Open Source and information security mailing list archives
Message-ID: <469523FA.7010308@namesys.com>
Date:	Wed, 11 Jul 2007 22:39:54 +0400
From:	Edward Shishkin <edward@...esys.com>
To:	Zan Lynx <zlynx@....org>
CC:	Linux Kernel <linux-kernel@...r.kernel.org>,
	ReiserFS Mailing List <reiserfs-devel@...r.kernel.org>,
	"Vladimir V. Saveliev" <vs@...esys.com>
Subject: Re: 2.6.22-rc6-mm1 reiser4_tree_by_page NULL pointer


I have found the bug, which kills data
when booting after crash, power loss, etc.
The patch is attached.
Please ping me if it doesn't help.

Thanks,
Edward.

Zan Lynx wrote:

>This bug is annoying enough that I mostly stopped using rc6-mm1, which
>is why it took this long to make a report.  Previous crashes were
>tainted.
>
>I recall seeing something about page table problems with this rc6-mm1
>but I don't know if that's what happened to me.
>
>System highlights are: x86_64, SLUB, Reiser4, ZONE_MOVABLE
>(kernelcore=384M), PATA with libata.
>
>So here it is:
>netconsole: network logging started
>eth0: no IPv6 routers present
>Hangcheck: hangcheck value past margin!
>ISO 9660 Extensions: Microsoft Joliet Level 3
>ISO 9660 Extensions: RRIP_1991A
>Hangcheck: hangcheck value past margin!
>Hangcheck: hangcheck value past margin!
>Hangcheck: hangcheck value past margin!
>Hangcheck: hangcheck value past margin!
>Hangcheck: hangcheck value past margin!
>Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP: 
> [<ffffffff8033d324>] reiser4_tree_by_page+0x4/0x20
>PGD 9a69067 PUD 9a57067 PMD 0 
>Oops: 0000 [1] PREEMPT SMP 
>CPU 0 
>Modules linked in: nls_iso8859_1 isofs nls_base netconsole usbhid hid snd_pcm_oss snd_mixer_oss ipv6 snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_timer snd snd_page_alloc ehci_hcd ohci_hcd usbcore evdev psmouse serio_raw sg
>Pid: 10479, comm: rhythmbox Not tainted 2.6.22-rc6-mm1 #3
>RIP: 0010:[<ffffffff8033d324>]  [<ffffffff8033d324>] reiser4_tree_by_page+0x4/0x20
>RSP: 0018:ffff810011c21940  EFLAGS: 00010296
>RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000c
>RDX: 00000000000000f0 RSI: 0000000000000000 RDI: ffff810002135d80
>RBP: ffff810002135d80 R08: 0000000000000000 R09: 0000000000000001
>R10: 00000000000002b2 R11: ffffffff8035a350 R12: ffff810002135d80
>R13: ffff810011c21a90 R14: ffff81000e5fcdbc R15: ffff81000e5fcdbc
>FS:  0000000042003940(0063) GS:ffffffff8075b000(0000) knlGS:00000000f7ddf6b0
>CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
>CR2: 0000000000000000 CR3: 0000000004368000 CR4: 00000000000006e0
>DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
>Process rhythmbox (pid: 10479, threadinfo ffff810011c20000, task ffff8100007b2f10)
>Stack:  ffffffff8032649a ffff810011c21a90 0000000000000000 ffff810002135d80
> ffff810011c21a58 ffff810011c21a90 ffff81000e5fcdbc ffff81000e5fcdbc
> ffff810000000002 [<ffffffff8034dc96>] readpages_unix_file+0x56/0xc0
> [<ffffffff80282d05>] do_generic_mapping_read+0x2f5/0x4b0
> [<ffffffff80254580>] autoremove_wake_function+0x0/0x30
> [<ffffffff8034cf9f>] read_unix_file+0x49f/0x4c0
> [<ffffffff802ad995>] vfs_read+0xc5/0x180
>Code: 80 00 04 
> RSP <ffff810011c21940>
>Bad page state in process 'gdb'
>page:ffff810002135d80 flags:0xc000000000000001 mapping:0000000000000000 mapcount:0 count:0
>Trying to fix it up, but a reboot is needed
>Backtrace:
>
>Call Trace:
> [<ffffffff80286c0b>] bad_page+0x6b/0x120
> [<ffffffff80287f65>] get_page_from_freelist+0x435/0x520
> [<ffffffff8028812e>] __alloc_pages+0x9e/0x3c0
> [<ffffffff80292e6b>] __handle_mm_fault+0x4eb/0x930
> [<ffffffff80530d1e>] do_page_fault+0x14e/0x8c0
> [<ffffffff80530d9b>] do_page_fault+0x1cb/0x8c0
> [<ffffffff80234a0f>] dequeue_entity+0xaf/0xf0
> [<ffffffff8052e7df>] _spin_unlock_irq+0x2f/0x50
> [<ffffffff8052ee0d>] error_exit+0x0/0x96
> [<ffffffff802820bd>] file_read_actor+0x10d/0x1b0
> [<ffffffff80282c41>] do_generic_mapping_read+0x231/0x4b0
> [<ffffffff80281fb0>] file_read_actor+0x0/0x1b0
> [<ffffffff80284f46>] generic_file_aio_read+0x106/0x1c0
> [<ffffffff802ad019>] do_sync_read+0xd9/0x120
> [<ffffffff802a723b>] check_bytes_and_report+0x4b/0x100
> [<ffffffff802a7704>] check_object+0x224/0x260
> [<ffffffff80254580>] autoremove_wake_function+0x0/0x30
> [<ffffffff8052e669>] _spin_unlock+0x29/0x50
> [<ffffffff80330e2c>] reiser4_grab+0x8c/0xd0
> [<ffffffff8034cf9f>] read_unix_file+0x49f/0x4c0
> [<ffffffff802b0da5>] cp_new_stat+0xe5/0x100
> [<ffffffff802ad995>] vfs_read+0xc5/0x180
> [<ffffffff802ade93>] sys_read+0x53/0x90
> [<ffffffff8020c1de>] system_call+0x7e/0x83
>
>INFO: lockdep is turned off.
>Hexdump:
>000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>010: 00 00 00 00 00 00 00 00
>SysRq : Emergency Sync
>Emergency Sync complete
>SysRq : Emergency Sync
>Emergency Sync complete
>Hangcheck: hangcheck value past margin!
>SysRq : Emergency Sync
>Emergency Sync complete
>SysRq : Resetting
>  
>

View attachment "reiser4-fix-extent2tail.patch" of type "text/x-patch" (1490 bytes)
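The oops and the "Bad page state" report quoted above carry enough to be cross-checked mechanically rather than by eye. The script below is an added triage example for this thread; it is not kernel or reiser4 code and not the attached patch. Its sample log is constructed from the netconsole lines quoted in the report, trimmed to the lines the parser looks at. It pulls out the fault header, the RIP frame, the register dump, the call trace and the bad-page line, then checks whether the page address reported as bad is the same value that was sitting in a register when reiser4_tree_by_page faulted. Reading mapping:0 and count:0 as "the page looked unreferenced at that moment" is this example's own interpretation of those two fields, not something the thread states.

```python
"""Triage helper for an x86-64 kernel oops followed by a "Bad page state" report.

Added example for this thread; it is not kernel or reiser4 code and not the
attached patch.  SAMPLE_LOG is constructed from the netconsole lines quoted in
the bug report, trimmed to the lines the parser looks at.
"""
import re

# Constructed sample input: a subset of the lines quoted in the bug report.
SAMPLE_LOG = """\
Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP:
 [<ffffffff8033d324>] reiser4_tree_by_page+0x4/0x20
RIP: 0010:[<ffffffff8033d324>]  [<ffffffff8033d324>] reiser4_tree_by_page+0x4/0x20
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000c
RDX: 00000000000000f0 RSI: 0000000000000000 RDI: ffff810002135d80
RBP: ffff810002135d80 R08: 0000000000000000 R09: 0000000000000001
R10: 00000000000002b2 R11: ffffffff8035a350 R12: ffff810002135d80
R13: ffff810011c21a90 R14: ffff81000e5fcdbc R15: ffff81000e5fcdbc
CR2: 0000000000000000 CR3: 0000000004368000 CR4: 00000000000006e0
 [<ffffffff8034dc96>] readpages_unix_file+0x56/0xc0
 [<ffffffff80282d05>] do_generic_mapping_read+0x2f5/0x4b0
 [<ffffffff8034cf9f>] read_unix_file+0x49f/0x4c0
 [<ffffffff802ad995>] vfs_read+0xc5/0x180
Bad page state in process 'gdb'
page:ffff810002135d80 flags:0xc000000000000001 mapping:0000000000000000 mapcount:0 count:0
"""

FAULT_RE = re.compile(r"Unable to handle kernel (.+?) at ([0-9a-f]{16})")
# General-purpose and control registers as the x86-64 oops code prints them:
# an upper-case name, a colon, and exactly 16 hex digits.
REG_RE = re.compile(r"\b([A-Z][A-Z0-9]{1,2}):\s*([0-9a-f]{16})\b")
# "[<addr>] symbol+0xoff/0xsize" frames, used for both the RIP line and the trace.
FRAME_RE = re.compile(r"\[<[0-9a-f]+>\]\s+(\S+?)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
BADPAGE_RE = re.compile(
    r"page:([0-9a-f]+) flags:(0x[0-9a-f]+) mapping:([0-9a-f]+) "
    r"mapcount:(-?\d+) count:(-?\d+)")


def parse_oops(text):
    """Return fault kind/address, RIP frame, registers, trace frames and bad pages."""
    report = {"fault": None, "rip": None, "regs": {}, "trace": [], "bad_pages": []}
    for line in text.splitlines():
        m = FAULT_RE.search(line)
        if m:
            report["fault"] = (m.group(1), int(m.group(2), 16))
            continue
        m = BADPAGE_RE.search(line)
        if m:
            report["bad_pages"].append({
                "page": int(m.group(1), 16),
                "flags": int(m.group(2), 16),
                "mapping": int(m.group(3), 16),
                "mapcount": int(m.group(4)),
                "count": int(m.group(5)),
            })
            continue
        for name, value in REG_RE.findall(line):
            report["regs"][name] = int(value, 16)
        for sym, off, size in FRAME_RE.findall(line):
            frame = (sym, int(off, 16), int(size, 16))
            if line.startswith("RIP:"):
                report["rip"] = frame
            else:
                report["trace"].append(frame)
    # The faulting frame is echoed once before the "RIP:" line; keep it only as RIP.
    report["trace"] = [f for f in report["trace"] if f != report["rip"]]
    return report


def correlate(report):
    """Cross-check the oops against any "Bad page state" report in the same log.

    Flags a NULL dereference when both the fault address and CR2 are zero, and
    for each bad page lists the registers that held that page's address at the
    oops, plus whether the page already looked unreferenced (count 0, no mapping;
    this reading of the two fields is the example's own assumption).
    """
    regs = report["regs"]
    fault_addr = report["fault"][1] if report["fault"] else None
    hits = []
    for page in report["bad_pages"]:
        hits.append({
            "page": page["page"],
            "regs_holding_page": sorted(r for r, v in regs.items() if v == page["page"]),
            "unreferenced": page["count"] == 0 and page["mapping"] == 0,
        })
    return {
        "null_deref": fault_addr == 0 and regs.get("CR2") == 0,
        "rip": report["rip"],
        "bad_page_hits": hits,
    }


if __name__ == "__main__":
    summary = correlate(parse_oops(SAMPLE_LOG))
    sym, off, size = summary["rip"]
    print(f"fault in {sym}+0x{off:x}/0x{size:x}, NULL deref: {summary['null_deref']}")
    for hit in summary["bad_page_hits"]:
        print(f"bad page {hit['page']:#x} held in {hit['regs_holding_page']}, "
              f"unreferenced at oops time: {hit['unreferenced']}")
```

On the quoted report this yields a NULL dereference four bytes into reiser4_tree_by_page with the bad page's address (ffff810002135d80) held in RDI, RBP and R12, which is the kind of correlation worth stating up front when forwarding such a log. The register pattern is deliberately strict (upper-case name plus 16 hex digits) so that interleaved netconsole output such as the fused SysRq lines in the hexdump does not produce false register entries.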
