Re: NFS bug?

Trond Myklebust <[email protected]> wrote:
>
> On Thu, 2006-04-20 at 11:14 -0700, Robert Merrill wrote:
>  > > Oh... and could you also send us the Oops/stack trace from the BUG_ON()?
>  > >
>  >  ------------[ cut here ]------------
>  > kernel BUG at arch/i386/lib/usercopy.c:582!
>  > invalid operand: 0000 [#49]
>  > SMP
>  > Modules linked in: w83627hf eeprom lm85 w83781d hwmon_vid i2c_isa
>  > i2c_dev thermal fan button processor ac battery nfs lockd nfs_acl
>  > sunrpc ipv6 quota_v1 ide_cd cdrom generic joydev piix psmouse evdev
>  > uhci_hcd ehci_hcd parport_pc parport e1000 rtc serio_raw floppy
>  > usbcore i2c_i801 ide_core i2c_core mousedev pcspkr shpchp pci_hotplug
>  > CPU:    2
>  > EIP:    0060:[<c01ff157>]    Not tainted VLI
>  > EFLAGS: 00010282   (2.6.15.7-soda0)
>  > EIP is at __copy_from_user_ll+0x12/0xe2
>  > eax: 00000000   ebx: 00000003   ecx: fffffffb   edx: fffffffb
>  > esi: 0804a024   edi: 00000000   ebp: 00000000   esp: f6964f84
>  > ds: 007b   es: 007b   ss: 0068
>  > Process a.out (pid: 6994, threadinfo=f6964000 task=f70e7030)
>  > Stack: fffffffb b7f55ff4 f893c2a0 00000000 0804a024 fffffffb fffffffb 000000d0
>  >        f70e7030 00000003 0804a024 b7f55ff4 f6964000 f893dc1d 00000003 0804a024
>  >        00004000 0804a024 b7f55ff4 bf973d50 ffffffda 0000007b c010007b 000000dc
>  > Call Trace:
>  > Code: 07 29 c8 f3 a4 89 c1 c1 e9 02 83 e0 03 90 f3 a5 89 c1 f3 a4 89
>  > c8 5e 5f c3 57 56 8b 7c 24 0c 8b 74 24 10 8b 4c 24 14 85 c9 79 08 <0f>
>  > 0b 46 02 63 92 2f c0 83 f9 3f 0f 86 99 00 00 00 89 f8 31 f0
> 
>  Was there no stack trace in that Oops? AFAICS, getdents64() isn't
>  supposed to be calling __copy_from_user_ll() at all, so you appear to
>  have something very weird going here.

I'd be guessing that filldir64() was passed a negative namlen.

Perhaps Robert could test this:

--- devel/fs/readdir.c~a	2006-04-21 00:54:33.000000000 -0700
+++ devel-akpm/fs/readdir.c	2006-04-21 00:54:58.000000000 -0700
@@ -231,6 +231,10 @@ static int filldir64(void * __buf, const
 	buf->error = -EINVAL;	/* only used if we fail.. */
 	if (reclen > buf->count)
 		return -EINVAL;
+	if (namlen < 0) {
+		dump_stack();
+		return -EINVAL;
+	}
 	dirent = buf->previous;
 	if (dirent) {
 		if (__put_user(offset, &dirent->d_off))
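Review bot: the new `if (namlen < 0)` test sits after `if (reclen > buf->count) return -EINVAL;`, so any call that trips the reclen test first returns without reaching `dump_stack()` and the negative length goes unreported. Moving the namlen test above the reclen test would make sure every negative namlen is caught. Since `dump_stack()` alone does not record the offending value, a printk of namlen next to it would show how far out of range the length was and make the trace easier to match to the filesystem that passed it.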
_
