55081 – BUG while unlinking inode with an xattr

Bug 55081 - BUG while unlinking inode with an xattr

Summary: BUG while unlinking inode with an xattr

Status:	RESOLVED CODE_FIX

Alias:	None

Product:	File System
Classification:	Unclassified
Component:	ext2 (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	fs_ext2@kernel-bugs.osdl.org

URL:
Keywords:

Depends on:
Blocks:

Reported:	2013-03-11 18:47 UTC by Tyler Hicks
Modified:	2013-04-02 21:10 UTC (History)
CC List:	0 users

See Also:
Kernel Version:	3.9-rc2
Subsystem:
Regression:	Yes
Bisected commit-id:

Attachments
Fix BUG_ON in evict() (1.78 KB, patch) 2013-03-13 14:23 UTC, Jan Kara	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Description Tyler Hicks 2013-03-11 18:47:36 UTC

While running the eCryptfs regression test on 3.9-rc2, I hit a new BUG() when
eCryptf was mounted on top of ext2. I then determined that it was an
ext2-specific bug (doesn't happen on ext3, ext4, or other filesystems) and that
it happens without eCryptfs. So, I removed eCryptfs from the picture and
then distilled the test case down into a few commands.

Mount entry in /proc/mounts:

/dev/loop0 /tmp/ext2 ext2 rw,relatime,errors=continue,user_xattr,acl 0 0

Steps to reproduce:

$ cd /tmp/ext2
$ mkdir foo
$ setfacl -dm m:rwx foo
$ rm -rf foo

Note: I've also verified that the BUG is hit with a regular file and a user
xattr:

$ cd /tmp/ext2
$ touch foo
$ setfattr -n user.test -v test foo
$ rm foo

Relevant log entries (for the mkdir -> setfacl -> rm -rf reproducer):

------------[ cut here ]------------
kernel BUG at /var/scm/kernel/linux/fs/inode.c:570!
invalid opcode: 0000 [#1] PREEMPT SMP 
Modules linked in: ext2 fuse dm_crypt psmouse virtio_balloon nfsd nfs_acl auth_rpcgss nfs fscache lockd sunrpc btrfs raid6_pq lzo_compress xor zlib_deflate libcrc32c virtio_blk virtio_net virtio_pci virtio_ring virtio
CPU 0 
Pid: 2195, comm: rm Not tainted 3.9.0-rc2 #52 Bochs Bochs
RIP: 0010:[<ffffffff81184260>]  [<ffffffff81184260>] evict+0x190/0x1a0
RSP: 0018:ffff880073a1bdf8  EFLAGS: 00010202
RAX: ffff88007ff8dd38 RBX: ffff88007a237698 RCX: 0000000000000034
RDX: 0000000000000003 RSI: ffff88007a237768 RDI: ffff88007ff8dd00
RBP: ffff880073a1be10 R08: d018000000000000 R09: 007a2377680c0000
R10: ff67dca720d1da03 R11: 0000000000000001 R12: ffff88007a237720
R13: ffffffffa02788c0 R14: ffffffffa02788c0 R15: ffff88007d345d60
FS:  00007f6e29440700(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000878588 CR3: 00000000341ae000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process rm (pid: 2195, threadinfo ffff880073a1a000, task ffff880079b80000)
Stack:
 ffff88007a237698 ffff88007a237720 ffff8800779537b0 ffff880073a1be40
 ffffffff81184945 ffff88007a7be880 ffff88007a237698 ffff88007a261f80
 ffff88007a7be8e0 ffff880073a1be68 ffffffff811804f8 ffff88007a7be880
Call Trace:
 [<ffffffff81184945>] iput+0x105/0x1a0
 [<ffffffff811804f8>] d_kill+0xd8/0x120
 [<ffffffff81180cc2>] dput+0xe2/0x1d0
 [<ffffffff8116aaa6>] __fput+0x166/0x2f0
 [<ffffffff8116ac3e>] ____fput+0xe/0x10
 [<ffffffff810645e4>] task_work_run+0xb4/0xf0
 [<ffffffff810029d5>] do_notify_resume+0x75/0x80
 [<ffffffff81518c52>] int_signal+0x12/0x17
Code: 70 03 00 00 00 0f 84 4e ff ff ff 48 89 df e8 28 9f fe ff e9 41 ff ff ff 0f 1f 00 48 8d bb e0 01 00 00 31 f6 e8 62 87 f9 ff eb 92 <0f> 0b 0f 0b 0f 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 
RIP  [<ffffffff81184260>] evict+0x190/0x1a0
 RSP <ffff880073a1bdf8>
---[ end trace 2787ce3bd787beee ]---
BUG: sleeping function called from invalid context at /var/scm/kernel/linux/kernel/rwsem.c:20
in_atomic(): 1, irqs_disabled(): 0, pid: 2195, name: rm
INFO: lockdep is turned off.
Pid: 2195, comm: rm Tainted: G      D      3.9.0-rc2 #52
Call Trace:
 [<ffffffff8107626f>] __might_sleep+0xff/0x130
 [<ffffffff8150de24>] down_read+0x24/0x5c
 [<ffffffff8106ee5b>] ? __validate_process_creds+0x5b/0xf0
 [<ffffffff81058924>] exit_signals+0x24/0x130
 [<ffffffff8104695c>] do_exit+0xbc/0xaa0
 [<ffffffff81044bd1>] ? kmsg_dump+0x101/0x110
 [<ffffffff81044af5>] ? kmsg_dump+0x25/0x110
 [<ffffffff8151201b>] oops_end+0xab/0xf0
 [<ffffffff81005bc8>] die+0x58/0x90
 [<ffffffff8151189b>] do_trap+0x6b/0x170
 [<ffffffff81002f95>] do_invalid_op+0x95/0xb0
 [<ffffffff81184260>] ? evict+0x190/0x1a0
 [<ffffffff812eb17d>] ? trace_hardirqs_off_thunk+0x3a/0x3c
 [<ffffffff81511164>] ? restore_args+0x30/0x30
 [<ffffffff81519abb>] invalid_op+0x1b/0x20
 [<ffffffff81184260>] ? evict+0x190/0x1a0
 [<ffffffff811841c0>] ? evict+0xf0/0x1a0
 [<ffffffff81184945>] iput+0x105/0x1a0
 [<ffffffff811804f8>] d_kill+0xd8/0x120
 [<ffffffff81180cc2>] dput+0xe2/0x1d0
 [<ffffffff8116aaa6>] __fput+0x166/0x2f0
 [<ffffffff8116ac3e>] ____fput+0xe/0x10
 [<ffffffff810645e4>] task_work_run+0xb4/0xf0
 [<ffffffff810029d5>] do_notify_resume+0x75/0x80
 [<ffffffff81518c52>] int_signal+0x12/0x17
note: rm[2195] exited with preempt_count 1
BUG: scheduling while atomic: rm/2195/0x10000002
INFO: lockdep is turned off.
Modules linked in: ext2 fuse dm_crypt psmouse virtio_balloon nfsd nfs_acl auth_rpcgss nfs fscache lockd sunrpc btrfs raid6_pq lzo_compress xor zlib_deflate libcrc32c virtio_blk virtio_net virtio_pci virtio_ring virtio
Pid: 2195, comm: rm Tainted: G      D      3.9.0-rc2 #52
Call Trace:
 [<ffffffff81506890>] __schedule_bug+0x66/0x75
 [<ffffffff8150ed3f>] __schedule+0x89f/0x960
 [<ffffffff812e7592>] ? number.isra.1+0x322/0x360
 [<ffffffff81153188>] ? alloc_pages_current+0xb8/0x180
 [<ffffffff81077e88>] __cond_resched+0x18/0x30
 [<ffffffff8150ee7f>] _cond_resched+0x2f/0x40
 [<ffffffff811361f2>] unmap_single_vma+0x3f2/0x7f0
 [<ffffffff81136d59>] unmap_vmas+0x49/0x60
 [<ffffffff8113f228>] exit_mmap+0x88/0x150
 [<ffffffff8103e3f5>] mmput+0x65/0xe0
 [<ffffffff81046b34>] do_exit+0x294/0xaa0
 [<ffffffff81044bd1>] ? kmsg_dump+0x101/0x110
 [<ffffffff81044af5>] ? kmsg_dump+0x25/0x110
 [<ffffffff8151201b>] oops_end+0xab/0xf0
 [<ffffffff81005bc8>] die+0x58/0x90
 [<ffffffff8151189b>] do_trap+0x6b/0x170
 [<ffffffff81002f95>] do_invalid_op+0x95/0xb0
 [<ffffffff81184260>] ? evict+0x190/0x1a0
 [<ffffffff812eb17d>] ? trace_hardirqs_off_thunk+0x3a/0x3c
 [<ffffffff81511164>] ? restore_args+0x30/0x30
 [<ffffffff81519abb>] invalid_op+0x1b/0x20
 [<ffffffff81184260>] ? evict+0x190/0x1a0
 [<ffffffff811841c0>] ? evict+0xf0/0x1a0
 [<ffffffff81184945>] iput+0x105/0x1a0
 [<ffffffff811804f8>] d_kill+0xd8/0x120
 [<ffffffff81180cc2>] dput+0xe2/0x1d0
 [<ffffffff8116aaa6>] __fput+0x166/0x2f0
 [<ffffffff8116ac3e>] ____fput+0xe/0x10
 [<ffffffff810645e4>] task_work_run+0xb4/0xf0
 [<ffffffff810029d5>] do_notify_resume+0x75/0x80
 [<ffffffff81518c52>] int_signal+0x12/0x17

Comment 1 Jan Kara 2013-03-13 14:23:32 UTC

Created attachment 95331 [details]
Fix BUG_ON in evict()

This patch fixes the issue for me. I've added it to my tree and will push it to Linus soon.

Comment 2 Tyler Hicks 2013-04-02 21:10:33 UTC

Sorry for not getting around to verifying the fix until now. I tested 3.9-rc5 and it looks good. Thanks!

Note You need to log in before you can comment on or make changes to this bug.