Re: Problem with current->journal_info for BTRFS, Null pointer dereference in start_transaction

2018-05-07 Thread Liu Bo
On Mon, May 7, 2018 at 2:49 PM, robbieko wrote:
> Hi,
>
> When the send process requires memory allocation, the shrinker may be triggered due
> to insufficient memory.
> Then evict_inode gets called when the inode is dropped, and this function may
> need to start a transaction.
> However, journal_info already points to BTRFS_SEND_TRANS_STUB, so it
> passes the if condition,
> and the following use yields illegal memory access.
>
>  495 if (current->journal_info) {
>  496 WARN_ON(type & TRANS_EXTWRITERS);
>  497 h = current->journal_info;
>  498 refcount_inc(&h->use_count);
>  499 WARN_ON(refcount_read(&h->use_count) > 2);
>  500 h->orig_rsv = h->block_rsv;
>  501 h->block_rsv = NULL;
>  502 goto got_it;
>  503 }
>
> Direct IO has a similar problem, journal_info will store btrfs_dio_data,
> which will lead to illegal memory access.
>
> Anyone have the best solution?
>

btrfs_evict_inode() only starts a transaction before doing the truncate,
thus we can save the trans_handle and restore it afterwards.

The same can be applied to direct IO, as we used to do.

thanks,
liubo
> CallTrace looks like this:
> 018-04-30T04:28:00+08:00 Office kernel: [62182.567827] BUG: unable to handle
> kernel NULL pointer dereference at 0021
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.576596] IP:
> [] start_transaction+0x64/0x450 [btrfs]
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.584208] PGD 8fea4b067 PUD
> a33bea067 PMD 0
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.589179] Oops:  [#1] SMP
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.734282] CPU: 3 PID: 12681
> Comm: btrfs Tainted: P C O 3.10.102 #15266
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.742554] Hardware name:
> Synology Inc. RS3617xs Series/Type2 - Board Product Name1, BIOS M.012
> 2016/06/04
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.753451] task:
> 880a2babc040 ti: 880013e8 task.ti: 880013e8
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.761819] RIP:
> 0010:[] [] start_transaction+0x64/0x450
> [btrfs]
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.772148] RSP:
> 0018:880013e834d0 EFLAGS: 00010246
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.778085] RAX:
> 880a2babc040 RBX: 880b7e8488a0 RCX: 
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.786063] RDX:
> 88101c1bc000 RSI:  RDI: 
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.794034] RBP:
> 0801 R08: 0001 R09: 
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.802012] R10:
> 0100 R11: 0002 R12: 881018148000
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.809983] R13:
> 0001 R14: 88101c1bc188 R15: 881018148000
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.817961] FS:
> 7f3db36038c0() GS:88107fc6() knlGS:
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.827001] CS: 0010 DS: 
> ES:  CR0: 80050033
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.833424] CR2:
> 0021 CR3: 000633403000 CR4: 003407e0
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.841394] DR0:
>  DR1:  DR2: 
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.849373] DR3:
>  DR6: fffe0ff0 DR7: 0400
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.857351] Stack:
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.859585] 0002
> 881018148000 880b7e8488a0 0002
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.867869] 880933256540
> 880013e83550 88101c1bc188 881018148000
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.876161] a087a838
> 0007  88101c1bc000
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.884450] Call Trace:
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.887198] []
> ? btrfs_evict_inode+0x3d8/0x580 [btrfs]
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.894799] []
> ? evict+0xa2/0x1a0
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.900352] []
> ? shrink_dentry_list+0x308/0x3d0
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.907263] []
> ? prune_dcache_sb+0x133/0x160
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.913881] []
> ? prune_super+0xcf/0x1a0
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.920013] []
> ? shrink_slab+0x11f/0x1d0
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.926242] []
> ? do_try_to_free_pages+0x452/0x560
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.97] []
> ? throttle_direct_reclaim+0x74/0x240
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.940634] []
> ? try_to_free_pages+0xae/0xc0
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.947252] []
> ? __alloc_pages_nodemask+0x53b/0x9f0
> 2018-04-30T04:28:00+08:00 Office kernel: [62182.954542] []
> ? __do_page_c
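The hazard robbieko describes and the save/restore approach Liu Bo suggests, modelled in user-space C as an added example (this is not kernel code and not from the thread). The names model_start_transaction, evict_unfixed, evict_fixed, run_send_reclaim_scenario and run_nested_real_handle_case are invented for the model; the stub is assumed to be the small non-NULL value (void *)1, which fits the faulting address 0x21 in the trace as a field offset from it. Where the kernel would oops, the model returns NULL so the outcome can be checked.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal model of btrfs_trans_handle: only the fields touched by the
 * quoted start_transaction() lines. */
struct trans_handle {
    unsigned use_count;
    void *block_rsv;
    void *orig_rsv;
};

/* Stand-in for BTRFS_SEND_TRANS_STUB (assumed value): non-NULL, but not
 * a real handle. Dereferencing it is exactly the bug in the thread. */
#define SEND_TRANS_STUB ((struct trans_handle *)1)

/* Model of current->journal_info for one task. */
static struct trans_handle *journal_info;

/* Model of the quoted check: any non-NULL journal_info is trusted as a
 * handle to join. The kernel would oops on the stub; the model returns
 * NULL instead so the failure is observable. */
static struct trans_handle *model_start_transaction(void)
{
    if (journal_info) {
        if (journal_info == SEND_TRANS_STUB)
            return NULL;            /* kernel: NULL-pointer oops here */
        journal_info->use_count++;  /* refcount_inc(&h->use_count) */
        journal_info->orig_rsv = journal_info->block_rsv;
        journal_info->block_rsv = NULL;
        return journal_info;
    }
    struct trans_handle *h = calloc(1, sizeof *h);
    if (!h)
        return NULL;
    h->use_count = 1;
    journal_info = h;
    return h;
}

static void model_end_transaction(struct trans_handle *h)
{
    if (--h->use_count == 0) {
        journal_info = NULL;
        free(h);
    } else {
        h->block_rsv = h->orig_rsv; /* joined handle: undo the rsv swap */
    }
}

/* evict_inode as the thread describes it: starts a transaction with
 * whatever journal_info currently holds. */
static bool evict_unfixed(void)
{
    struct trans_handle *h = model_start_transaction();
    if (!h)
        return false;
    model_end_transaction(h);
    return true;
}

/* evict_inode with Liu Bo's suggestion: park the task's journal_info,
 * run the transaction on a fresh handle, then restore it. */
static bool evict_fixed(void)
{
    struct trans_handle *saved = journal_info;
    journal_info = NULL;
    struct trans_handle *h = model_start_transaction();
    bool ok = (h != NULL);
    if (h)
        model_end_transaction(h);
    journal_info = saved;
    return ok;
}

/* Scenario from the thread: send has stored the stub, then memory reclaim
 * evicts an inode on the same task. True only if the evict completed and
 * send's stub is still in place afterwards. */
bool run_send_reclaim_scenario(bool fixed)
{
    journal_info = SEND_TRANS_STUB;
    bool ok = fixed ? evict_fixed() : evict_unfixed();
    bool stub_intact = (journal_info == SEND_TRANS_STUB);
    journal_info = NULL;
    return ok && stub_intact;
}

/* The legitimate case the check exists for: a real outer transaction is
 * joined by the nested start, and its refcount drops back to 1. */
bool run_nested_real_handle_case(void)
{
    struct trans_handle *outer = model_start_transaction();
    if (!outer)
        return false;
    bool joined = evict_unfixed() && outer->use_count == 1 && journal_info == outer;
    model_end_transaction(outer);
    return joined && journal_info == NULL;
}

int main(void)
{
    printf("unfixed evict under send: %s\n",
           run_send_reclaim_scenario(false) ? "ok" : "would oops");
    printf("fixed evict under send:   %s\n",
           run_send_reclaim_scenario(true) ? "ok" : "would oops");
    printf("nested real handle:       %s\n",
           run_nested_real_handle_case() ? "ok" : "broken");
    return 0;
}
```

The point the model makes is that the `if (current->journal_info)` check conflates "a transaction is already open" with "journal_info is non-NULL", and the send stub breaks that assumption; clearing and restoring the field around the nested transaction keeps the stub out of start_transaction without changing the check itself.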

Problem with current->journal_info for BTRFS, Null pointer dereference in start_transaction

2018-05-06 Thread robbieko

Hi,

When the send process requires memory allocation, the shrinker may be triggered 
due to insufficient memory.
Then evict_inode gets called when the inode is dropped, and this function 
may need to start a transaction.
However, journal_info already points to BTRFS_SEND_TRANS_STUB, so it 
passes the if condition,
and the following use yields illegal memory access.

 495 if (current->journal_info) {
 496 WARN_ON(type & TRANS_EXTWRITERS);
 497 h = current->journal_info;
 498 refcount_inc(&h->use_count);
 499 WARN_ON(refcount_read(&h->use_count) > 2);
 500 h->orig_rsv = h->block_rsv;
 501 h->block_rsv = NULL;
 502 goto got_it;
 503 }

Direct IO has a similar problem, journal_info will store btrfs_dio_data, 
which will lead to illegal memory access.


Anyone have the best solution?

CallTrace looks like this:
018-04-30T04:28:00+08:00 Office kernel: [62182.567827] BUG: unable to 
handle kernel NULL pointer dereference at 0021
2018-04-30T04:28:00+08:00 Office kernel: [62182.576596] IP: 
[] start_transaction+0x64/0x450 [btrfs]
2018-04-30T04:28:00+08:00 Office kernel: [62182.584208] PGD 8fea4b067 
PUD a33bea067 PMD 0
2018-04-30T04:28:00+08:00 Office kernel: [62182.589179] Oops:  [#1] 
SMP
2018-04-30T04:28:00+08:00 Office kernel: [62182.734282] CPU: 3 PID: 
12681 Comm: btrfs Tainted: P C O 3.10.102 #15266
2018-04-30T04:28:00+08:00 Office kernel: [62182.742554] Hardware name: 
Synology Inc. RS3617xs Series/Type2 - Board Product Name1, BIOS M.012 
2016/06/04
2018-04-30T04:28:00+08:00 Office kernel: [62182.753451] task: 
880a2babc040 ti: 880013e8 task.ti: 880013e8
2018-04-30T04:28:00+08:00 Office kernel: [62182.761819] RIP: 
0010:[] [] 
start_transaction+0x64/0x450 [btrfs]
2018-04-30T04:28:00+08:00 Office kernel: [62182.772148] RSP: 
0018:880013e834d0 EFLAGS: 00010246
2018-04-30T04:28:00+08:00 Office kernel: [62182.778085] RAX: 
880a2babc040 RBX: 880b7e8488a0 RCX: 
2018-04-30T04:28:00+08:00 Office kernel: [62182.786063] RDX: 
88101c1bc000 RSI:  RDI: 
2018-04-30T04:28:00+08:00 Office kernel: [62182.794034] RBP: 
0801 R08: 0001 R09: 
2018-04-30T04:28:00+08:00 Office kernel: [62182.802012] R10: 
0100 R11: 0002 R12: 881018148000
2018-04-30T04:28:00+08:00 Office kernel: [62182.809983] R13: 
0001 R14: 88101c1bc188 R15: 881018148000
2018-04-30T04:28:00+08:00 Office kernel: [62182.817961] FS: 
7f3db36038c0() GS:88107fc6() knlGS:
2018-04-30T04:28:00+08:00 Office kernel: [62182.827001] CS: 0010 DS: 
 ES:  CR0: 80050033
2018-04-30T04:28:00+08:00 Office kernel: [62182.833424] CR2: 
0021 CR3: 000633403000 CR4: 003407e0
2018-04-30T04:28:00+08:00 Office kernel: [62182.841394] DR0: 
 DR1:  DR2: 
2018-04-30T04:28:00+08:00 Office kernel: [62182.849373] DR3: 
 DR6: fffe0ff0 DR7: 0400

2018-04-30T04:28:00+08:00 Office kernel: [62182.857351] Stack:
2018-04-30T04:28:00+08:00 Office kernel: [62182.859585] 0002 
881018148000 880b7e8488a0 0002
2018-04-30T04:28:00+08:00 Office kernel: [62182.867869] 880933256540 
880013e83550 88101c1bc188 881018148000
2018-04-30T04:28:00+08:00 Office kernel: [62182.876161] a087a838 
0007  88101c1bc000

2018-04-30T04:28:00+08:00 Office kernel: [62182.884450] Call Trace:
2018-04-30T04:28:00+08:00 Office kernel: [62182.887198] 
[] ? btrfs_evict_inode+0x3d8/0x580 [btrfs]
2018-04-30T04:28:00+08:00 Office kernel: [62182.894799] 
[] ? evict+0xa2/0x1a0
2018-04-30T04:28:00+08:00 Office kernel: [62182.900352] 
[] ? shrink_dentry_list+0x308/0x3d0
2018-04-30T04:28:00+08:00 Office kernel: [62182.907263] 
[] ? prune_dcache_sb+0x133/0x160
2018-04-30T04:28:00+08:00 Office kernel: [62182.913881] 
[] ? prune_super+0xcf/0x1a0
2018-04-30T04:28:00+08:00 Office kernel: [62182.920013] 
[] ? shrink_slab+0x11f/0x1d0
2018-04-30T04:28:00+08:00 Office kernel: [62182.926242] 
[] ? do_try_to_free_pages+0x452/0x560
2018-04-30T04:28:00+08:00 Office kernel: [62182.97] 
[] ? throttle_direct_reclaim+0x74/0x240
2018-04-30T04:28:00+08:00 Office kernel: [62182.940634] 
[] ? try_to_free_pages+0xae/0xc0
2018-04-30T04:28:00+08:00 Office kernel: [62182.947252] 
[] ? __alloc_pages_nodemask+0x53b/0x9f0
2018-04-30T04:28:00+08:00 Office kernel: [62182.954542] 
[] ? __do_page_cache_readahead+0xec/0x270
2018-04-30T04:28:00+08:00 Office kernel: [62182.962035] 
[] ? ondemand_readahead+0xbb/0x220
2018-04-30T04:28:00+08:00 Office kernel: [62182.968863] 
[] ? fill_read_buf+0x2b3/0x3a0 [btrfs]
2018-04-30T04:28:00+08:00 Office kernel: [62182.976073] 
[] ? send_extent_data+0x10e/0x300 [btrfs]
2018-04-30T04:28:00+08:00 Office kernel: [62182.983566] 
[] ? process_extent+0x1fb/0x