Trond Myklebust <[email protected]> wrote:
>
> On Thu, 2006-04-20 at 11:14 -0700, Robert Merrill wrote:
> > > Oh... and could you also send us the Oops/stack trace from the BUG_ON()?
> > >
> > ------------[ cut here ]------------
> > kernel BUG at arch/i386/lib/usercopy.c:582!
> > invalid operand: 0000 [#49]
> > SMP
> > Modules linked in: w83627hf eeprom lm85 w83781d hwmon_vid i2c_isa
> > i2c_dev thermal fan button processor ac battery nfs lockd nfs_acl
> > sunrpc ipv6 quota_v1 ide_cd cdrom generic joydev piix psmouse evdev
> > uhci_hcd ehci_hcd parport_pc parport e1000 rtc serio_raw floppy
> > usbcore i2c_i801 ide_core i2c_core mousedev pcspkr shpchp pci_hotplug
> > CPU: 2
> > EIP: 0060:[<c01ff157>] Not tainted VLI
> > EFLAGS: 00010282 (2.6.15.7-soda0)
> > EIP is at __copy_from_user_ll+0x12/0xe2
> > eax: 00000000 ebx: 00000003 ecx: fffffffb edx: fffffffb
> > esi: 0804a024 edi: 00000000 ebp: 00000000 esp: f6964f84
> > ds: 007b es: 007b ss: 0068
> > Process a.out (pid: 6994, threadinfo=f6964000 task=f70e7030)
> > Stack: fffffffb b7f55ff4 f893c2a0 00000000 0804a024 fffffffb fffffffb 000000d0
> > f70e7030 00000003 0804a024 b7f55ff4 f6964000 f893dc1d 00000003 0804a024
> > 00004000 0804a024 b7f55ff4 bf973d50 ffffffda 0000007b c010007b 000000dc
> > Call Trace:
> > Code: 07 29 c8 f3 a4 89 c1 c1 e9 02 83 e0 03 90 f3 a5 89 c1 f3 a4 89
> > c8 5e 5f c3 57 56 8b 7c 24 0c 8b 74 24 10 8b 4c 24 14 85 c9 79 08 <0f>
> > 0b 46 02 63 92 2f c0 83 f9 3f 0f 86 99 00 00 00 89 f8 31 f0
>
> Was there no stack trace in that Oops? AFAICS, getdents64() isn't
> supposed to be calling __copy_from_user_ll() at all, so you appear to
> have something very weird going here.
I'd be guessing that filldir64() was passed a negative namlen.
Perhaps Robert could test this:
--- devel/fs/readdir.c~a 2006-04-21 00:54:33.000000000 -0700
+++ devel-akpm/fs/readdir.c 2006-04-21 00:54:58.000000000 -0700
@@ -231,6 +231,10 @@ static int filldir64(void * __buf, const
buf->error = -EINVAL; /* only used if we fail.. */
if (reclen > buf->count)
return -EINVAL;
+ if (namlen < 0) {
+ dump_stack();
+ return -EINVAL;
+ }
dirent = buf->previous;
if (dirent) {
if (__put_user(offset, &dirent->d_off))
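Review bot: In the filldir64() hunk the new `namlen < 0` test is placed after the existing `if (reclen > buf->count)` comparison, so the bound check has already run by the time the bad length is rejected. If reclen is derived from namlen (that code is above the hunk and not visible here), a negative namlen has already fed into it. Suggest moving the test to the top of the function, before reclen is used. Also, dump_stack() prints a trace with no message saying why: a printk of the namlen value next to it would make the report easier to act on, and the dump should be rate-limited or dropped if the check stays in beyond debugging.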
_
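A user-space model of the negative-namlen hypothesis above, added here as an illustration; it is not code from the kernel or from this thread. It assumes the record length is computed as header plus name plus NUL rounded up to 8 bytes, and the names model_dirent64 and model_fill are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user-space stand-in for a 64-bit directory record. */
struct model_dirent64 {
    uint64_t d_ino;
    int64_t d_off;
    unsigned short d_reclen;
    unsigned char d_type;
    char d_name[];
};

/* Assumed sizing rule: header + name + NUL, rounded up to 8 bytes. */
#define MODEL_NAME_OFFSET ((int)offsetof(struct model_dirent64, d_name))
#define MODEL_ROUND_UP8(x) (((x) + 7) & ~7)

/*
 * Model of the length handling in a filldir-style callback.
 * guard != 0 rejects a negative namlen before anything else uses it.
 * On success, *copy_len is the byte count a copy routine would receive.
 */
int model_fill(int namlen, int count, int guard, unsigned long *copy_len)
{
    int reclen;

    if (guard && namlen < 0)
        return -EINVAL;
    reclen = MODEL_ROUND_UP8(MODEL_NAME_OFFSET + namlen + 1);
    if (reclen > count)   /* a small negative namlen still gives a small reclen */
        return -EINVAL;
    *copy_len = (unsigned long)namlen;   /* -5 converts to 0x...fffffffb */
    return 0;
}

int main(void)
{
    unsigned long n = 0;
    int rc = model_fill(-5, 4096, 0, &n);   /* constructed input */
    printf("unguarded: rc=%d copy_len=%#lx\n", rc, n);
    rc = model_fill(-5, 4096, 1, &n);
    printf("guarded:   rc=%d\n", rc);
    return 0;
}
```

With namlen = -5 the unguarded path passes the buffer-size test and hands the copy a length whose low 32 bits are fffffffb, the value shown in ecx and edx in the quoted oops.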