Bug 4771

Summary: Linux 2.6.11.10 + reiserfs + usrquota, reiserfs panic
Product: File System Reporter: Guillaume Pelat (gp)
Component: ReiserFSAssignee: Diego Calleja (diegocg)
Status: CLOSED CODE_FIX    
Severity: high CC: akpm, jack
Priority: P2    
Hardware: i386   
OS: Linux   
Kernel Version: 2.6.11.10 Subsystem:
Regression: --- Bisected commit-id:
Attachments: Patch hopefully fixing the bug - mark inode I_NEW when it's created
Patch fixing the above oops

Description Guillaume Pelat 2005-06-21 06:10:47 UTC 
Hardware Environment: AMD Athlon(tm) XP  3000+ , not smp
Software Environment: Reiserfs + usr quota enabled
Problem Description: 

ReiserFS: sda3: warning: vs-15011: reiserfs_release_objectid: tried to free free
object id (6924839)
ReiserFS: sda3: warning: vs-15011: reiserfs_release_objectid: tried to free free
object id (7809292)
ReiserFS: sda3: warning: vs-15011: reiserfs_release_objectid: tried to free free
object id (7809885)
ReiserFS: sda3: warning: vs-15011: reiserfs_release_objectid: tried to free free
object id (7810216)
ReiserFS: sda3: warning: vs-15011: reiserfs_release_objectid: tried to free free
object id (7811698)
ReiserFS: sda3: warning: vs-15011: reiserfs_release_objectid: tried to free free
object id (7812011)
ReiserFS: sda3: warning: vs-15011: reiserfs_release_objectid: tried to free free
object id (7812404)
ReiserFS: sda3: warning: vs-15011: reiserfs_release_objectid: tried to free free
object id (7813157)
ReiserFS: sda3: warning: vs-15011: reiserfs_release_objectid: tried to free free
object id (7813425)
ReiserFS: sda3: warning: vs-13060: reiserfs_update_sd: stat data of object
[5882601 5882606 0x0 SD] (nlink == 1) not found (pos 19)
ReiserFS: sda3: warning: vs-13060: reiserfs_update_sd: stat data of object
[5882601 5882606 0x0 SD] (nlink == 1) not found (pos 19)
ReiserFS: sda3: warning: vs-13060: reiserfs_update_sd: stat data of object
[5882601 5882606 0x0 SD] (nlink == 1) not found (pos 19)
ReiserFS: sda3: warning: vs-13060: reiserfs_update_sd: stat data of object
[5882601 5882606 0x0 SD] (nlink == 1) not found (pos 19)
ReiserFS: sda3: warning: vs-13060: reiserfs_update_sd: stat data of object
[5882601 5882606 0x0 SD] (nlink == 1) not found (pos 19)
ReiserFS: sda3: warning: vs-13060: reiserfs_update_sd: stat data of object
[5882601 5882606 0x0 SD] (nlink == 1) not found (pos 19)
ReiserFS: sda3: warning: vs-13060: reiserfs_update_sd: stat data of object
[5882601 5882606 0x0 SD] (nlink == 1) not found (pos 19)
ReiserFS: sda3: warning: vs-13060: reiserfs_update_sd: stat data of object
[5882601 5882606 0x0 SD] (nlink == 1) not found (pos 19)
ReiserFS: sda3: warning: vs-13060: reiserfs_update_sd: stat data of object
[5882601 5882606 0x0 SD] (nlink == 1) not found (pos 19)
ReiserFS: sda3: warning: vs-13060: reiserfs_update_sd: stat data of object
[5882601 5882606 0x0 SD] (nlink == 1) not found (pos 19)
ReiserFS: sda3: warning: vs-13060: reiserfs_update_sd: stat data of object
[5882601 5882606 0x0 SD] (nlink == 1) not found (pos 19)
ReiserFS: sda3: warning: vs-13060: reiserfs_update_sd: stat data of object
[5882601 5882606 0x0 SD] (nlink == 1) not found (pos 19)
ReiserFS: sda3: warning: vs-13060: reiserfs_update_sd: stat data of object
[5882601 5882606 0x0 SD] (nlink == 1) not found (pos 19)
ReiserFS: sda3: warning: vs-13060: reiserfs_update_sd: stat data of object
[5882601 5882606 0x0 SD] (nlink == 1) not found (pos 19)
ReiserFS: sda3: warning: vs-13060: reiserfs_update_sd: stat data of object
[5882601 5882606 0x0 SD] (nlink == 1) not found (pos 19)
TCP: Treason uncloaked! Peer 200.114.207.51:64840/80 shrinks window
2791985686:2792001470. Repaired.
ReiserFS: warning: vs-16090: direntry_bytes_number: bytes number is asked for
direntry
ReiserFS: warning: vs-16090: direntry_bytes_number: bytes number is asked for
direntry
REISERFS: panic (device Null superblock): free space 4024, entry_count 1

------------[ cut here ]------------
kernel BUG at fs/reiserfs/prints.c:362!
invalid operand: 0000 [#1]
CPU:    0
EIP:    0060:[<c019782f>]    Not tainted VLI
EFLAGS: 00010286   (2.6.11.10-endy)
EIP is at reiserfs_panic+0x4f/0x80
eax: 0000004d   ebx: c02be9bf   ecx: 00000001   edx: c02eecac
esi: 00000000   edi: 00000140   ebp: cfc65864   esp: cfc6584c
ds: 007b   es: 007b   ss: 0068
Process pure-ftpd (pid: 2473, threadinfo=cfc64000 task=f34bda40)
Stack: c02c3ee0 c02be9bf c03b3580 00000fb8 ef34a0c4 00000001 cfc6588c c01a993f
       00000000 c02c6ac0 00000fb8 00000001 00010000 00000000 ef34a01c 00000000
       cfc658e0 c0190233 ef34a01c 00000fd0 00000000 00000000 00000000 cfc658e0
Call Trace:
 [<c010282f>] show_stack+0x7f/0xa0
 [<c01029d1>] show_registers+0x151/0x1c0
 [<c0102bc8>] die+0xc8/0x150
 [<c010307c>] do_invalid_op+0xbc/0xd0
 [<c01024bb>] error_code+0x2b/0x30
 [<c01a993f>] direntry_check_left+0x8f/0x90
 [<c0190233>] get_num_ver+0x303/0x350
 [<c01912dc>] ip_check_balance+0x3ec/0xbb0
 [<c0192bcb>] fix_nodes+0x15b/0x420
 [<c019fdbf>] reiserfs_cut_from_item+0x10f/0x5f0
 [<c01a0638>] reiserfs_do_truncate+0x2e8/0x610
 [<c019f7bf>] reiserfs_delete_object+0x3f/0x80
 [<c018633c>] reiserfs_delete_inode+0x8c/0x110
 [<c015ed55>] generic_delete_inode+0x95/0x130
 [<c015ef96>] iput+0x56/0x80
 [<c018992a>] reiserfs_new_inode+0x13a/0x740
 [<c0184787>] reiserfs_create+0x97/0x1b0
 [<c0153ddf>] vfs_create+0x9f/0x120
 [<c01546c9>] open_namei+0x5d9/0x630
 [<c0144b8c>] filp_open+0x3c/0x60
 [<c0144ea6>] sys_open+0x46/0x90
 [<c0102313>] syscall_call+0x7/0xb
Code: 01 00 00 89 04 24 e8 31 fd ff ff c7 04 24 e0 3e 2c c0 85 f6 89 d8 0f 45 c7
ba 80 35 3b c0 8954 24 08 89 44 24 04 e8 f1 a9 f7 ff <0f> 0b 6a 01 02 ef 2b c0
c7 04 24 20 3f 2c c0 85 f6 b9 80 35 3b
Comment 1 Andrew Morton 2005-07-28 21:55:02 UTC 
Could you please retest 2.6.13-rc4?

Thanks.
Comment 2 Guillaume Pelat 2005-08-04 12:29:24 UTC 
Hi,

I retried with 2.6.13-rc4, but it doesnt seems to solve my problem.

Here's the new panic:

------------[ cut here ]------------
kernel BUG at fs/reiserfs/prints.c:362!
invalid operand: 0000 [#1]
CPU:    0
EIP:    0060:[<c019ae2f>]    Not tainted VLI
EFLAGS: 00010296   (2.6.13-rc4-endy)
EIP is at reiserfs_panic+0x4f/0x80
eax: 00000053   ebx: c02b8fde   ecx: 00000000   edx: c02dfdac
esi: 00000000   edi: 00000140   ebp: e75b383c   esp: e75b3824
ds: 007b   es: 007b   ss: 0068
Process pure-ftpd (pid: 12771, threadinfo=e75b2000 task=f091d530)
Stack: c02bd610 c02b8fde c03acdc0 00000fa0 c0971154 00000002 e75b3864 c01ac75f
       00000000 c02bf89c 00000fa0 00000002 00020000 00000000 c097101c 00000000
       e75b38b8 c01939d3 c097101c 00000fd0 00000000 00000000 00000000 00000000
Call Trace:
 [<c0102e5f>] show_stack+0x7f/0xa0
 [<c0103002>] show_registers+0x152/0x1c0
 [<c01031f8>] die+0xc8/0x140
 [<c0103325>] do_trap+0xb5/0xc0
 [<c010366c>] do_invalid_op+0xbc/0xd0
 [<c0102aa3>] error_code+0x4f/0x54
 [<c01ac75f>] direntry_check_left+0x8f/0x90
 [<c01939d3>] get_num_ver+0x303/0x350
 [<c01949ac>] ip_check_balance+0x3dc/0xbc0
 [<c0195948>] check_balance+0x58/0x70
 [<c019623b>] fix_nodes+0x15b/0x420
 [<c01a2daf>] reiserfs_cut_from_item+0x10f/0x570
 [<c01a359b>] reiserfs_do_truncate+0x2db/0x5e0
 [<c01a282f>] reiserfs_delete_object+0x3f/0x80
 [<c0189baf>] reiserfs_delete_inode+0xaf/0x150
 [<c0161835>] generic_delete_inode+0x95/0x130
 [<c0161a18>] generic_drop_inode+0x18/0x30
 [<c0161a86>] iput+0x56/0x80
 [<c018d07d>] reiserfs_new_inode+0x16d/0x7e0
 [<c0187d31>] reiserfs_create+0xc1/0x1f0
 [<c0156a4f>] vfs_create+0x9f/0x120
 [<c015732c>] open_namei+0x5cc/0x620
 [<c0146eac>] filp_open+0x3c/0x60
 [<c01471c5>] sys_open+0x55/0x90
 [<c0102889>] syscall_call+0x7/0xb
Code: 01 00 00 89 04 24 e8 31 fd ff ff c7 04 24 10 d6 2b c0 85 f6 89 d8 0f 45 c7
ba c0 cd 3a c0 89
54 24 08 89 44 24 04 e8 21 80 f7 ff <0f> 0b 6a 01 2f 95 2b c0 c7 04 24 34 d6 2b
c0 85 f6 be c0 cd 3
a
 Badness in do_exit at kernel/exit.c:787
 [<c0102e9e>] dump_stack+0x1e/0x30
 [<c0114fdc>] do_exit+0x2ec/0x300
 [<c010326f>] die+0x13f/0x140
 [<c0103325>] do_trap+0xb5/0xc0
 [<c010366c>] do_invalid_op+0xbc/0xd0
 [<c0102aa3>] error_code+0x4f/0x54
 [<c01ac75f>] direntry_check_left+0x8f/0x90
 [<c01939d3>] get_num_ver+0x303/0x350
 [<c01949ac>] ip_check_balance+0x3dc/0xbc0
 [<c0195948>] check_balance+0x58/0x70
 [<c019623b>] fix_nodes+0x15b/0x420
 [<c01a2daf>] reiserfs_cut_from_item+0x10f/0x570
 [<c01a359b>] reiserfs_do_truncate+0x2db/0x5e0
 [<c01a282f>] reiserfs_delete_object+0x3f/0x80
 [<c0189baf>] reiserfs_delete_inode+0xaf/0x150
 [<c0161835>] generic_delete_inode+0x95/0x130
 [<c0161a18>] generic_drop_inode+0x18/0x30
 [<c0161a86>] iput+0x56/0x80
 [<c018d07d>] reiserfs_new_inode+0x16d/0x7e0
 [<c0187d31>] reiserfs_create+0xc1/0x1f0
 [<c0156a4f>] vfs_create+0x9f/0x120
 [<c015732c>] open_namei+0x5cc/0x620
 [<c0146eac>] filp_open+0x3c/0x60
 [<c01471c5>] sys_open+0x55/0x90
 [<c0102889>] syscall_call+0x7/0xb
Comment 3 Jan Kara 2005-08-08 07:17:45 UTC 
I seems to me like the following is happening: we are trying to create new inode
- it fails (probably ENOSPC or EDQUOT). We try to undo what we've done.
reiserfs_delete_inode() expects inode to be marked I_NEW if it is not fully
initialized but neither new_inode() nor new_inode_init() mark the inode as
such... I'll attach completely untested patch against 2.6.13-rc6. I'll get into
testing it hopefully tomorrow...
Comment 4 Jan Kara 2005-08-08 07:19:26 UTC 
Created attachment 5549 [details]
Patch hopefully fixing the bug - mark inode I_NEW when it's created
Comment 5 Jan Kara 2005-08-10 05:50:30 UTC 
Created attachment 5580 [details]
Patch fixing the above oops

So I've looked so more into the problem. I've rewritten the patch as setting
I_NEW should use inode_lock and furthermore ReiserFS does not clear the flag...
In the new patch we just initialize objectid to 0 which should be enough to
make delete_inode() ignore the inode.
Comment 6 Jan Kara 2005-08-10 05:51:42 UTC 
PS: I've tested the patch and I'm not able to reproduce the oops any more.
Comment 7 Andrew Morton 2005-08-10 09:58:45 UTC 
bugme-daemon@kernel-bugs.osdl.org wrote:
>
> http://bugzilla.kernel.org/show_bug.cgi?id=4771
> 
> 
> 
> 
> 
> ------- Additional Comments From jack@suse.cz  2005-08-10 05:51 -------
> PS: I've tested the patch and I'm not able to reproduce the oops any more.
> 
> ------- You are receiving this mail because: -------
> You are on the CC list for the bug, or are watching someone who is.

Jan, could you please send that patch through to Linus when you're happy
with it, cc myself?   I'll be mostly offline for the next four days.

Thanks.
Comment 8 Jan Kara 2005-08-11 04:10:15 UTC 
OK, if Gillaume won't report any problems with it and nobody objects till
Friday, I'll send it to Linus.
Comment 9 Diego Calleja 2006-01-05 04:16:48 UTC 
The patch is in mainline. /me closes the bug since everybody is being too lazy ;)