From: Al Viro <viro@ZenIV.linux.org.uk>
To: George Spelvin <linux@horizon.com>
Cc: jack@suse.cz, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: 3.1-rc10 oops in nameidata_to_filp
Date: Thu, 24 Nov 2011 22:13:13 +0000 [thread overview]
Message-ID: <20111124221313.GO2203@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20111124214710.13413.qmail@science.horizon.com>
On Thu, Nov 24, 2011 at 04:47:10PM -0500, George Spelvin wrote:
> Thanks for the pointer. I'll write some debug code.
>
> > Said that, I'm not buying the theory of open assigning to ->f_mapping and
> > screwing it up; all such assignments end up with ->i_mapping of *some*
> > inode, as far as I can see from cursory grep over the tree. Just in case:
> > do you have CONFIG_FS_POSIX_ACL set?
>
> No, I always turn that off. (And TMPFS_POSIX_ACL, too.)
OK, then this 0x18 is very likely to be offset of i_mapping in struct inode
and we have file->f_mapping->host == NULL. Very odd... The only struct
address_space on your config besides inode->i_data (which _all_ get non-NULL
->host, pointing straight back to the containing struct inode) is
swapper_space. And there's no way in hell for it to legitimately end up
in file->f_mapping or inode->i_mapping.
So the possibilities are:
legitimate ->f_mapping, fucked contents of address_space it points to.
fucked ->i_mapping, ->f_mapping copied from it.
legitimate ->i_mapping, open() callback fucking ->f_mapping up.
Try to enable memory poisoning; if it turns those into oopsen on attempt
to access poison + 0x18, we'll know it's some inode getting freed while we
still have references to it... OTOH, that would make your debugging printks
not fire at all, so it might be better to get the pathname first before
enabling that and seeing how behaviour changes...
prev parent reply other threads:[~2011-11-24 22:13 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-16 11:22 3.1-rc10 oops in nameidata_to_filp George Spelvin
2011-11-24 14:51 ` Jan Kara
2011-11-24 16:44 ` George Spelvin
2011-11-24 17:38 ` Al Viro
2011-11-24 17:50 ` Al Viro
2011-11-24 17:51 ` Al Viro
2011-11-30 23:57 ` Andrew Morton
2011-11-24 21:14 ` Jan Kara
2011-11-24 21:47 ` George Spelvin
2011-11-24 22:13 ` Al Viro [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111124221313.GO2203@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@horizon.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).