Bug 6700 - ntfs_flush_dcache_pages causes segmentation fault
Summary: ntfs_flush_dcache_pages causes segmentation fault
Status: CLOSED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: Other
Hardware: i386 Linux
Importance: P2 high
Assignee: Anton Altaparmakov
URL:
Keywords:
Depends on:
Blocks:
Reported: 2006-06-16 17:30 UTC by Pauline Ng
Modified: 2006-06-20 00:23 UTC

See Also:
Kernel Version: 2.6
Subsystem:
Regression: ---
Bisected commit-id:


Attachments

Description Pauline Ng 2006-06-16 17:30:17 UTC
Most recent kernel where this bug did not occur: None
Distribution:
Hardware Environment: mips
Software Environment: uCLinux
Problem Description: NTFS write support crashes in ntfs_flush_dcache_pages

I mounted a 160GB drive with

mount -t ntfs /dev/sda1 /var/tmp

and copied a file, usbtree.txt, to usb.if, which already
exists on my hard drive.

In ntfs_flush_dcache_pages():

	BUG_ON(!nr_pages);
	do {
		/*
		 * Warning: Do not do the decrement at the same time as the
		 * call because flush_dcache_page() is a NULL macro on i386
		 * and hence the decrement never happens.
		 */
		flush_dcache_page(pages[nr_pages]);   <====CRASH HERE!!!
	} while (--nr_pages > 0);


I have only 1 page to write, so nr_pages is 1.
The page that it should flush is pages[0],
not pages[nr_pages], which is pages[1] in this case.
Because pages[1] is not initialized properly,
it crashes when I try to copy a file from one to another.
If I modify the code to be
like this

	do {
		/* Decrement before the call so that pages[0] is flushed too. */
		--nr_pages;
		flush_dcache_page(pages[nr_pages]);
	} while (nr_pages > 0);

It works correctly for me. The file copy is successful.

Below is a capture of the crash and some of my memory dumps
using printk.

/var/tmp # cp usbtree.txt usb.if
__ntfs_grab_cache_pages
nr_pages        1
page[nr]        0 pages 81243cd0 nr        0
*cached_page 81027140
page[nr] 81027140 pages 81243cd0 nr        0

ntfs_copy_from_user
nr pages        1 bytes     1000
kaddr 8138a000 ofs        0 buf 7fac4a90 len     1000
pages 81243cd0
*pages 81027140 
last_page 81243cd4
*last_page 805e4dd7 <====== uninitialized data
kmap_atomic(*last_page, KM_USER0) 2f26e000 <===== uninitialized causing crash

ntfs_flush_dcache_pages(81243cd0,1)
pages 81243cd0 
*page 81027140
nr_pages        1
pages[0] 81027140 nr_pages        1 
pages[1] 805e4dd7 nr_pages        1 
CPU 0 Unable to handle kernel paging request at virtual address 2f26e000, epc == 80c
Oops[#1]:
Cpu 0
$ 0   : 00000000 00000008 805e0000 2f26f000
$ 4   : 2f26e000 805e4dd7 804f80b0 00000000
$ 8   : 0001884a 804f8088 805e0000 805e0000
$12   : 805f0000 00000000 805e4a0b 00000010
$16   : 00000000 81243cd0 804a4f58 00001000
$20   : 804a4f30 804a4f0c 81243cd0 805e2ae0
$24   : 81243af8 8010f5a8
$28   : 81242000 81243c78 81243cd4 801fb21c
Hi    : 00000084
Lo    : 9ba54a00
epc   : 8010f5b0 r4k_blast_dcache_page_dc32+0x8/0xa0     Not tainted
ra    : 801fb21c ntfs_file_aio_write_nolock+0xaf4/0x1630
Status: 11005303    KERNEL EXL IE
Cause : 00800008
BadVA : 2f26e000
PrId  : 00019522
Modules linked in:
Process cp (pid: 94, threadinfo=81242000, task=87d193f8)
Stack : 81243cd0 805e4dd7 00000001 81243cd4 00001000 ffffffff 00000000 00000000
        00001000 805e0000 805f0000 00000000 805e4a0d 00000010 000184ab 000184ab
        00000001 80500000 ffffffa1 80500000 80500000 804f8088 81027140 805e4dd7
        805e0000 80124138 81242000 81243d08 805e0000 801244fc 11005303 00000084
        9ba54a00 000184ab 50804100 8012450c 00000400 805e49d8 00000001 00000000
        ...
Call Trace:
 [<80124138>] __call_console_drivers+0x80/0xb0
 [<801244fc>] release_console_sem+0xe4/0x310
 [<8012450c>] release_console_sem+0xf4/0x310
 [<80124a7c>] vprintk+0x354/0x438
 [<801fc0ac>] ntfs_file_writev+0x11c/0x2c8
 [<8010ce08>] do_page_fault+0x378/0x3f0
 [<8010cbe0>] do_page_fault+0x150/0x3f0
 [<8013eec8>] autoremove_wake_function+0x0/0x48
 [<801fc274>] ntfs_file_write+0x1c/0x28
 [<8016aa68>] vfs_write+0x1b8/0x1d0
 [<8016a688>] vfs_read+0x100/0x1d0
 [<8016ab74>] sys_write+0x54/0xa0
 [<80169a18>] do_sys_open+0xf8/0x148
 [<8010b3a0>] stack_done+0x20/0x3c


Code: 00000000  24831000  00000000 <bc950000> bc950020  bc950040  bc950060  bc95008
Segmentation fault

Below is a capture of the crash

My parameters at the time are
nr_page
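The off-by-one described in this report, as an added example that is not part of the bug report or of the kernel source: a user-space model of the flush loop with a recording stand-in for flush_dcache_page(). The page array, the NULL sentinel standing in for the garbage pointer at pages[1], the record_flush() helper and the flush_dcache_page_noop macro are all constructed for this example. It shows that the quoted loop reads one slot past the last valid entry and never reaches pages[0], that moving the decrement before the call visits exactly slots nr_pages-1 down to 0, and why the kernel comment warns against decrementing inside the call when the flush is an empty macro.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_PAGES 8

/* Constructed stand-in for struct page: the tag identifies the slot. */
struct page { unsigned tag; };

/* Result of one loop variant: bit i set means pages[i] was flushed;
 * bad is set when the loop dereferenced the uninitialised slot. */
struct trace { unsigned mask; int bad; };

/* Stand-in for flush_dcache_page(): records the slot instead of touching
 * the cache. A NULL entry plays the role of the garbage pointer the report
 * dumps at pages[1] while nr_pages is 1. */
static void record_flush(struct trace *t, struct page *p)
{
    if (p == NULL) {
        t->bad = 1;                 /* the kernel oopses at this point */
        return;
    }
    t->mask |= 1u << p->tag;
}

/* Fill pages[0..nr_pages-1] with valid entries and leave pages[nr_pages]
 * as the one-past-the-end slot the caller never initialised. */
static void build_pages(struct page **pages, struct page *storage, unsigned nr_pages)
{
    for (unsigned i = 0; i < nr_pages; i++) {
        storage[i].tag = i;
        pages[i] = &storage[i];
    }
    pages[nr_pages] = NULL;
}

/* The loop as quoted in the report: the first iteration reads
 * pages[nr_pages], one past the last valid entry, and pages[0] is never
 * reached because the loop stops once nr_pages drops to 0. */
static struct trace flush_original(unsigned nr_pages)
{
    struct page storage[MAX_PAGES];
    struct page *pages[MAX_PAGES + 1];
    struct trace t = { 0, 0 };

    build_pages(pages, storage, nr_pages);
    do {
        record_flush(&t, pages[nr_pages]);
    } while (--nr_pages > 0);
    return t;
}

/* Corrected loop: decrement before the call, so the slots visited are
 * nr_pages-1 down to 0, and the decrement is a statement of its own rather
 * than part of the call's argument. */
static struct trace flush_fixed(unsigned nr_pages)
{
    struct page storage[MAX_PAGES];
    struct page *pages[MAX_PAGES + 1];
    struct trace t = { 0, 0 };

    build_pages(pages, storage, nr_pages);
    do {
        --nr_pages;
        record_flush(&t, pages[nr_pages]);
    } while (nr_pages > 0);
    return t;
}

/* Stand-in for a build where flush_dcache_page() is an empty macro (the
 * i386 case the kernel comment warns about): the argument is never evaluated. */
#define flush_dcache_page_noop(page) do { } while (0)

/* Decrementing inside the argument of that macro loses the decrement, so
 * nr_pages never reaches 0. Returns the iteration count at which the
 * safety guard stops what would otherwise be an endless loop. */
static unsigned decrement_inside_call_iterations(unsigned nr_pages, unsigned guard)
{
    struct page *pages[MAX_PAGES + 1] = { 0 };
    unsigned iterations = 0;

    (void)pages;                    /* only referenced inside the no-op macro */
    do {
        flush_dcache_page_noop(pages[--nr_pages]);
        iterations++;
    } while (nr_pages > 0 && iterations < guard);
    return iterations;
}

int main(void)
{
    struct trace a = flush_original(1), b = flush_fixed(1);

    printf("nr_pages=1  original: mask=%#x bad=%d   fixed: mask=%#x bad=%d\n",
           a.mask, a.bad, b.mask, b.bad);
    printf("decrement inside no-op macro, guard 100: %u iterations\n",
           decrement_inside_call_iterations(1, 100));
    return 0;
}
```

With nr_pages set to 1, the original loop records a bad access and flushes nothing, which matches the report's dump (pages[1] holds garbage, pages[0] is the only real page); the corrected loop flushes slot 0 only. With three pages the original variant flushes slots 2 and 1 but never slot 0, while the corrected one covers all three.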
Comment 1 Anton Altaparmakov 2006-06-20 00:23:18 UTC
Hi,

Thanks a lot for the report and detailed analysis!

I have now submitted a patch to Linus/Andrew fixing this.

Best regards,

Anton
