On Fri, Jun 28, 2013 at 10:25:39AM +0800, Liu Bo wrote:
> Several users reported this crash of NULL pointer or general protection,
> the story is that we add an rbtree to speed up ulist iteration, and we
> use krealloc() to address ulist growth, and krealloc() uses memcpy to copy
> old data to the new memory area, so it's OK for an array as it doesn't use
> pointers while it's not OK for an rbtree as it uses pointers.
>
> So krealloc() will mess up our rbtree and it ends up with a crash.
>
> Signed-off-by: Liu Bo <bo.li....@oracle.com>
> ---
> v2: fix a use-after-free bug and a finger error (Thanks Zach and Josef).
>
Is this supposed to fix this bug?

[ 1215.561033] ------------[ cut here ]------------
[ 1215.561064] kernel BUG at fs/btrfs/ctree.c:1183!
[ 1215.561087] invalid opcode: 0000 [#1] PREEMPT SMP
[ 1215.561114] Modules linked in: btrfs raid6_pq zlib_deflate xor libcrc32c ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat xt_CHECKSUM iptable_mangle bridge stp llc lockd be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi cxgb3 mdio ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ip6t_REJECT nf_conntrack_ipv6 ib_core nf_defrag_ipv6 ib_addr nf_conntrack_ipv4 iscsi_tcp nf_defrag_ipv4 xt_state nf_conntrack libiscsi_tcp ip6table_filter libiscsi ip6_tables scsi_transport_iscsi snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm vhost_net snd_timer macvtap snd macvlan tun virtio_net soundcore kvm_amd sunrpc kvm snd_page_alloc sp5100_tco edac_core microcode pcspkr serio_raw k10temp edac_mce_amd i2c_piix4 r8169 mii iomemory_vsl(OF) floppy firewire_ohci firewire_core ata_generic pata_acpi crc_itu_t pata_via radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core
[ 1215.561585] CPU 1
[ 1215.561597] Pid: 28188, comm: btrfs-endio-wri Tainted: GF O 3.9.0+ #9 To Be Filled By O.E.M. To Be Filled By O.E.M./890FX Deluxe5
[ 1215.561649] RIP: 0010:[<ffffffffa06f529b>] [<ffffffffa06f529b>] __tree_mod_log_rewind+0x26b/0x270 [btrfs]
[ 1215.561706] RSP: 0018:ffff8803b7529828 EFLAGS: 00010293
[ 1215.561729] RAX: 0000000000000000 RBX: ffff8803b42d5960 RCX: ffff8803b75297c8
[ 1215.561759] RDX: 000000000002577d RSI: 0000000000000921 RDI: ffff8803b3e92440
[ 1215.561788] RBP: ffff8803b7529858 R08: 0000000000001000 R09: ffff8803b75297d8
[ 1215.561818] R10: 0000000000001bbb R11: 0000000000000000 R12: ffff8803b630ddc0
[ 1215.561848] R13: 0000000000000044 R14: ffff8803b3e92540 R15: 00017add00000000
[ 1215.561878] FS: 00007f9ba1ce7700(0000) GS:ffff88043fc40000(0000) knlGS:0000000000000000
[ 1215.561911] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 1215.561936] CR2: 00007fa4a6148d90 CR3: 0000000427ff7000 CR4: 00000000000007e0
[ 1215.561965] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1215.561995] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 1215.562025] Process btrfs-endio-wri (pid: 28188, threadinfo ffff8803b7528000, task ffff8803eb5a97d0)
[ 1215.562063] Stack:
[ 1215.562073]  ffff88042998e1c0 ffff880000000000 ffff88042998e1c0 ffff8803c41b8000
[ 1215.562109]  ffff8803b43c4e20 0000000000000001 ffff8803b7529908 ffffffffa06fda47
[ 1215.562146]  ffff8803b7694458 00017add00000000 ffff8803b7529888 ffff8803b42d5960
[ 1215.562182] Call Trace:
[ 1215.562200]  [<ffffffffa06fda47>] btrfs_search_old_slot+0x757/0xa40 [btrfs]
[ 1215.562237]  [<ffffffffa0779fcd>] __resolve_indirect_refs+0x11d/0x670 [btrfs]
[ 1215.562273]  [<ffffffffa077ab4c>] find_parent_nodes+0x1fc/0xe90 [btrfs]
[ 1215.562307]  [<ffffffffa077b879>] btrfs_find_all_roots+0x99/0x100 [btrfs]
[ 1215.562341]  [<ffffffffa07240b0>] ? btrfs_submit_direct+0x680/0x680 [btrfs]
[ 1215.562376]  [<ffffffffa077c224>] iterate_extent_inodes+0x144/0x2f0 [btrfs]
[ 1215.562412]  [<ffffffffa077c462>] iterate_inodes_from_logical+0x92/0xb0 [btrfs]
[ 1215.562449]  [<ffffffffa07240b0>] ? btrfs_submit_direct+0x680/0x680 [btrfs]
[ 1215.562484]  [<ffffffffa07214f8>] record_extent_backrefs+0x78/0xf0 [btrfs]
[ 1215.562519]  [<ffffffffa072bac6>] btrfs_finish_ordered_io+0x156/0x9d0 [btrfs]
[ 1215.562556]  [<ffffffffa072c355>] finish_ordered_fn+0x15/0x20 [btrfs]
[ 1215.562589]  [<ffffffffa074d96a>] worker_loop+0x16a/0x570 [btrfs]
[ 1215.562618]  [<ffffffff8108f348>] ? __wake_up_common+0x58/0x90
[ 1215.562649]  [<ffffffffa074d800>] ? btrfs_queue_worker+0x300/0x300 [btrfs]
[ 1215.562680]  [<ffffffff81086c10>] kthread+0xc0/0xd0
[ 1215.562703]  [<ffffffff81650000>] ? acpi_processor_add+0xcb/0x47d
[ 1215.562731]  [<ffffffff81086b50>] ? flush_kthread_worker+0xb0/0xb0
[ 1215.562758]  [<ffffffff8166452c>] ret_from_fork+0x7c/0xb0
[ 1215.562783]  [<ffffffff81086b50>] ? flush_kthread_worker+0xb0/0xb0
[ 1215.562809] Code: c1 49 63 46 58 48 89 c2 48 c1 e2 05 48 8d 54 10 65 49 63 46 2c 48 89 c6 48 c1 e6 05 48 8d 74 30 65 e8 0a c7 04 00 e9 9d fe ff ff <0f> 0b 0f 0b 90 66 66 66 66 90 55 48 b8 00 00 00 00 00 16 00 00
[ 1215.562987] RIP  [<ffffffffa06f529b>] __tree_mod_log_rewind+0x26b/0x270 [btrfs]
[ 1215.563023]  RSP <ffff8803b7529828>
[ 1215.571784] ---[ end trace 89bb18f7414e2e9e ]---

Cause if so it didn't fix it :). If not just ignore me.

Thanks,
Josef
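As an added userspace illustration (not code from the patch, the btrfs ulist, or anyone in this thread) of the failure mode Liu Bo describes: nodes with embedded links live inside one array, the array is grown by copy the way a moving krealloc() does, and the copied link values keep pointing at the freed old buffer. The node layout, link_chain(), count_stale() and the relink() repair are assumptions made for the demo, not btrfs code.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for a ulist node: payload plus embedded tree links (like rb_node). */
struct node {
    uint64_t val;
    struct node *parent, *right;
};
/* Build a right-leaning chain of n nodes that all live inside one array. */
static void link_chain(struct node *arr, size_t n) {
    for (size_t i = 0; i < n; i++) {
        arr[i].val = i;
        arr[i].parent = i ? &arr[i - 1] : NULL;
        arr[i].right = (i + 1 < n) ? &arr[i + 1] : NULL;
    }
}
/* Count links pointing outside [arr, arr + n): after a move they still name
 * the freed old buffer, the dangling pointers the thread describes. */
static size_t count_stale(const struct node *arr, size_t n) {
    uintptr_t lo = (uintptr_t)arr, hi = (uintptr_t)(arr + n);
    size_t stale = 0;
    for (size_t i = 0; i < n; i++) {
        const struct node *p[2] = { arr[i].parent, arr[i].right };
        for (int k = 0; k < 2; k++)
            stale += p[k] && ((uintptr_t)p[k] < lo || (uintptr_t)p[k] >= hi);
    }
    return stale;
}
/* Repair: rebase every link by the distance the buffer moved. */
static void relink(struct node *arr, size_t n, uintptr_t old_base) {
    for (size_t i = 0; i < n; i++) {
        struct node **pp[2] = { &arr[i].parent, &arr[i].right };
        for (int k = 0; k < 2; k++)
            if (*pp[k])
                *pp[k] = (struct node *)((uintptr_t)arr + ((uintptr_t)*pp[k] - old_base));
    }
}
/* Grow an n-node chain to new_n slots the way a moving krealloc() does (new
 * buffer, memcpy, free old) and return how many links are left stale.
 * fix == 0 reproduces the bug class; fix != 0 applies relink() after the copy. */
size_t stale_after_grow(size_t n, size_t new_n, int fix) {
    struct node *old = calloc(n, sizeof *old);
    link_chain(old, n);
    struct node *fresh = calloc(new_n, sizeof *fresh);
    memcpy(fresh, old, n * sizeof *old);        /* copies link values verbatim */
    if (fix) relink(fresh, n, (uintptr_t)old);  /* rebase before old goes away */
    free(old);                                  /* unfixed links now dangle */
    size_t stale = count_stale(fresh, n);
    free(fresh);
    return stale;
}
```

A four-node chain has three parent and three right links, so the unfixed grow leaves six dangling pointers; the relinked grow leaves none.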