[PATCH] Re: btrfs does not work on usermode linux

[Sergei Trofimovich <slyich@gmail.com>]

[-- Attachment #1.1: Type: text/plain, Size: 3870 bytes --]

On Sun, 10 Apr 2011 23:06:22 +0300
Sergei Trofimovich <slyich@gmail.com> wrote:

> > > According to https://btrfs.wiki.kernel.org/index.php/Debugging_Btrfs_with_GDB
> > > UML did work once.
> > > 
> > > Now it corrupts data and triggers BUG_ON once you
> > > start to use it. I tried both 2.6.38 and 2.6.39-rc2 (x86_64)
> > > I need some help to track it down.
> > > 
> > > doing 'touch `seq 1 11`; rm 11' kills the kernel:
> > 
> > 2.6.36 works 2.6.37 doesn't. bsecting
> 
> Bisected down to:
> 
> commit 59daa706fbec745684702741b9f5373142dd9fdc (v2.6.36-rc2-2-g59daa70)
> Author: Ma Ling <ling.ma@intel.com>
> Date:   Tue Jun 29 03:24:25 2010 +0800
> 
>     x86, mem: Optimize memcpy by avoiding memory false dependece
> 
> Which means btrfs passes overlapping areas to memcpy. I've added some debug info
> and found out rough place:
> touching files 1 .. 11
> #run> touch 1 2 3 4 5 6 7 8 9 10 11
> [    2.270000]  memcpy overlap detected: memcpy(dst=0000000070654e8a, src=0000000070654ea9, size=171) [delta=31]
> [    2.270000] ------------[ cut here ]------------
> [    2.270000] WARNING: at /home/slyfox/linux-2.6/fs/btrfs/memcpy_debug.c:18 btrfs_memcpy+0x52/0x68()
> [    2.270000] Call Trace: 
> [    2.270000] 7064b748:  [<600eff46>] map_extent_buffer+0x62/0x9e
> [    2.270000] 7064b758:  [<60029ad9>] warn_slowpath_common+0x59/0x70
> [    2.270000] 7064b798:  [<60029b05>] warn_slowpath_null+0x15/0x17
> [    2.270000] 7064b7a8:  [<6011129e>] btrfs_memcpy+0x52/0x68
> [    2.270000] 7064b7d8:  [<600efa01>] memcpy_extent_buffer+0x18d/0x1da
> [    2.270000] 7064b858:  [<600efae2>] memmove_extent_buffer+0x94/0x208
> [    2.270000] 7064b8d8:  [<600bc4b0>] setup_items_for_insert+0x2b8/0x426
> [    2.270000] 7064b8e8:  [<600bb25a>] btrfs_leaf_free_space+0x62/0xa6
> [    2.270000] 7064b9c8:  [<600c13f3>] btrfs_insert_empty_items+0xa3/0xb5
> [    2.270000] 7064ba38:  [<600ce690>] insert_with_overflow+0x33/0xf1
> [    2.270000] 7064ba88:  [<600ce7d4>] btrfs_insert_dir_item+0x86/0x268
> [    2.270000] 7064bae8:  [<601b498b>] _raw_spin_unlock+0x9/0xb
> [    2.270000] 7064bb48:  [<600ddef1>] btrfs_add_link+0x10d/0x170
> [    2.270000] 7064bbc8:  [<600ddf7a>] btrfs_add_nondir+0x26/0x52
> [    2.270000] 7064bc08:  [<600de73f>] btrfs_create+0xf2/0x1c0
> [    2.270000] 7064bc18:  [<6007ccff>] generic_permission+0x57/0x9d
> [    2.270000] 7064bc68:  [<6007cf60>] vfs_create+0x6a/0x75
> 
> which is in extent_io:copy_pages. I haven't dig further only made sure the following
> patch below (practically converts copy_pages to move_pages). It certainly does not
> look the right thing, but I don't understand extent_io contents yet to understand what
> actually happened.
> 
> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
> index 20ddb28..4cab7db 100644
> --- a/fs/btrfs/extent_io.c
> +++ b/fs/btrfs/extent_io.c
> @@ -3893,14 +3893,17 @@ static void copy_pages(struct page *dst_page, struct page *src_page,
>         char *src_kaddr;
>  
>         if (dst_page != src_page)
> +       {
>                 src_kaddr = kmap_atomic(src_page, KM_USER1);
> +               memcpy(dst_kaddr + dst_off, src_kaddr + src_off, len);
> +               kunmap_atomic(src_kaddr, KM_USER1);
> +       }
>         else
> +       {
>                 src_kaddr = dst_kaddr;
> -
> -       memcpy(dst_kaddr + dst_off, src_kaddr + src_off, len);
> +               memmove(dst_kaddr + dst_off, src_kaddr + src_off, len);
> +       }
>         kunmap_atomic(dst_kaddr, KM_USER0);
> -       if (dst_page != src_page)
> -               kunmap_atomic(src_kaddr, KM_USER1);
>  }
>  
>  void memcpy_extent_buffer(struct extent_buffer *dst, unsigned long dst_offset,

Attached nicer patch. Looks like original logic expected ceritain memcpy copy direction,
but there isn't one!

-- 

  Sergei

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: 0001-btrfs-properly-handle-overlapping-areas-in-memmove_e.patch --]
[-- Type: text/x-patch, Size: 2763 bytes --]

From 0eaf33265f8a2e0d76ee6db1ad74ee4422efb122 Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich <slyfox@gentoo.org>
Date: Sun, 10 Apr 2011 23:19:53 +0300
Subject: [PATCH] btrfs: properly handle overlapping areas in memmove_extent_buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix data corruption caused by memcpy() usage on overlapping data.
I've observed it first when found out usermode linux crash on btrfs.

Сall chain is the following:
------------[ cut here ]------------
WARNING: at /home/slyfox/linux-2.6/fs/btrfs/extent_io.c:3900 memcpy_extent_buffer+0x1a5/0x219()
Call Trace:
6fa39a58:  [<601b495e>] _raw_spin_unlock_irqrestore+0x18/0x1c
6fa39a68:  [<60029ad9>] warn_slowpath_common+0x59/0x70
6fa39aa8:  [<60029b05>] warn_slowpath_null+0x15/0x17
6fa39ab8:  [<600efc97>] memcpy_extent_buffer+0x1a5/0x219
6fa39b48:  [<600efd9f>] memmove_extent_buffer+0x94/0x208
6fa39bc8:  [<600becbf>] btrfs_del_items+0x214/0x473
6fa39c78:  [<600ce1b0>] btrfs_delete_one_dir_name+0x7c/0xda
6fa39cc8:  [<600dad6b>] __btrfs_unlink_inode+0xad/0x25d
6fa39d08:  [<600d7864>] btrfs_start_transaction+0xe/0x10
6fa39d48:  [<600dc9ff>] btrfs_unlink_inode+0x1b/0x3b
6fa39d78:  [<600e04bc>] btrfs_unlink+0x70/0xef
6fa39dc8:  [<6007f0d0>] vfs_unlink+0x58/0xa3
6fa39df8:  [<60080278>] do_unlinkat+0xd4/0x162
6fa39e48:  [<600517db>] call_rcu_sched+0xe/0x10
6fa39e58:  [<600452a8>] __put_cred+0x58/0x5a
6fa39e78:  [<6007446c>] sys_faccessat+0x154/0x166
6fa39ed8:  [<60080317>] sys_unlink+0x11/0x13
6fa39ee8:  [<60016b80>] handle_syscall+0x58/0x70
6fa39f08:  [<60021377>] userspace+0x2d4/0x381
6fa39fc8:  [<60014507>] fork_handler+0x62/0x69
---[ end trace 70b0ca2ef0266b93 ]---

http://www.mail-archive.com/linux-btrfs@vger.kernel.org/msg09302.html

Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
---
 fs/btrfs/extent_io.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index 20ddb28..3bbda41 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -3897,6 +3897,7 @@ static void copy_pages(struct page *dst_page, struct page *src_page,
 	else
 		src_kaddr = dst_kaddr;
 
+	BUG_ON(abs(src_off - dst_off) < len);
 	memcpy(dst_kaddr + dst_off, src_kaddr + src_off, len);
 	kunmap_atomic(dst_kaddr, KM_USER0);
 	if (dst_page != src_page)
@@ -3970,7 +3971,7 @@ void memmove_extent_buffer(struct extent_buffer *dst, unsigned long dst_offset,
 		       "len %lu len %lu\n", dst_offset, len, dst->len);
 		BUG_ON(1);
 	}
-	if (dst_offset < src_offset) {
+	if (abs(dst_offset - src_offset) >= len) {
 		memcpy_extent_buffer(dst, dst_offset, src_offset, len);
 		return;
 	}
-- 
1.7.3.4


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]