hi,
while playing around with fsfuzzer, i got the following oops with jfs:
[ 851.804875] BUG at fs/jfs/jfs_xtree.c:760 assert(!BT_STACK_FULL(btstack))
[ 851.805179] ------------[ cut here ]------------
[ 851.805238] kernel BUG at fs/jfs/jfs_xtree.c:760!
[ 851.805287] invalid opcode: 0000 [#1]
[ 851.805327] PREEMPT
[ 851.805391] Modules linked in:
[ 851.805469] CPU: 0
[ 851.805474] EIP: 0060:[<c028e57a>] Not tainted VLI
[ 851.805482] EFLAGS: 00010286 (2.6.19-git18 #16)
[ 851.805620] EIP is at xtSearch+0x2fa/0x6a0
[ 851.805669] eax: 00000050 ebx: 00000001 ecx: cc826000 edx: 00000000
[ 851.805720] esi: 00030012 edi: cc826b94 ebp: cc826b58 esp: cc826ab8
[ 851.805772] ds: 007b es: 007b ss: 0068
[ 851.805823] Process mount (pid: 4721, ti=cc826000 task=d1faeb10 task.ti=cc826000)
[ 851.805872] Stack: c04fec94 c04feccd 000002f8 c04fecb5 0000f000 00000000 d1faeb10 cc826afc
[ 851.806173] 0000f000 00000000 00000000 c063387c d1faeb10 00000000 00000000 00000000
[ 851.807252] cc053368 cc826b9c cc053088 ffffffff 00000000 00000000 cc0530d8 cc0531e4
[ 851.807513] Call Trace:
[ 851.807593] [<c01045da>] show_trace_log_lvl+0x1a/0x40
[ 851.807697] [<c01046a9>] show_stack_log_lvl+0xa9/0xe0
[ 851.807774] [<c01048c4>] show_registers+0x1e4/0x360
[ 851.807852] [<c0104b3a>] die+0xfa/0x240
[ 851.807925] [<c0104cf3>] do_trap+0x73/0xa0
[ 851.808000] [<c01056b7>] do_invalid_op+0x97/0xc0
[ 851.808077] [<c04734e4>] error_code+0x74/0x80
[ 851.808347] [<c028fb4a>] xtLookup+0xaa/0x240
[ 851.808432] [<c02a3c95>] metapage_get_blocks+0x95/0xe0
[ 851.808512] [<c02a44ea>] metapage_readpage+0xea/0x160
[ 851.808593] [<c014acf3>] read_cache_page+0x93/0x160
[ 851.808676] [<c02a46f4>] __get_metapage+0x114/0x420
[ 851.808754] [<c029a906>] dbMount+0x46/0x160
[ 851.808835] [<c028e024>] jfs_mount+0x84/0x180
[ 851.808913] [<c028a13c>] jfs_fill_super+0x11c/0x2a0
[ 851.808994] [<c016948c>] get_sb_bdev+0xec/0x140
[ 851.809077] [<c0289c21>] jfs_get_sb+0x21/0x40
[ 851.809155] [<c0168f64>] vfs_kern_mount+0xc4/0x140
[ 851.809232] [<c0169029>] do_kern_mount+0x29/0x60
[ 851.809306] [<c017e76b>] do_mount+0x2ab/0x6e0
[ 851.809385] [<c017ec0d>] sys_mount+0x6d/0xc0
[ 851.809460] [<c0102fd0>] syscall_call+0x7/0xb
[ 851.809536] =======================
[ 851.809579] Code: c2 0f 85 20 fe ff ff c7 44 24 0c b5 ec 4f c0 c7 44 24 08
f8 02 00 00 c7 44 24 04 cd ec 4f c0 c7 04 24 94 ec 4f c0 e8 a6 c3 e8 ff <0f>
0b eb fe 89 f6 8b 7d bc f6 47 10 02 0f 84 33 01 00 00 8b 45
[ 851.811210] EIP: [<c028e57a>] xtSearch+0x2fa/0x6a0 SS:ESP 0068:cc826ab8
[ 851.811572]
On a damaged filesystem we might have a full stack and should
not progress further, and return instead of calling BUG()
Signed-off-by: Eric Sesterhenn
--- linux-2.6.19/fs/jfs/jfs_xtree.c.orig 2006-12-18 14:37:07.000000000 +0100
+++ linux-2.6.19/fs/jfs/jfs_xtree.c 2006-12-18 14:37:55.000000000 +0100
@@ -757,6 +757,8 @@ static int xtSearch(struct inode *ip, s6
nsplit = 0;
/* push (bn, index) of the parent page/entry */
+ if (BT_STACK_FULL(btstack))
+ return -EINVAL;
BT_PUSH(btstack, bn, index);
/* get the child page block number */
On Mon, 2006-12-18 at 19:51 +0100, Eric Sesterhenn wrote:
> hi,
>
> while playing around with fsfuzzer, i got the following oops with jfs:
>
> [ 851.804875] BUG at fs/jfs/jfs_xtree.c:760 assert(!BT_STACK_FULL(btstack))
...
> On a damaged filesystem we might have a full stack and should
> not progress further, and return instead of calling BUG()
>
> Signed-off-by: Eric Sesterhenn
>
> --- linux-2.6.19/fs/jfs/jfs_xtree.c.orig 2006-12-18 14:37:07.000000000 +0100
> +++ linux-2.6.19/fs/jfs/jfs_xtree.c 2006-12-18 14:37:55.000000000 +0100
> @@ -757,6 +757,8 @@ static int xtSearch(struct inode *ip, s6
> nsplit = 0;
>
> /* push (bn, index) of the parent page/entry */
> + if (BT_STACK_FULL(btstack))
> + return -EINVAL;
> BT_PUSH(btstack, bn, index);
>
> /* get the child page block number */
>
I typically return -EIO for metadata-corruption problems. I also want
to look at the other places in jfs_xtree.c that call BT_PUSH. I'm on
vacation today, so I'll take a closer look at this tomorrow and push it
upstream.
Thanks!
Shaggy
--
David Kleikamp
IBM Linux Technology Center
On Mon, 2006-12-18 at 19:51 +0100, Eric Sesterhenn wrote:
> hi,
>
> while playing around with fsfuzzer, i got the following oops with jfs:
>
> [ 851.804875] BUG at fs/jfs/jfs_xtree.c:760 assert(!BT_STACK_FULL(btstack))
> [ 851.805179] ------------[ cut here ]------------
> [ 851.805238] kernel BUG at fs/jfs/jfs_xtree.c:760!
...
> On a damaged filesystem we might have a full stack and should
> not progress further, and return instead of calling BUG()
>
> Signed-off-by: Eric Sesterhenn
>
> --- linux-2.6.19/fs/jfs/jfs_xtree.c.orig 2006-12-18 14:37:07.000000000 +0100
> +++ linux-2.6.19/fs/jfs/jfs_xtree.c 2006-12-18 14:37:55.000000000 +0100
> @@ -757,6 +757,8 @@ static int xtSearch(struct inode *ip, s6
> nsplit = 0;
>
> /* push (bn, index) of the parent page/entry */
> + if (BT_STACK_FULL(btstack))
> + return -EINVAL;
This leaks a reference on an xtree page. I'd also like to mark the
superblock dirty here, so that fsck.jfs will fix the file system on the
next boot. jfs_error does this as well as the requested error action.
The default is to remount read-only.
> BT_PUSH(btstack, bn, index);
>
> /* get the child page block number */
>
Do you want to retry your fsfuzzer testing with this patch? I'm going
to take a look at the other calls to BT_PUSH in xtTruncate and
xtTruncate_pmap, but I'm too busy now, so I'll send you what I have so
far (untested).
Signed-off-by: Dave Kleikamp <[email protected]>
diff --git a/fs/jfs/jfs_xtree.c b/fs/jfs/jfs_xtree.c
index e98eb03..176e984 100644
--- a/fs/jfs/jfs_xtree.c
+++ b/fs/jfs/jfs_xtree.c
@@ -757,6 +757,11 @@ static int xtSearch(struct inode *ip, s64 xoff, s64 *nextp,
nsplit = 0;
/* push (bn, index) of the parent page/entry */
+ if (BT_STACK_FULL(btstack)) {
+ jfs_error(ip->i_sb, "stack overrun in xtSearch!");
+ XT_PUTPAGE(mp);
+ return -EIO;
+ }
BT_PUSH(btstack, bn, index);
/* get the child page block number */
--
David Kleikamp
IBM Linux Technology Center