From: bugzilla-daemon@bugzilla.kernel.org
To: linux-ext4@vger.kernel.org
Subject: [Bug 66881] New: [3.12.1][ext4]kernel BUG at fs/ext4/extents_status.c:709!
Date: Thu, 12 Dec 2013 04:56:16 +0000
Message-ID: <bug-66881-13602@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=66881
Bug ID: 66881
Summary: [3.12.1][ext4]kernel BUG at fs/ext4/extents_status.c:709!
Product: File System
Version: 2.5
Kernel Version: 3.12.1
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: ext4
Assignee: fs_ext4@kernel-bugs.osdl.org
Reporter: rnsastry@linux.vnet.ibm.com
Regression: No
With 'fsfuzz - file system fuzzer', I found the following kernel bug:
[ 416.118860] ------------[ cut here ]------------
[ 416.118865] kernel BUG at fs/ext4/extents_status.c:709!
[ 416.118909] illegal operation: 0001 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 416.118915] Modules linked in: loop dm_multipath scsi_dh dm_mod vmur autofs4
[ 416.118925] CPU: 0 PID: 798 Comm: fstest Not tainted 3.12.1 #1
[ 416.118928] task: 000000003c3b4b20 ti: 000000003d0b8000 task.ti: 000000003d0b8000
[ 416.118939] Krnl PSW : 0704d00180000000 00000000003c68ec (ext4_es_cache_extent+0x144/0x1e8)
[ 416.118942] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 EA:3
Krnl GPRS: 0000000000000000 0000000000000020 000000003c44c950 000000000000ae56
[ 416.118947] 00000000ffff798a 1fffffffffffffff 1000000000000000 000000003688a848
[ 416.118950] 0000000000000020 000000003688a854 000000000000ae56 00000000ffff798a
[ 416.118952] 000000003c44c950 00000000000027df 000000003d0bb648 000000003d0bb5c0
[ 416.118962] Krnl Code: 00000000003c68e2: 15da clr %r13,%r10
00000000003c68e4: a7a40004 brc 10,3c68ec
#00000000003c68e8: a7f40001 brc 15,3c68ea
>00000000003c68ec: 41b0c488 la %r11,1160(%r12)
00000000003c68f0: b904002b lgr %r2,%r11
00000000003c68f4: c0e5001ad134 brasl %r14,720b5c
00000000003c68fa: 4120c478 la %r2,1144(%r12)
00000000003c68fe: b904003a lgr %r3,%r10
[ 416.118987] Call Trace:
[ 416.118990] ([<00000000003c6930>] ext4_es_cache_extent+0x188/0x1e8)
[ 416.118993] [<00000000003a69c6>] __read_extent_tree_block+0x2de/0x410
[ 416.118996] [<00000000003a793c>] ext4_ext_find_extent+0x210/0x43c
[ 416.118998] [<00000000003acf12>] ext4_ext_map_blocks+0x196/0x1d30
[ 416.119002] [<0000000000379e06>] ext4_map_blocks+0xfe/0x544
[ 416.119005] [<000000000037c0f8>] _ext4_get_block+0xf4/0x1e0
[ 416.119009] [<00000000002f5574>] do_mpage_readpage+0x220/0x770
[ 416.119012] [<00000000002f5b76>] mpage_readpages+0xb2/0x11c
[ 416.119016] [<000000000024648e>] __do_page_cache_readahead+0x292/0x34c
[ 416.119019] [<000000000024685a>] ra_submit+0x42/0x54
[ 416.119021] [<0000000000246ea8>] page_cache_sync_readahead+0x70/0x80
[ 416.119025] [<0000000000239450>] generic_file_aio_read+0x308/0x8ac
[ 416.119029] [<00000000002a78b6>] do_sync_read+0x7e/0xac
[ 416.119032] [<00000000002a885c>] vfs_read+0x98/0x16c
[ 416.119035] [<00000000002a8b32>] SyS_read+0x5e/0x9c
[ 416.119039] [<0000000000721efc>] sysc_nr_ok+0x22/0x28
[ 416.119042] [<000003fffd147e98>] 0x3fffd147e98
[ 416.119044] INFO: lockdep is turned off.
[ 416.119046] Last Breaking-Event-Address:
[ 416.119048] [<00000000003c68e8>] ext4_es_cache_extent+0x140/0x1e8
[ 416.119052]
[ 416.119055] Kernel panic - not syncing: Fatal exception: panic_on_oops
And the reason is:
from v3.12.1/fs/ext4/extents.c
...
506 if (prev && (prev != lblk))
507 ext4_es_cache_extent(inode, prev,
508 lblk - prev, ~0,
509 EXTENT_STATUS_HOLE);
Suggested solution:
There should be an extra condition checking that 'prev' cannot be bigger than
'lblk', because the difference is passed to 'ext4_es_cache_extent' as 'len',
and this 'len' is used in other calculations.
v3.12.1/fs/ext4/extents_status.c
...
698 ext4_lblk_t end = lblk + len - 1;
...
706 if (!len)
707 return;
708
709 BUG_ON(end < lblk);
...
Proof:
Here is the calculation from real data:
when
prev = 44630
lblk = 10208
the 'prev != lblk' condition passes and
len = lblk - prev
len = 10208 - 44630 = -34422
Since 'len' is of data type 'ext4_lblk_t' -> '__u32', it overflowed.
The variable 'end' depends on 'len', and it hits the bug at
"BUG_ON(end < lblk);".
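The arithmetic the report walks through, reproduced as an added C example (not code from the report or from the kernel; the helper names are hypothetical models of the two quoted code paths). It uses the report's real values, prev = 44630 and lblk = 10208, and shows that the wrapped length is 0xffff798a (the same value that appears in the register dump), that 'end' comes out as 10207 and therefore lands below the start block passed to ext4_es_cache_extent, and that the guard the report suggests (prev strictly less than lblk) rejects the corrupt extent before any length is computed:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ext4_lblk_t is __u32 in the kernel, so uint32_t gives the same
 * modulo-2^32 wraparound. */
typedef uint32_t ext4_lblk_t;

/* Model of the caller in extents.c (lines 506-509 quoted above):
 * the hole length is computed as lblk - prev with unsigned arithmetic,
 * so it wraps whenever prev > lblk. */
static ext4_lblk_t hole_len(ext4_lblk_t prev, ext4_lblk_t lblk)
{
    return lblk - prev;
}

/* Model of extents_status.c:698: end = lblk + len - 1 (also wraps).
 * Here es_lblk is what the caller passed as the start, i.e. prev. */
static ext4_lblk_t es_end(ext4_lblk_t es_lblk, ext4_lblk_t es_len)
{
    return es_lblk + es_len - 1;
}

/* Model of extents_status.c:706-709: zero-length extents return early,
 * otherwise BUG_ON(end < lblk). Returns true when the BUG_ON would fire. */
static bool es_cache_would_bug(ext4_lblk_t es_lblk, ext4_lblk_t es_len)
{
    if (!es_len)
        return false;
    return es_end(es_lblk, es_len) < es_lblk;
}

/* The caller-side guard the report suggests (hypothetical helper): in
 * addition to prev != lblk, require prev < lblk, so a corrupted extent
 * tree is rejected instead of producing a wrapped length. */
static bool hole_is_sane(ext4_lblk_t prev, ext4_lblk_t lblk)
{
    return prev && prev < lblk;
}

int main(void)
{
    /* Values taken from the report. */
    ext4_lblk_t prev = 44630, lblk = 10208;
    ext4_lblk_t len = hole_len(prev, lblk);

    printf("len  = %u (0x%08x)\n", len, len);
    printf("end  = %u\n", es_end(prev, len));
    printf("BUG_ON fires: %s\n", es_cache_would_bug(prev, len) ? "yes" : "no");
    printf("guard accepts: %s\n", hole_is_sane(prev, lblk) ? "yes" : "no");
    return 0;
}
```

With the report's numbers, end = prev + (lblk - prev) - 1 reduces to lblk - 1 modulo 2^32 regardless of the wrap, so the BUG_ON is simply testing lblk - 1 < prev; any on-disk extent header whose entries are not sorted ascending reaches that line. Validating the ordering at the caller, as the report proposes, turns the fuzzed metadata into an ordinary corruption error rather than a panic.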