Bug #19127

closed

NULL pointer dereference in ceph_readdir

Added by Zheng Yan about 7 years ago. Updated about 5 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version: -
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Crash signature (v1):
Crash signature (v2):

Description

[41775.962636] Oops: 0000 [#1] SMP
[41775.965783] Modules linked in: ceph libceph libcrc32c fscache binfmt_misc kvm_intel intel_rapl sb_edac edac_core x86_pkg_temp_thermal intel_powerclamp coretemp kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ipmi_ssif pcbc aesni_intel aes_x86_64 crypto_simd glue_helper cryptd joydev lpc_ich wmi ipmi_si ipmi_devintf acpi_power_meter ipmi_msghandler mei_me ioatdma mei acpi_pad shpchp ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp nfsd auth_rpcgss libiscsi nfs_acl scsi_transport_iscsi lockd grace lp sunrpc parport autofs4 btrfs xor raid6_pq hid_generic usbhid hid igb i2c_algo_bit ixgbe dca ahci ptp libahci pps_core nvme mdio nvme_core [last unloaded: kvm_intel]
[41776.027424] CPU: 5 PID: 6807 Comm: rm Not tainted 4.10.0-ceph-gbbcd1b20a189 #1
[41776.034694] Hardware name: Supermicro SYS-5018R-WR/X10SRW-F, BIOS 2.0 12/17/2015
[41776.042140] task: ffff99e6563ecc80 task.stack: ffffb6ddc4fe0000
[41776.048102] RIP: 0010:ceph_readdir+0xe8e/0x12c0 [ceph]
[41776.053273] RSP: 0018:ffffb6ddc4fe3db8 EFLAGS: 00010296
[41776.058528] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 00000000766ec7e6
[41776.065699] RDX: 0000000000000001 RSI: 00000000e736fbf5 RDI: ffff99e604ca01a0
[41776.072866] RBP: ffffb6ddc4fe3ea0 R08: 0000000000000000 R09: 0000000000000000
[41776.080034] R10: ffff99e6563ed4c8 R11: ffff99e6563ed4a0 R12: ffff99e604ca01a0
[41776.087201] R13: ffff99e604ca0120 R14: 0000000000000007 R15: ffffb6ddc4fe3ef0
[41776.094371] FS:  00007f1092840700(0000) GS:ffff99e67fd40000(0000) knlGS:0000000000000000
[41776.102515] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[41776.108297] CR2: 000000000000000c CR3: 00000008576f8000 CR4: 00000000003406e0
[41776.115468] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[41776.122633] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[41776.129804] Call Trace:
[41776.132285]  ? __might_fault+0x8c/0xa0
[41776.136063]  ? __might_fault+0x43/0xa0
[41776.139845]  iterate_dir+0xd3/0x1b0
[41776.143368]  SyS_getdents+0xa7/0x150
[41776.146977]  ? filldir64+0x150/0x150
[41776.150585]  entry_SYSCALL_64_fastpath+0x23/0xc6
[41776.155240] RIP: 0033:0x7f109232ed3b
[41776.158848] RSP: 002b:00007ffd4b373c30 EFLAGS: 00000206 ORIG_RAX: 000000000000004e
[41776.166470] RAX: ffffffffffffffda RBX: 0000000001077040 RCX: 00007f109232ed3b
[41776.173636] RDX: 0000000000010000 RSI: 00000000010792f0 RDI: 0000000000000003
[41776.180803] RBP: 0000000000000004 R08: 00007f109262b2f8 R09: 00007ffd4b373da4
[41776.187973] R10: 00000000010792b0 R11: 0000000000000206 R12: 0000000000000004
[41776.195139] R13: 0000000001077040 R14: 0000000000000000 R15: 00000000010899c0
[41776.202306] Code: 0f 84 75 02 00 00 48 3d 00 f0 ff ff 0f 87 8b 01 00 00 48 8b 98 d8 00 00 00 4c 8d a0 80 00 00 00 4c 89 e7 e8 05 0e ef c7 8b 45 80 <3b> 43 0c 75 a6 49 83 7d 58 00 74 9f 48 8b 4b 48 4d 8b 47 08 48 

Got this when running rm on the fsstress test directory on a 7 MDS cluster.

(gdb) l * ceph_readdir+0xe8e
0x952e is in ceph_readdir (fs/ceph/dir.c:235).
233            di = ceph_dentry(dentry);
234            spin_lock(&dentry->d_lock);
235            if (di->lease_shared_gen == shared_gen &&
236                d_really_is_positive(dentry) &&
237                fpos_cmp(ctx->pos, di->offset) <= 0) {
238                emit_dentry = true;
239            }
240            spin_unlock(&dentry->d_lock);