Public bug reported:
Binary package hint: linux-image-2.6.28-11-generic
Linux 2.6.28-11-generic #36-Ubuntu SMP Fri Mar 20 19:51:24 UTC 2009
x86_64 GNU/Linux
If the root directory of a reiserfs partition contains a regular file
named .reiserfs_priv, reiserfs crashes when trying to do operations that
change extended attributes (for example, unlinking a file). I think this
is because the function get_xa_root (fs/reiserfs/xattr.c, line 61)
assumes that privroot (the dentry pointing to .reiserfs_priv in the
partition root) points to a directory, but it can really point to
anything (for example, a regular file). The crash occurs when an attempt
is made to call inode->i_op->lookup on a regular file (fs/namei.c, line
1212), which leads to a null pointer dereference.
dmesg output:
[621321.512413] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[621321.512420] IP: [<0000000000000000>] 0x0
[621321.512425] PGD 66cd2067 PUD 17efa067 PMD 0
[621321.512429] Oops: 0010 [#1] SMP
[621321.512431] last sysfs file: /sys/devices/platform/acer-wmi/rfkill/rfkill0/state
[621321.512434] Dumping ftrace buffer:
[621321.512436] (ftrace buffer empty)
[621321.512437] CPU 0
[621321.512439] Modules linked in: mmc_block tifm_sd usb_storage reiserfs tun nls_iso8859_1 nls_cp437 vfat fat aes_x86_64 aes_generic arc4 ecb ath5k mac80211 cfg80211 i915 drm binfmt_misc ppdev bridge stp bnep input_polldev btusb joydev sbp2 lp parport snd_hda_intel snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event nsc_ircc uvcvideo snd_seq snd_timer snd_seq_device pcmcia compat_ioctl32 psmouse tifm_7xx1 acer_wmi videodev video sdhci_pci sdhci snd soundcore irda yenta_socket rsrc_nonstatic pcmcia_core serio_raw pcspkr tifm_core led_class v4l1_compat iTCO_wdt iTCO_vendor_support output intel_agp snd_page_alloc crc_ccitt usbhid ohci1394 ieee1394 tg3 fbcon tileblit font bitblit softcursor [last unloaded: usb_storage]
[621321.512479] Pid: 29364, comm: vim Not tainted 2.6.28-11-generic #36-Ubuntu
[621321.512480] RIP: 0010:[<0000000000000000>] [<0000000000000000>] 0x0
[621321.512483] RSP: 0018:ffff880065229ca0 EFLAGS: 00010286
[621321.512485] RAX: ffffffffa04d6bc0 RBX: fffffffffffffff4 RCX: 0000000000000000
[621321.512487] RDX: 0000000000000000 RSI: ffff88005d4b8b60 RDI: ffff8800481576d0
[621321.512488] RBP: ffff880065229cd8 R08: 0000000000000006 R09: 0000000000000000
[621321.512490] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88005d4b8b60
[621321.512492] R13: 0000000000000080 R14: ffff880065229ce8 R15: ffff8800481576d0
[621321.512494] FS: 00007f822bd01780(0000) GS:ffffffff80aa3000(0000) knlGS:0000000000000000
[621321.512496] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[621321.512498] CR2: 0000000000000000 CR3: 000000005daef000 CR4: 00000000000006a0
[621321.512499] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[621321.512501] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[621321.512503] Process vim (pid: 29364, threadinfo ffff880065228000, task ffff88007d045980)
[621321.512505] Stack:
[621321.512506] ffffffff802f0847 0000000000000000 ffff8800501cb5b0 ffff8800501cb5b0
[621321.512509] 0000000000000080 ffff88006d1a6800 0000000000000080 ffff880065229d08
[621321.512512] ffffffff802f135a 00000006dc38d979 ffffffffa04d8466 ffff880065229e78
[621321.512516] Call Trace:
[621321.512517] [<ffffffff802f0847>] ? __lookup_hash+0x107/0x170
[621321.512524] [<ffffffff802f135a>] lookup_one_len+0x8a/0xa0
[621321.512527] [<ffffffffa04d33e9>] get_xa_root+0xf9/0x140 [reiserfs]
[621321.512540] [<ffffffffa04d380a>] open_xa_dir+0x2a/0x170 [reiserfs]
[621321.512547] [<ffffffffa04d46d9>] reiserfs_delete_xattrs+0x89/0x1b0 [reiserfs]
[621321.512555] [<ffffffffa04b393f>] reiserfs_delete_inode+0xaf/0x150 [reiserfs]
[621321.512563] [<ffffffff80318093>] ? inotify_inode_is_dead+0x93/0xb0
[621321.512567] [<ffffffffa04b3890>] ? reiserfs_delete_inode+0x0/0x150 [reiserfs]
[621321.512575] [<ffffffff802fd8a3>] generic_delete_inode+0xc3/0x1a0
[621321.512578] [<ffffffff802fd9a5>] generic_drop_inode+0x25/0x30
[621321.512581] [<ffffffff802fc5ad>] iput+0x5d/0x70
[621321.512583] [<ffffffff802f41a3>] do_unlinkat+0x113/0x1d0
[621321.512586] [<ffffffff802e91ed>] ? fput+0x1d/0x30
[621321.512589] [<ffffffff802e568b>] ? filp_close+0x5b/0x90
[621321.512592] [<ffffffff802f4271>] sys_unlink+0x11/0x20
[621321.512595] [<ffffffff8021253a>] system_call_fastpath+0x16/0x1b
[621321.512599] Code: Bad RIP value.
[621321.512602] RIP [<0000000000000000>] 0x0
[621321.512605] RSP <ffff880065229ca0>
[621321.512607] CR2: 0000000000000000
[621321.512609] ---[ end trace 234f48ccbf3ca0c5 ]---
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
--
reiserfs: crash when extended attributes are enabled and /.reiserfs_priv is a
regular file
https://bugs.launchpad.net/bugs/367789
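Added example (not part of the original report or of the kernel source): a small triage routine that reads an oops like the one above and confirms it is a call through a NULL function pointer rather than a data access, by decoding the x86 page-fault error code on the "Oops:" line and checking that the faulting IP is 0. The name triage and the SAMPLE text are assumptions of this example; SAMPLE is constructed from lines of the dmesg output in the report.

```python
import re

# Constructed sample: key lines of the oops above, wrapped lines rejoined.
SAMPLE = """\
[621321.512413] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[621321.512420] IP: [<0000000000000000>] 0x0
[621321.512429] Oops: 0010 [#1] SMP
[621321.512517] [<ffffffff802f0847>] ? __lookup_hash+0x107/0x170
[621321.512524] [<ffffffff802f135a>] lookup_one_len+0x8a/0xa0
[621321.512527] [<ffffffffa04d33e9>] get_xa_root+0xf9/0x140 [reiserfs]
[621321.512540] [<ffffffffa04d380a>] open_xa_dir+0x2a/0x170 [reiserfs]
[621321.512592] [<ffffffff802f4271>] sys_unlink+0x11/0x20
"""

# x86 page-fault error code bits; the "Oops:" line prints the code in hex.
PF_BITS = [(0x01, "protection"), (0x02, "write"), (0x04, "user"),
           (0x08, "reserved-bit"), (0x10, "instruction-fetch")]

OOPS = re.compile(r"Oops:\s+([0-9a-f]{4})\b")
IP = re.compile(r"\bIP: \[<([0-9a-f]+)>\]")
FRAME = re.compile(r"\[<[0-9a-f]+>\]\s+(\?\s+)?(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+"
                   r"(?:\s+\[(\w+)\])?")

def triage(log):
    """Classify an x86 oops and locate the code that led to it."""
    code, ip, frames = None, None, []
    for line in log.splitlines():
        if (m := OOPS.search(line)):
            code = int(m.group(1), 16)
        elif (m := IP.search(line)):
            ip = int(m.group(1), 16)
        elif (m := FRAME.search(line)):
            # "?" marks an address the unwinder could not verify.
            frames.append((m.group(2), m.group(3), m.group(1) is None))
    flags = [name for bit, name in PF_BITS if code is not None and code & bit]
    module_frames = [(f, mod) for f, mod, ok in frames if mod and ok]
    return {
        "flags": flags,
        # Fetching an instruction from address 0: a NULL function pointer call.
        "null_call": ip == 0 and "instruction-fetch" in flags,
        # Top trace entry; here it matches the first word of the stack dump.
        "return_site": frames[0][0] if frames else None,
        "first_module_frame": module_frames[0] if module_frames else None,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, the result points at __lookup_hash as the site of the NULL call and at get_xa_root in the reiserfs module as the first module-owned frame, which is consistent with the analysis in the report.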