lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 7 Mar 2012 11:42:40 +0100
From:	Jan Kara <jack@...e.cz>
To:	Fengguang Wu <fengguang.wu@...el.com>
Cc:	Jan Kara <jack@...e.cz>, Dave Jones <davej@...hat.com>,
	Linux Kernel <linux-kernel@...r.kernel.org>,
	Fedora Kernel Team <kernel-team@...oraproject.org>,
	viro@...IV.linux.org.uk, Christoph Hellwig <hch@...radead.org>
Subject: Re: inode->i_wb_list corruption.

On Tue 06-03-12 23:26:08, Wu Fengguang wrote:
> On Tue, Mar 06, 2012 at 10:03:07PM +0100, Jan Kara wrote:
> > On Tue 06-03-12 13:51:37, Dave Jones wrote:
> > > We've had three separate reports against 3.2.x recently where the linked list debugging
> > > is getting tripped up by the prev->next pointer being null instead of pointing
> > > to the current list entry while walking the i_wb_list
> > > 
> > > Call traces are slightly different each time, but all end up walking i_wb_list 
> > > in dput -> d_kill -> i_put -> evict -> inode_wb_list_del
> > > 
> > > What protects that list ? It looks to be just bdi->wb.list_lock ?
> > > 
> > > 
> > > full reports at:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=784741
> > > https://bugzilla.redhat.com/show_bug.cgi?id=799229
> > > https://bugzilla.redhat.com/show_bug.cgi?id=799692
> >   Hum, interesting! I'd guess this might be caused by f758eeab - adding
> > Fengguang and Christoph to CC. But I'm really failing to see how this could
> > happen but interesting thing is that in two of the three cases the files
> > are on virtual filesystems (once cgroup, once sysfs). These both use
> > noop_backing_dev_info.
> 
> sysfs/cgroup forgot to init inode->i_wb_list?
  Umm, it's not *that* simple I'd say. E.g. sysfs doesn't provide
alloc_inode() method so we use inode_cachep for allocations. And that cache
is configured to use inode_init_once().

Also note that the error message is:
list_del corruption. prev->next should be ffff8801c2f41b18, but was (null)

Which means that our inode had correct i_wb_list.prev but the previous
inode had NULL in i_wb_list.next. But that means that both inodes were
linked into the list at some point. So it does not seem like an
initialization issue to me...

								Honza

> --- linux.orig/fs/inode.c	2012-02-22 19:20:48.374799955 -0800
> +++ linux/fs/inode.c	2012-03-06 23:11:29.133899478 -0800
> @@ -193,6 +193,7 @@ int inode_init_always(struct super_block
>  	inode->i_private = NULL;
>  	inode->i_mapping = mapping;
>  	INIT_LIST_HEAD(&inode->i_dentry);	/* buggered by rcu freeing */
> +	INIT_LIST_HEAD(&inode->i_wb_list);
>  #ifdef CONFIG_FS_POSIX_ACL
>  	inode->i_acl = inode->i_default_acl = ACL_NOT_CACHED;
>  #endif
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ