From patchwork Mon Mar 9 08:26:17 2020
X-Patchwork-Submitter: lishan
X-Patchwork-Id: 11440423
References: <1d38573d-61c7-be60-334e-c263caf7465c@huawei.com>
To: Mark Fasheh, Joel Becker, Joseph Qi
From: lishan
Date: Mon, 9 Mar 2020 16:26:17 +0800
Cc: ocfs2-devel
Subject: [Ocfs2-devel] [PATCH] ocfs2: fix a null pointer dereference in ocfs2_block_group_clear_bits()

A NULL pointer dereference panic in ocfs2_block_group_clear_bits() has happened again.
The NULL pointer stack information is as follows:

PID: 81866  TASK: ffffa07c3c21ae80  CPU: 66  COMMAND: "fallocate"
 #0 [ffff0000b4d6b0b0] machine_kexec at ffff0000800a2954
 #1 [ffff0000b4d6b110] __crash_kexec at ffff0000801bab34
 #2 [ffff0000b4d6b2a0] panic at ffff0000800f02cc
 #3 [ffff0000b4d6b380] die at ffff00008008f6ac
 #4 [ffff0000b4d6b3d0] bug_handler at ffff00008008f744
 #5 [ffff0000b4d6b400] brk_handler at ffff000080085d1c
 #6 [ffff0000b4d6b420] do_debug_exception at ffff000080081194
 #7 [ffff0000b4d6b630] el1_dbg at ffff00008008332c
     PC: ffff00000190e9c0  [_ocfs2_free_suballoc_bits+1608]
     LR: ffff00000190e990  [_ocfs2_free_suballoc_bits+1560]
     SP: ffff0000b4d6b640  PSTATE: 60400009
    X29: ffff0000b4d6b650  X28: 0000000000000000  X27: 00000000000052f3
    X26: ffff807c511a9570  X25: ffff807ca0054000  X24: 00000000000052f2
    X23: 0000000000000001  X22: ffff807c7cde7a90  X21: ffff0000811d9000
    X20: ffff807c5e7d2000  X19: ffff00000190c768  X18: 0000000000000000
    X17: 0000000000000000  X16: ffff000080a032f0  X15: 0000000000000000
    X14: ffffffffffffffff  X13: fffffffffffffff7  X12: ffffffffffffffff
    X11: 0000000000000038  X10: 0101010101010101   X9: ffffffffffffffff
     X8: 7f7f7f7f7f7f7f7f   X7: 0000000000000000   X6: 0000000000000080
     X5: 0000000000000000   X4: 0000000000000002   X3: ffff00000199f390
     X2: a603c08321456e00   X1: ffff807c7cde7a90   X0: 0000000000000000
 #8 [ffff0000b4d6b650] _ocfs2_free_suballoc_bits at ffff00000190e9bc [ocfs2]
 #9 [ffff0000b4d6b710] _ocfs2_free_clusters at ffff0000019110d4 [ocfs2]
#10 [ffff0000b4d6b790] ocfs2_free_clusters at ffff000001913e94 [ocfs2]
#11 [ffff0000b4d6b7d0] __ocfs2_flush_truncate_log at ffff0000018b5294 [ocfs2]
#12 [ffff0000b4d6b8a0] ocfs2_remove_btree_range at ffff0000018bb34c [ocfs2]
#13 [ffff0000b4d6b960] ocfs2_commit_truncate at ffff0000018bc76c [ocfs2]
#14 [ffff0000b4d6ba60] ocfs2_wipe_inode at ffff0000018e57bc [ocfs2]
#15 [ffff0000b4d6bb00] ocfs2_evict_inode at ffff0000018e5db8 [ocfs2]
#16 [ffff0000b4d6bb70] evict at ffff000080365040
#17 [ffff0000b4d6bba0] iput at ffff0000803655d8
#18 [ffff0000b4d6bbe0] ocfs2_dentry_iput at ffff0000018c60a0 [ocfs2]
#19 [ffff0000b4d6bc30] dentry_unlink_inode at ffff00008035ef58
#20 [ffff0000b4d6bc50] __dentry_kill at ffff000080360384
#21 [ffff0000b4d6bc80] dentry_kill at ffff000080360670
#22 [ffff0000b4d6bcb0] dput at ffff00008036093c
#23 [ffff0000b4d6bcf0] __fput at ffff000080343930
#24 [ffff0000b4d6bd40] ____fput at ffff000080343aac
#25 [ffff0000b4d6bd60] task_work_run at ffff0000801172fc

The direct cause of the panic is that bh2jh(group_bh)->b_committed_data is NULL. Presumably the network was disconnected during the write process, which aborted the transaction and made jbd2 clear b_committed_data, as follows:

jbd2_journal_abort
  .......
  jbd2_journal_commit_transaction
    jh->b_committed_data = NULL;

_ocfs2_free_suballoc_bits
  ocfs2_block_group_clear_bits
    // undo_bg is now NULL
    BUG_ON(!undo_bg);

When allocating free space, a NULL b_committed_data means the bit is treated as directly allocatable, as follows:

ocfs2_cluster_group_search
  ocfs2_block_group_find_clear_bits
    ocfs2_test_bg_bit_allocatable:
      bg = (struct ocfs2_group_desc *) bh2jh(bg_bh)->b_committed_data;
      if (bg)
        ret = !ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap);
      else
        ret = 1;

b_committed_data is an intermediate backup of the bitmap taken while a transaction commit is in flight, and newly allocated space may overwrite previously dirty data. So I think that, when freeing clusters, a NULL b_committed_data should simply be ignored. Panicking the whole host is too drastic.
Signed-off-by: Shan Li
Reviewed-by: Jun Piao
---
 fs/ocfs2/suballoc.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 939df99d2dec..aaf1b3cbd984 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -2412,14 +2412,19 @@ static int ocfs2_block_group_clear_bits(handle_t *handle,
 	if (undo_fn) {
 		spin_lock(&jh->b_state_lock);
 		undo_bg = (struct ocfs2_group_desc *) jh->b_committed_data;
-		BUG_ON(!undo_bg);
+		if (!undo_bg)
+			mlog(ML_NOTICE, "%s: group descriptor # %llu (device %s) journal "
+			     "b_committed_data had been cleared.\n",
+			     OCFS2_SB(alloc_inode->i_sb)->uuid_str,
+			     (unsigned long long)le64_to_cpu(bg->bg_blkno),
+			     alloc_inode->i_sb->s_id);
 	}
 
 	tmp = num_bits;
 	while(tmp--) {
 		ocfs2_clear_bit((bit_off + tmp),
 				(unsigned long *) bg->bg_bitmap);
-		if (undo_fn)
+		if (undo_fn && undo_bg)
 			undo_fn(bit_off + tmp,
 				(unsigned long *) undo_bg->bg_bitmap);
 	}