[BUG] Oops in inode_to

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [BUG] Oops in inode_to_bdi()
@ 2015-01-21 19:17 Jens Axboe
  2015-01-21 19:29 ` Christoph Hellwig
  0 siblings, 1 reply; 5+ messages in thread
From: Jens Axboe @ 2015-01-21 19:17 UTC (permalink / raw)
  To: hch; +Cc: linux-fsdevel

Christoph,

Ran into this one while testing. Looks like mapping->host is NULL, off
the shmem_writepage().

BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
IP: [<ffffffff8119589f>] inode_to_bdi+0xf/0x50
PGD 0 
Oops: 0000 [#1] PREEMPT SMP 
Modules linked in: wl(O) tun cfg80211 btusb joydev hid_apple hid_generic usbhid hid bcm5974 usb_storage nouveau snd_hda_codec_hdmi snd_hda_codec_cirrus snd_hda_codec_generic x86_pkg_temp_thermal snd_hda_intel kvm_intel snd_hda_controller snd_hda_codec kvm snd_hwdep snd_pcm applesmc input_polldev snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_timer snd_seq_device snd xhci_pci xhci_hcd ttm thunderbolt soundcore apple_gmux apple_bl bluetooth binfmt_misc fuse nls_iso8859_1 nls_cp437 vfat fat [last unloaded: wl]
CPU: 4 PID: 50 Comm: kswapd0 Tainted: G     U     O   3.19.0-rc5+ #60
Hardware name: Apple Inc. MacBookPro11,3/Mac-2BD1B31983FE1663, BIOS MBP112.88Z.0138.B02.1310181745 10/18/2013
task: ffff880462e917f0 ti: ffff880462edc000 task.ti: ffff880462edc000
RIP: 0010:[<ffffffff8119589f>]  [<ffffffff8119589f>] inode_to_bdi+0xf/0x50
RSP: 0000:ffff880462edf8e8  EFLAGS: 00010282
RAX: ffffffff81c4cd80 RBX: ffffea0001b3abc0 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff880462edf8f8 R08: 00000000001e8500 R09: ffff880460f7cb68
R10: ffff880462edfa00 R11: 0000000000000101 R12: 0000000000000000
R13: ffffffff81c4cd98 R14: 0000000000000000 R15: ffff880460f7c9c0
FS:  0000000000000000(0000) GS:ffff88047f300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 00000002b6341000 CR4: 00000000001407e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffea0001b3abc0 ffffffff81c4cd80 ffff880462edf948 ffffffff811244aa
 ffffffff811565b0 ffff880460f7c9c0 ffff880462edf948 ffffea0001b3abc0
 0000000000000001 ffff880462edfb40 ffff880008b999c0 ffff880460f7c9c0
Call Trace:
 [<ffffffff811244aa>] __test_set_page_writeback+0x3a/0x170
 [<ffffffff811565b0>] ? SyS_madvise+0x790/0x790
 [<ffffffff81156bb6>] __swap_writepage+0x216/0x280
 [<ffffffff8133d592>] ? radix_tree_insert+0x32/0xe0
 [<ffffffff81157741>] ? swap_info_get+0x61/0xf0
 [<ffffffff81159bfc>] ? page_swapcount+0x4c/0x60
 [<ffffffff81156c4d>] swap_writepage+0x2d/0x50
 [<ffffffff81131658>] shmem_writepage+0x198/0x2c0
 [<ffffffff8112cae4>] shrink_page_list+0x464/0xa00
 [<ffffffff8112d666>] shrink_inactive_list+0x266/0x500
 [<ffffffff8112e215>] shrink_lruvec+0x5d5/0x720
 [<ffffffff8112e3bb>] shrink_zone+0x5b/0x190
 [<ffffffff8112ee3f>] kswapd+0x48f/0x8d0
 [<ffffffff8112e9b0>] ? try_to_free_pages+0x4c0/0x4c0
 [<ffffffff81067be2>] kthread+0xd2/0xf0
 [<ffffffff81060000>] ? workqueue_congested+0x30/0x80
 [<ffffffff81067b10>] ? kthread_create_on_node+0x180/0x180
 [<ffffffff816b556c>] ret_from_fork+0x7c/0xb0
 [<ffffffff81067b10>] ? kthread_create_on_node+0x180/0x180
Code: 00 48 c7 c7 8d 8d a4 81 e8 3f 62 eb ff e9 fc fe ff ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 54 49 89 fc 53 <48> 8b 5f 28 48 89 df e8 15 f8 00 00 85 c0 75 11 48 8b 83 d8 00 
RIP  [<ffffffff8119589f>] inode_to_bdi+0xf/0x50
 RSP <ffff880462edf8e8>
CR2: 0000000000000028
---[ end trace eb0e21aa7dad3ddf ]---


-- 
Jens Axboe


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [BUG] Oops in inode_to_bdi()
  2015-01-21 19:17 [BUG] Oops in inode_to_bdi() Jens Axboe
@ 2015-01-21 19:29 ` Christoph Hellwig
  2015-01-21 19:33   ` Jens Axboe
  2015-01-24  1:22   ` Omar Sandoval
  0 siblings, 2 replies; 5+ messages in thread
From: Christoph Hellwig @ 2015-01-21 19:29 UTC (permalink / raw)
  To: Jens Axboe; +Cc: hch, linux-fsdevel

On Wed, Jan 21, 2015 at 12:17:07PM -0700, Jens Axboe wrote:
> Christoph,
> 
> Ran into this one while testing. Looks like mapping->host is NULL, off
> the shmem_writepage().

Hmm.  Not sure how this can happen, but for a NULL inode we can
always just return noop_backing_dev_info safely, I'll cook up a patch.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [BUG] Oops in inode_to_bdi()
  2015-01-21 19:29 ` Christoph Hellwig
@ 2015-01-21 19:33   ` Jens Axboe
  2015-01-21 20:04     ` Jens Axboe
  2015-01-24  1:22   ` Omar Sandoval
  1 sibling, 1 reply; 5+ messages in thread
From: Jens Axboe @ 2015-01-21 19:33 UTC (permalink / raw)
  To: Christoph Hellwig; +Cc: linux-fsdevel

[-- Attachment #1: Type: text/plain, Size: 494 bytes --]

On 01/21/2015 12:29 PM, Christoph Hellwig wrote:
> On Wed, Jan 21, 2015 at 12:17:07PM -0700, Jens Axboe wrote:
>> Christoph,
>>
>> Ran into this one while testing. Looks like mapping->host is NULL, off
>> the shmem_writepage().
>
> Hmm.  Not sure how this can happen, but for a NULL inode we can
> always just return noop_backing_dev_info safely, I'll cook up a patch.

I got 8 of them in a row. Current kernel is running with the attached, 
just to see if I can reproduce it.

-- 
Jens Axboe


[-- Attachment #2: inode-debug.patch --]
[-- Type: text/x-patch, Size: 507 bytes --]

diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
index a20b1145f4d5..4f03e33365e1 100644
--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -68,7 +68,12 @@ EXPORT_SYMBOL(writeback_in_progress);
 
 struct backing_dev_info *inode_to_bdi(struct inode *inode)
 {
-	struct super_block *sb = inode->i_sb;
+	struct super_block *sb;
+
+	if (WARN_ON(!inode))
+		return &noop_backing_dev_info;
+
+	sb = inode->i_sb;
 #ifdef CONFIG_BLOCK
 	if (sb_is_blkdev_sb(sb))
 		return blk_get_backing_dev_info(I_BDEV(inode));

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [BUG] Oops in inode_to_bdi()
  2015-01-21 19:33   ` Jens Axboe
@ 2015-01-21 20:04     ` Jens Axboe
  0 siblings, 0 replies; 5+ messages in thread
From: Jens Axboe @ 2015-01-21 20:04 UTC (permalink / raw)
  To: Christoph Hellwig; +Cc: linux-fsdevel

On 01/21/2015 12:33 PM, Jens Axboe wrote:
> On 01/21/2015 12:29 PM, Christoph Hellwig wrote:
>> On Wed, Jan 21, 2015 at 12:17:07PM -0700, Jens Axboe wrote:
>>> Christoph,
>>>
>>> Ran into this one while testing. Looks like mapping->host is NULL, off
>>> the shmem_writepage().
>>
>> Hmm.  Not sure how this can happen, but for a NULL inode we can
>> always just return noop_backing_dev_info safely, I'll cook up a patch.
>
> I got 8 of them in a row. Current kernel is running with the attached,
> just to see if I can reproduce it.

Works fine with the debug patch. Added a page dump for when we hit this:

page:ffffea0001afa680 count:2 mapcount:0 mapping:          (null) index:0x0
flags: 0x40000000000d0009(locked|uptodate|swapcache|reclaim|swapbacked)

I'll commit the NULL inode work-around.

-- 
Jens Axboe


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [BUG] Oops in inode_to_bdi()
  2015-01-21 19:29 ` Christoph Hellwig
  2015-01-21 19:33   ` Jens Axboe
@ 2015-01-24  1:22   ` Omar Sandoval
  1 sibling, 0 replies; 5+ messages in thread
From: Omar Sandoval @ 2015-01-24  1:22 UTC (permalink / raw)
  To: Christoph Hellwig; +Cc: Jens Axboe, linux-fsdevel

On Wed, Jan 21, 2015 at 11:29:49AM -0800, Christoph Hellwig wrote:
> On Wed, Jan 21, 2015 at 12:17:07PM -0700, Jens Axboe wrote:
> > Christoph,
> > 
> > Ran into this one while testing. Looks like mapping->host is NULL, off
> > the shmem_writepage().
> 
> Hmm.  Not sure how this can happen, but for a NULL inode we can
> always just return noop_backing_dev_info safely, I'll cook up a patch.

Just in case anyone is still wondering, this happens because for a
swapcache page, page_mapping() returns the corresponding address_space
out of swapper_spaces, which doesn't have a valid host pointer. Before
getting rid of backing_dev_info, we would've used swap_backing_dev_info,
which it looks like you replaced with noop_backing_dev_info in your
series, so Jens' fix should be right.

-- 
Omar

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2015-01-24  1:22 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-01-21 19:17 [BUG] Oops in inode_to_bdi() Jens Axboe
2015-01-21 19:29 ` Christoph Hellwig
2015-01-21 19:33   ` Jens Axboe
2015-01-21 20:04     ` Jens Axboe
2015-01-24  1:22   ` Omar Sandoval

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).