From: Edward Shishkin <edward@namesys.com>
To: Zan Lynx <zlynx@acm.org>
Cc: Linux Kernel <linux-kernel@vger.kernel.org>,
ReiserFS Mailing List <reiserfs-devel@vger.kernel.org>,
"Vladimir V. Saveliev" <vs@namesys.com>
Subject: Re: 2.6.22-rc6-mm1 reiser4_tree_by_page NULL pointer
Date: Wed, 11 Jul 2007 22:39:54 +0400 [thread overview]
Message-ID: <469523FA.7010308@namesys.com> (raw)
In-Reply-To: <1184090582.6933.20.camel@localhost>
[-- Attachment #1: Type: text/plain, Size: 4513 bytes --]
I have found the bug, which kills data
when booting after crash, power loss, etc.
The patch is attached.
Please, ping me, if it doesn't help..
Thanks,
Edward.
Zan Lynx wrote:
>This bug is annoying enough that I mostly stopped using rc6-mm1, which
>is why it took this long to make a report. Previous crashes were
>tainted.
>
>I recall seeing something about page table problems with this rc6-mm1
>but I don't know if that's what happened to me.
>
>System highlights are: x86_64, SLUB, Reiser4, ZONE_MOVABLE
>(kernelcore=384M), PATA with libata.
>
>So here it is:
>netconsole: network logging started
>eth0: no IPv6 routers present
>Hangcheck: hangcheck value past margin!
>ISO 9660 Extensions: Microsoft Joliet Level 3
>ISO 9660 Extensions: RRIP_1991A
>Hangcheck: hangcheck value past margin!
>Hangcheck: hangcheck value past margin!
>Hangcheck: hangcheck value past margin!
>Hangcheck: hangcheck value past margin!
>Hangcheck: hangcheck value past margin!
>Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP:
> [<ffffffff8033d324>] reiser4_tree_by_page+0x4/0x20
>PGD 9a69067 PUD 9a57067 PMD 0
>Oops: 0000 [1] PREEMPT SMP
>CPU 0
>Modules linked in: nls_iso8859_1 isofs nls_base netconsole usbhid hid snd_pcm_oss snd_mixer_oss ipv6 snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_timer snd snd_page_alloc ehci_hcd ohci_hcd usbcore evdev psmouse serio_raw sg
>Pid: 10479, comm: rhythmbox Not tainted 2.6.22-rc6-mm1 #3
>RIP: 0010:[<ffffffff8033d324>] [<ffffffff8033d324>] reiser4_tree_by_page+0x4/0x20
>RSP: 0018:ffff810011c21940 EFLAGS: 00010296
>RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000c
>RDX: 00000000000000f0 RSI: 0000000000000000 RDI: ffff810002135d80
>RBP: ffff810002135d80 R08: 0000000000000000 R09: 0000000000000001
>R10: 00000000000002b2 R11: ffffffff8035a350 R12: ffff810002135d80
>R13: ffff810011c21a90 R14: ffff81000e5fcdbc R15: ffff81000e5fcdbc
>FS: 0000000042003940(0063) GS:ffffffff8075b000(0000) knlGS:00000000f7ddf6b0
>CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
>CR2: 0000000000000000 CR3: 0000000004368000 CR4: 00000000000006e0
>DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
>Process rhythmbox (pid: 10479, threadinfo ffff810011c20000, task ffff8100007b2f10)
>Stack: ffffffff8032649a ffff810011c21a90 0000000000000000 ffff810002135d80
> ffff810011c21a58 ffff810011c21a90 ffff81000e5fcdbc ffff81000e5fcdbc
> ffff810000000002 [<ffffffff8034dc96>] readpages_unix_file+0x56/0xc0
> [<ffffffff80282d05>] do_generic_mapping_read+0x2f5/0x4b0
> [<ffffffff80254580>] autoremove_wake_function+0x0/0x30
> [<ffffffff8034cf9f>] read_unix_file+0x49f/0x4c0
> [<ffffffff802ad995>] vfs_read+0xc5/0x180
>Code: 80 00 04
> RSP <ffff810011c21940>
>Bad page state in process 'gdb'
>page:ffff810002135d80 flags:0xc000000000000001 mapping:0000000000000000 mapcount:0 count:0
>Trying to fix it up, but a reboot is needed
>Backtrace:
>
>Call Trace:
> [<ffffffff80286c0b>] bad_page+0x6b/0x120
> [<ffffffff80287f65>] get_page_from_freelist+0x435/0x520
> [<ffffffff8028812e>] __alloc_pages+0x9e/0x3c0
> [<ffffffff80292e6b>] __handle_mm_fault+0x4eb/0x930
> [<ffffffff80530d1e>] do_page_fault+0x14e/0x8c0
> [<ffffffff80530d9b>] do_page_fault+0x1cb/0x8c0
> [<ffffffff80234a0f>] dequeue_entity+0xaf/0xf0
> [<ffffffff8052e7df>] _spin_unlock_irq+0x2f/0x50
> [<ffffffff8052ee0d>] error_exit+0x0/0x96
> [<ffffffff802820bd>] file_read_actor+0x10d/0x1b0
> [<ffffffff80282c41>] do_generic_mapping_read+0x231/0x4b0
> [<ffffffff80281fb0>] file_read_actor+0x0/0x1b0
> [<ffffffff80284f46>] generic_file_aio_read+0x106/0x1c0
> [<ffffffff802ad019>] do_sync_read+0xd9/0x120
> [<ffffffff802a723b>] check_bytes_and_report+0x4b/0x100
> [<ffffffff802a7704>] check_object+0x224/0x260
> [<ffffffff80254580>] autoremove_wake_function+0x0/0x30
> [<ffffffff8052e669>] _spin_unlock+0x29/0x50
> [<ffffffff80330e2c>] reiser4_grab+0x8c/0xd0
> [<ffffffff8034cf9f>] read_unix_file+0x49f/0x4c0
> [<ffffffff802b0da5>] cp_new_stat+0xe5/0x100
> [<ffffffff802ad995>] vfs_read+0xc5/0x180
> [<ffffffff802ade93>] sys_read+0x53/0x90
> [<ffffffff8020c1de>] system_call+0x7e/0x83
>
>INFO: lockdep is turned off.
>Hexdump:
>000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>010: 00 00 00 00 00 00 00 00SysRq : Emergency Sync
>Emergency Sync complete
>SysRq : Emergency Sync
>Emergency Sync complete
>Hangcheck: hangcheck value past margin!
>SysRq : Emergency Sync
>Emergency Sync complete
>SysRq : Resetting
>
>
[-- Attachment #2: reiser4-fix-extent2tail.patch --]
[-- Type: text/x-patch, Size: 1489 bytes --]
Fixed bug in extent2tail conversion.
Bug description:
when converting partially converted file
(with flag REISER4_PART_MIXED installed)
reiser4_cut_tree() starts to cut old metatada
from wrong offset. Result is data corruption.
Signed-off-by: Edward Shishkin <edward@namesys.com>
---
linux-2.6.22-rc6-mm1/fs/reiser4/plugin/file/file.c | 7 -------
linux-2.6.22-rc6-mm1/fs/reiser4/plugin/file/tail_conversion.c | 2 +-
2 files changed, 1 insertion(+), 8 deletions(-)
--- linux-2.6.22-rc6-mm1/fs/reiser4/plugin/file/tail_conversion.c.orig
+++ linux-2.6.22-rc6-mm1/fs/reiser4/plugin/file/tail_conversion.c
@@ -620,7 +620,7 @@
}
/* cut part of file we have read */
- start_byte = (__u64) (i << PAGE_CACHE_SHIFT);
+ start_byte = (__u64) ((i + start_page) << PAGE_CACHE_SHIFT);
set_key_offset(&from, start_byte);
set_key_offset(&to, start_byte + PAGE_CACHE_SIZE - 1);
/*
--- linux-2.6.22-rc6-mm1/fs/reiser4/plugin/file/file.c.orig
+++ linux-2.6.22-rc6-mm1/fs/reiser4/plugin/file/file.c
@@ -195,13 +195,6 @@
assert("vs-1164", level == LEAF_LEVEL || level == TWIG_LEVEL);
if (uf_info->container == UF_CONTAINER_UNKNOWN) {
- /*
- * container is unknown, therefore conversion can not be in
- * progress
- */
- assert("",
- !reiser4_inode_get_flag(unix_file_info_to_inode(uf_info),
- REISER4_PART_IN_CONV));
if (cbk_result == CBK_COORD_NOTFOUND)
uf_info->container = UF_CONTAINER_EMPTY;
else if (level == LEAF_LEVEL)
next prev parent reply other threads:[~2007-07-11 19:40 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-07-10 18:03 2.6.22-rc6-mm1 reiser4_tree_by_page NULL pointer Zan Lynx
2007-07-11 18:39 ` Edward Shishkin [this message]
2007-07-12 20:31 ` Zan Lynx
2007-07-13 16:41 ` Zan Lynx
2007-07-16 18:50 ` [patch 0/3] reiser4 fixups Edward Shishkin
2007-07-17 16:24 ` Zan Lynx
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=469523FA.7010308@namesys.com \
--to=edward@namesys.com \
--cc=linux-kernel@vger.kernel.org \
--cc=reiserfs-devel@vger.kernel.org \
--cc=vs@namesys.com \
--cc=zlynx@acm.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox