reiserfs: crash when extended attributes are enabled and /.reiserfs_priv is a regular file

Bug #367789 reported by Evgeny Kapun on 2009-04-27
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: linux-image-2.6.28-11-generic

Linux 2.6.28-11-generic #36-Ubuntu SMP Fri Mar 20 19:51:24 UTC 2009 x86_64 GNU/Linux

If root directory of reiserfs partition contains regular file named .reiserfs_priv, reiserfs crashes when trying to do operations that change extended attributes (for example, unlinking a file). I think this is because function get_xa_root (fs/reiserfs/xattr.c, line 61) assumes that privroot (dentry pointing to .reiserfs_priv in partition root) points to directory, but it can really point to anything (for example, regular file). Crash occurs when an attempt is made to call inode->i_op->lookup on regular file (fs/namei.c, line 1212), which leads to null pointer dereference.

dmesg output:
[621321.512413] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[621321.512420] IP: [<0000000000000000>] 0x0
[621321.512425] PGD 66cd2067 PUD 17efa067 PMD 0
[621321.512429] Oops: 0010 [#1] SMP
[621321.512431] last sysfs file: /sys/devices/platform/acer-wmi/rfkill/rfkill0/state
[621321.512434] Dumping ftrace buffer:
[621321.512436] (ftrace buffer empty)
[621321.512437] CPU 0
[621321.512439] Modules linked in: mmc_block tifm_sd usb_storage reiserfs tun nls_iso8859_1 nls_cp437 vfat fat aes_x86_64 aes
_generic arc4 ecb ath5k mac80211 cfg80211 i915 drm binfmt_misc ppdev bridge stp bnep input_polldev btusb joydev sbp2 lp parpo
rt snd_hda_intel snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event nsc_
ircc uvcvideo snd_seq snd_timer snd_seq_device pcmcia compat_ioctl32 psmouse tifm_7xx1 acer_wmi videodev video sdhci_pci sdhc
i snd soundcore irda yenta_socket rsrc_nonstatic pcmcia_core serio_raw pcspkr tifm_core led_class v4l1_compat iTCO_wdt iTCO_v
endor_support output intel_agp snd_page_alloc crc_ccitt usbhid ohci1394 ieee1394 tg3 fbcon tileblit font bitblit softcursor [
last unloaded: usb_storage]
[621321.512479] Pid: 29364, comm: vim Not tainted 2.6.28-11-generic #36-Ubuntu
[621321.512480] RIP: 0010:[<0000000000000000>] [<0000000000000000>] 0x0
[621321.512483] RSP: 0018:ffff880065229ca0 EFLAGS: 00010286
[621321.512485] RAX: ffffffffa04d6bc0 RBX: fffffffffffffff4 RCX: 0000000000000000
[621321.512487] RDX: 0000000000000000 RSI: ffff88005d4b8b60 RDI: ffff8800481576d0
[621321.512488] RBP: ffff880065229cd8 R08: 0000000000000006 R09: 0000000000000000
[621321.512490] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88005d4b8b60
[621321.512492] R13: 0000000000000080 R14: ffff880065229ce8 R15: ffff8800481576d0
[621321.512494] FS: 00007f822bd01780(0000) GS:ffffffff80aa3000(0000) knlGS:0000000000000000
[621321.512496] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[621321.512498] CR2: 0000000000000000 CR3: 000000005daef000 CR4: 00000000000006a0
[621321.512499] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[621321.512501] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[621321.512503] Process vim (pid: 29364, threadinfo ffff880065228000, task ffff88007d045980)
[621321.512505] Stack:
[621321.512506] ffffffff802f0847 0000000000000000 ffff8800501cb5b0 ffff8800501cb5b0
[621321.512509] 0000000000000080 ffff88006d1a6800 0000000000000080 ffff880065229d08
[621321.512512] ffffffff802f135a 00000006dc38d979 ffffffffa04d8466 ffff880065229e78
[621321.512516] Call Trace:
[621321.512517] [<ffffffff802f0847>] ? __lookup_hash+0x107/0x170
[621321.512524] [<ffffffff802f135a>] lookup_one_len+0x8a/0xa0
[621321.512527] [<ffffffffa04d33e9>] get_xa_root+0xf9/0x140 [reiserfs]
[621321.512540] [<ffffffffa04d380a>] open_xa_dir+0x2a/0x170 [reiserfs]
[621321.512547] [<ffffffffa04d46d9>] reiserfs_delete_xattrs+0x89/0x1b0 [reiserfs]
[621321.512555] [<ffffffffa04b393f>] reiserfs_delete_inode+0xaf/0x150 [reiserfs]
[621321.512563] [<ffffffff80318093>] ? inotify_inode_is_dead+0x93/0xb0
[621321.512567] [<ffffffffa04b3890>] ? reiserfs_delete_inode+0x0/0x150 [reiserfs]
[621321.512575] [<ffffffff802fd8a3>] generic_delete_inode+0xc3/0x1a0
[621321.512578] [<ffffffff802fd9a5>] generic_drop_inode+0x25/0x30
[621321.512581] [<ffffffff802fc5ad>] iput+0x5d/0x70
[621321.512583] [<ffffffff802f41a3>] do_unlinkat+0x113/0x1d0
[621321.512586] [<ffffffff802e91ed>] ? fput+0x1d/0x30
[621321.512589] [<ffffffff802e568b>] ? filp_close+0x5b/0x90
[621321.512592] [<ffffffff802f4271>] sys_unlink+0x11/0x20
[621321.512595] [<ffffffff8021253a>] system_call_fastpath+0x16/0x1b
[621321.512599] Code: Bad RIP value.
[621321.512602] RIP [<0000000000000000>] 0x0
[621321.512605] RSP <ffff880065229ca0>
[621321.512607] CR2: 0000000000000000
[621321.512609] ---[ end trace 234f48ccbf3ca0c5 ]---

This bug was reported a while ago and there hasn't been any activity in
it recently. We were wondering if this is still an issue? Can you try
with the latest Karmic 9.10 release of Ubuntu? ISO CD images are
available from http://cdimage.ubuntu.com/releases/ .

If the issue remains, could you run the following command from a
Terminal (Applications->Accessories->Terminal) while running Karmic. It
will automatically gather and attach updated debug information to this
report.

apport-collect -p linux 367789

Thanks in advance

tags: added: jaunty
Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: apport-collected
Evgeny Kapun (abacabadabacaba) wrote :
Download full text (3.8 KiB)

As of linux 2.6.32-10-generic, this bug is still valid. Now it crashes when mounting, not unlinking.

dmesg:
[ 1179.233464] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 1179.233472] IP: [<(null)>] (null)
[ 1179.233475] PGD 50880067 PUD 508f1067 PMD 0
[ 1179.233479] Oops: 0010 [#1] SMP
[ 1179.233482] last sysfs file: /sys/devices/pci0000:00/0000:00:1d.0/usb5/5-1/5-1:1.1/ttyUSB1/tty/ttyUSB1/uevent
[ 1179.233486] CPU 0
[ 1179.233488] Modules linked in: reiserfs ppp_async option usbserial bridge stp bnep snd_hda_codec_realtek btusb joydev fbcon tileblit font bitblit softcursor vga16fb vgastate arc4 snd_hda_intel snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq yenta_socket snd_timer snd_seq_device ath5k tifm_7xx1 nsc_ircc sdhci_pci rsrc_nonstatic i915 drm_kms_helper usb_storage acer_wmi mac80211 ath uvcvideo tifm_core sdhci irda crc_ccitt usbhid pcmcia_core drm i2c_algo_bit psmouse serio_raw videodev v4l1_compat v4l2_compat_ioctl32 snd cfg80211 led_class soundcore snd_page_alloc video output intel_agp ohci1394 ieee1394 tg3 nbd
[ 1179.233536] Pid: 1865, comm: mount Not tainted 2.6.32-10-generic #14-Ubuntu Extensa 5220
[ 1179.233539] RIP: 0010:[<0000000000000000>] [<(null)>] (null)
[ 1179.233542] RSP: 0000:ffff880050883b90 EFLAGS: 00010286
[ 1179.233544] RAX: ffffffffa04f2060 RBX: ffff88005a7ea3c0 RCX: 0000000000000000
[ 1179.233546] RDX: 0000000000000000 RSI: ffff88005a7ea3c0 RDI: ffff8800674c4350
[ 1179.233549] RBP: ffff880050883bd8 R08: ffff880001c12200 R09: 00000000000000c0
[ 1179.233551] R10: 0000000000000001 R11: 0000000000000000 R12: ffff880050883bf8
[ 1179.233553] R13: ffff8800674c4350 R14: fffffffffffffff4 R15: 0000000000000000
[ 1179.233556] FS: 00007f08b76d77e0(0000) GS:ffff880001c00000(0000) knlGS:0000000000000000
[ 1179.233558] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 1179.233560] CR2: 0000000000000000 CR3: 00000000508fd000 CR4: 00000000000006f0
[ 1179.233562] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1179.233565] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 1179.233567] Process mount (pid: 1865, threadinfo ffff880050882000, task ffff88007aef5bc0)
[ 1179.233569] Stack:
[ 1179.233571] ffffffff8114bd12 ffff880050883be8 ffffffff8114bd12 0000000000000001
[ 1179.233575] <0> ffff88005a7ea540 ffff880050883bf8 ffffffffa04f8276 0000000000000000
[ 1179.233578] <0> ffff8800457dc000 ffff880050883c28 ffffffff8114be52 ffff880050883c38
[ 1179.233582] Call Trace:
[ 1179.233592] [<ffffffff8114bd12>] ? __lookup_hash+0x102/0x160
[ 1179.233595] [<ffffffff8114bd12>] ? __lookup_hash+0x102/0x160
[ 1179.233599] [<ffffffff8114be52>] lookup_one_len+0x82/0xc0
[ 1179.233602] [<ffffffff8114be52>] ? lookup_one_len+0x82/0xc0
[ 1179.233616] [<ffffffffa04f0124>] reiserfs_xattr_init+0x174/0x1a0 [reiserfs]
[ 1179.233623] [<ffffffffa04db5dc>] reiserfs_fill_super+0x87c/0xaa0 [reiserfs]
[ 1179.233627] [<ffffffff81143371>] get_sb_bdev+0x191/0x1d0
[ 1179.233633] [<ffffffffa04dad60>] ? reiserfs_fill_super+0x0/0xaa0 [reiserfs]
[ 1179.233638] [<ffffffff81137f50>] ? __alloc_percp...

Read more...

Changed in linux (Ubuntu):
status: Incomplete → New
Jeremy Foshee (jeremyfoshee) wrote :

Hi Eugene,

Please be sure to confirm this issue exists with the latest development release of Ubuntu. ISO CD images are available from http://cdimage.ubuntu.com/releases/lucid . If the issue remains, please run the following command from a Terminal (Applications->Accessories->Terminal). It will automatically gather and attach updated debug information to this report.

apport-collect -p linux 367789

Also, if you could test the latest upstream kernel available that would be great. It will allow additional upstream developers to examine the issue. Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Once you've tested the upstream kernel, please remove the 'needs-upstream-testing' tag. This can be done by clicking on the yellow pencil icon next to the tag located at the bottom of the bug description and deleting the 'needs-upstream-testing' text. Please let us know your results.

Thanks in advance.

[This is an automated message. Apologies if it has reached you inappropriately; please just reply to this message indicating so.]

tags: added: needs-kernel-logs
tags: added: needs-upstream-testing
tags: added: kj-triage
Changed in linux (Ubuntu):
status: New → Incomplete
Evgeny Kapun (abacabadabacaba) wrote :

In Lucid, it's all just the same.

[ 28.218806] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 28.219416] IP: [<(null)>] (null)
[ 28.219916] *pde = 1775c067 *pte = 00000000
[ 28.220177] Oops: 0000 [#1] SMP
[ 28.220177] last sysfs file: /sys/devices/platform/i8042/serio1/input/input3/event3/uevent
[ 28.220177] Modules linked in: reiserfs psmouse virtio_balloon serio_raw i2c_piix4 virtio_pci virtio_ring ne2k_pci floppy virtio 8390
[ 28.220177]
[ 28.220177] Pid: 473, comm: mount Not tainted (2.6.32-21-generic #32-Ubuntu)
[ 28.220177] EIP: 0060:[<00000000>] EFLAGS: 00000282 CPU: 0
[ 28.220177] EIP is at 0x0
[ 28.220177] EAX: df18821c EBX: e093b1c0 ECX: 00000000 EDX: df0a7198
[ 28.220177] ESI: fffffff4 EDI: df0a7198 EBP: d7689dc8 ESP: d7689dac
[ 28.220177] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[ 28.220177] Process mount (pid: 473, ti=d7688000 task=d7744ce0 task.ti=d7688000)
[ 28.220177] Stack:
[ 28.220177] c0212355 00000001 df18821c 00000000 df0a7110 e09409c5 d7689dd8 d7689df0
[ 28.220177] <0> c0212454 00000006 df0a7088 dc38d979 00000006 e09409c5 d757ea00 df0a7110
[ 28.220177] <0> 00000000 d7689e18 e0939790 e0940969 d757ea00 00000000 d7689e78 d7689e18
[ 28.220177] Call Trace:
[ 28.220177] [<c0212355>] ? __lookup_hash+0xc5/0x110
[ 28.220177] [<c0212454>] ? lookup_one_len+0x64/0x90
[ 28.220177] [<e0939790>] ? reiserfs_xattr_init+0x190/0x210 [reiserfs]
[ 28.220177] [<e0925931>] ? reiserfs_fill_super+0x7c1/0x9c0 [reiserfs]
[ 28.220177] [<c020aa42>] ? get_sb_bdev+0x162/0x1a0
[ 28.220177] [<e0925170>] ? reiserfs_fill_super+0x0/0x9c0 [reiserfs]
[ 28.220177] [<e0922356>] ? get_super_block+0x26/0x30 [reiserfs]
[ 28.220177] [<e0925170>] ? reiserfs_fill_super+0x0/0x9c0 [reiserfs]
[ 28.220177] [<c020a5b7>] ? vfs_kern_mount+0x67/0x170
[ 28.220177] [<c021eec7>] ? get_fs_type+0x97/0xb0
[ 28.220177] [<c020a71e>] ? do_kern_mount+0x3e/0xe0
[ 28.220177] [<c0221fd3>] ? do_mount+0x1c3/0x200
[ 28.220177] [<c022207b>] ? sys_mount+0x6b/0xa0
[ 28.220177] [<c01033ec>] ? syscall_call+0x7/0xb
[ 28.220177] Code: Bad EIP value.
[ 28.220177] EIP: [<00000000>] 0x0 SS:ESP 0068:d7689dac
[ 28.220177] CR2: 0000000000000000
[ 28.236691] ---[ end trace 408bab79fd0392c0 ]---

Changed in linux (Ubuntu):
status: Incomplete → New
Brad Figg (brad-figg) on 2011-05-04
tags: added: b73a1py79
Brad Figg (brad-figg) wrote :

This bug was filed against a series that is no longer supported and so is being marked as Won't Fix. If this issue still exists in supported series, ple
ase file a new bug.

Changed in linux (Ubuntu):
status: New → Won't Fix
Brad Figg (brad-figg) on 2011-05-04
tags: removed: b73a1py79
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers