Most recent kernel where this bug did not occur: None
Distribution:
Hardware Environment: mips
Software Environment: uCLinux
Problem Description: NTFS write support crashes in ntfs_flush_dcache_pages

I am mounting a 160GB drive with

    mount -t ntfs /dev/sda1 /var/tmp

and copied a file usbtree.txt to usb.if, which already exists on my hard drive. The ntfs_flush_dcache_pages() loop:

    BUG_ON(!nr_pages);
    do {
        /*
         * Warning: Do not do the decrement at the same time as the
         * call because flush_dcache_page() is a NULL macro on i386
         * and hence the decrement never happens.
         */
        flush_dcache_page(pages[nr_pages]);    <==== CRASH HERE!!!
    } while (--nr_pages > 0);

I have only 1 page to write, so nr_pages is 1. The page that it should flush is pages[0] instead of pages[nr_pages], which is pages[1] in this case. Because pages[1] is not initialized properly, it crashes when I try to copy a file from one to another. If I modify the code to be like this:

    while (--nr_pages > 0) {
        flush_dcache_page(pages[nr_pages]);
    }

it works correctly for me. The file copy is successful.
Below is a capture of the crash and some of my memory dumps using printk:

    /var/tmp # cp usbtree.txt usb.if
    __ntfs_grab_cache_pages nr_pages 1 page[nr] 0 pages 81243cd0 nr 0
    *cached_page 81027140 page[nr] 81027140 pages 81243cd0 nr 0
    ntfs_copy_from_user nr pages 1 bytes 1000 kaddr 8138a000 ofs 0 buf 7fac4a90 len 1000
    pages 81243cd0 *pages 81027140 last_page 81243cd4 *last_page 805e4dd7    <====== uninitialized data
    kmap_atomic(*last_page, KM_USER0) 2f26e000    <===== uninitialized, causing crash
    ntfs_flush_dcache_pages(81243cd0,1) pages 81243cd0 *page 81027140 nr_pages 1
    pages[0] 81027140 nr_pages 1
    pages[1] 805e4dd7 nr_pages 1
    CPU 0 Unable to handle kernel paging request at virtual address 2f26e000, epc == 80c
    Oops[#1]:
    Cpu 0
    $ 0 : 00000000 00000008 805e0000 2f26f000
    $ 4 : 2f26e000 805e4dd7 804f80b0 00000000
    $ 8 : 0001884a 804f8088 805e0000 805e0000
    $12 : 805f0000 00000000 805e4a0b 00000010
    $16 : 00000000 81243cd0 804a4f58 00001000
    $20 : 804a4f30 804a4f0c 81243cd0 805e2ae0
    $24 : 81243af8 8010f5a8
    $28 : 81242000 81243c78 81243cd4 801fb21c
    Hi : 00000084
    Lo : 9ba54a00
    epc : 8010f5b0 r4k_blast_dcache_page_dc32+0x8/0xa0 Not tainted
    ra : 801fb21c ntfs_file_aio_write_nolock+0xaf4/0x1630
    Status: 11005303 KERNEL EXL IE
    Cause : 00800008
    BadVA : 2f26e000
    PrId : 00019522
    Modules linked in:
    Process cp (pid: 94, threadinfo=81242000, task=87d193f8)
    Stack : 81243cd0 805e4dd7 00000001 81243cd4 00001000 ffffffff 00000000 00000000
            00001000 805e0000 805f0000 00000000 805e4a0d 00000010 000184ab 000184ab
            00000001 80500000 ffffffa1 80500000 80500000 804f8088 81027140 805e4dd7
            805e0000 80124138 81242000 81243d08 805e0000 801244fc 11005303 00000084
            9ba54a00 000184ab 50804100 8012450c 00000400 805e49d8 00000001 00000000
            ...
    Call Trace:
     [<80124138>] __call_console_drivers+0x80/0xb0
     [<801244fc>] release_console_sem+0xe4/0x310
     [<8012450c>] release_console_sem+0xf4/0x310
     [<80124a7c>] vprintk+0x354/0x438
     [<801fc0ac>] ntfs_file_writev+0x11c/0x2c8
     [<8010ce08>] do_page_fault+0x378/0x3f0
     [<8010cbe0>] do_page_fault+0x150/0x3f0
     [<8013eec8>] autoremove_wake_function+0x0/0x48
     [<801fc274>] ntfs_file_write+0x1c/0x28
     [<8016aa68>] vfs_write+0x1b8/0x1d0
     [<8016a688>] vfs_read+0x100/0x1d0
     [<8016ab74>] sys_write+0x54/0xa0
     [<80169a18>] do_sys_open+0xf8/0x148
     [<8010b3a0>] stack_done+0x20/0x3c

    Code: 00000000 24831000 00000000 <bc950000> bc950020 bc950040 bc950060 bc95008
    Segmentation fault

Below is a capture of the crash. My parameters at the time is nr_page
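The index arithmetic behind the report, as an added example that is not part of the original report and not the kernel's NTFS code: three loop shapes over a page-pointer array, traced to show which slots each one reads. indices_original mirrors the do/while quoted from ntfs_flush_dcache_pages(), indices_reporter mirrors the loop the reporter substituted, and indices_countdown is an assumed correct shape (decrement in its own statement, then index, so the i386 no-op macro warning in the kernel comment still holds); it is not the patch Anton submitted, which this page does not show. The function names, the MAX_PAGES bound and the stand-in "trace" in place of a real flush are all assumptions made for the example. oob_index() reports the first slot read outside [0, nr_pages), and covers_all() reports whether every valid slot is read exactly once.

```c
#include <stdio.h>

#define MAX_PAGES 16   /* assumed bound for the example; the kernel code has no such array */

/* A generator writes the page indices a loop shape would read into out[] and returns how many. */
typedef int (*index_gen)(int nr_pages, int *out, int cap);

/* Loop shape quoted in the report: reads pages[nr_pages] first, then down to pages[1]. */
static int indices_original(int nr_pages, int *out, int cap)
{
    int n = 0;
    do {
        if (n < cap)
            out[n] = nr_pages;      /* pages[nr_pages] is one past the last valid slot */
        n++;
    } while (--nr_pages > 0);
    return n;
}

/* Loop shape the reporter substituted: pre-decrement, stop as soon as the counter hits 0. */
static int indices_reporter(int nr_pages, int *out, int cap)
{
    int n = 0;
    while (--nr_pages > 0) {
        if (n < cap)
            out[n] = nr_pages;
        n++;
    }
    return n;
}

/* Assumed correct shape (not the submitted patch): decrement in a separate statement, then index. */
static int indices_countdown(int nr_pages, int *out, int cap)
{
    int n = 0;
    do {
        --nr_pages;                 /* own statement, so a no-op flush macro cannot drop it */
        if (n < cap)
            out[n] = nr_pages;
        n++;
    } while (nr_pages > 0);
    return n;
}

/* First index outside [0, nr_pages) that the loop reads, or -1 if it stays in bounds. */
static int oob_index(index_gen gen, int nr_pages)
{
    int idx[MAX_PAGES + 1];
    int n = gen(nr_pages, idx, MAX_PAGES + 1);
    for (int i = 0; i < n && i < MAX_PAGES + 1; i++)
        if (idx[i] < 0 || idx[i] >= nr_pages)
            return idx[i];
    return -1;
}

/* 1 if the loop reads every index in [0, nr_pages) exactly once and nothing else, else 0. */
static int covers_all(index_gen gen, int nr_pages)
{
    int idx[MAX_PAGES + 1], seen[MAX_PAGES] = {0};
    if (nr_pages < 1 || nr_pages > MAX_PAGES)
        return 0;
    int n = gen(nr_pages, idx, MAX_PAGES + 1);
    if (n > MAX_PAGES + 1)
        return 0;
    for (int i = 0; i < n; i++)
        if (idx[i] < 0 || idx[i] >= nr_pages || seen[idx[i]]++)
            return 0;
    for (int i = 0; i < nr_pages; i++)
        if (!seen[i])
            return 0;
    return 1;
}

static void show(const char *name, index_gen gen, int nr_pages)
{
    int idx[MAX_PAGES + 1];
    int n = gen(nr_pages, idx, MAX_PAGES + 1);
    printf("%-10s nr_pages=%d reads:", name, nr_pages);
    for (int i = 0; i < n; i++)
        printf(" pages[%d]", idx[i]);
    printf("  oob=%d covers_all=%d\n", oob_index(gen, nr_pages), covers_all(gen, nr_pages));
}

int main(void)
{
    /* The report's case: a single page, so pages[0] is the only valid slot. */
    show("original", indices_original, 1);
    show("reporter", indices_reporter, 1);
    show("countdown", indices_countdown, 1);
    /* A multi-page write, to see which shape touches every page once. */
    show("original", indices_original, 3);
    show("reporter", indices_reporter, 3);
    show("countdown", indices_countdown, 3);
    return 0;
}
```

With nr_pages = 1 the original shape reads pages[1], the slot holding the stale pointer 805e4dd7 in the dump above, which is exactly the read the oops reports; the countdown shape reads pages[0] only.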
Hi, Thanks a lot for the report and detailed analysis! I have now submitted a patch to Linus/Andrew fixing this. Best regards, Anton