Bug #19127: NULL pointer dereference in ceph_readdir
Status: closed
% Done: 0%
Regression: No
Severity: 3 - minor
Description
[41775.962636] Oops: 0000 [#1] SMP
[41775.965783] Modules linked in: ceph libceph libcrc32c fscache binfmt_misc kvm_intel intel_rapl sb_edac edac_core x86_pkg_temp_thermal intel_powerclamp coretemp kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ipmi_ssif pcbc aesni_intel aes_x86_64 crypto_simd glue_helper cryptd joydev lpc_ich wmi ipmi_si ipmi_devintf acpi_power_meter ipmi_msghandler mei_me ioatdma mei acpi_pad shpchp ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp nfsd auth_rpcgss libiscsi nfs_acl scsi_transport_iscsi lockd grace lp sunrpc parport autofs4 btrfs xor raid6_pq hid_generic usbhid hid igb i2c_algo_bit ixgbe dca ahci ptp libahci pps_core nvme mdio nvme_core [last unloaded: kvm_intel]
[41776.027424] CPU: 5 PID: 6807 Comm: rm Not tainted 4.10.0-ceph-gbbcd1b20a189 #1
[41776.034694] Hardware name: Supermicro SYS-5018R-WR/X10SRW-F, BIOS 2.0 12/17/2015
[41776.042140] task: ffff99e6563ecc80 task.stack: ffffb6ddc4fe0000
[41776.048102] RIP: 0010:ceph_readdir+0xe8e/0x12c0 [ceph]
[41776.053273] RSP: 0018:ffffb6ddc4fe3db8 EFLAGS: 00010296
[41776.058528] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 00000000766ec7e6
[41776.065699] RDX: 0000000000000001 RSI: 00000000e736fbf5 RDI: ffff99e604ca01a0
[41776.072866] RBP: ffffb6ddc4fe3ea0 R08: 0000000000000000 R09: 0000000000000000
[41776.080034] R10: ffff99e6563ed4c8 R11: ffff99e6563ed4a0 R12: ffff99e604ca01a0
[41776.087201] R13: ffff99e604ca0120 R14: 0000000000000007 R15: ffffb6ddc4fe3ef0
[41776.094371] FS: 00007f1092840700(0000) GS:ffff99e67fd40000(0000) knlGS:0000000000000000
[41776.102515] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[41776.108297] CR2: 000000000000000c CR3: 00000008576f8000 CR4: 00000000003406e0
[41776.115468] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[41776.122633] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[41776.129804] Call Trace:
[41776.132285]  ? __might_fault+0x8c/0xa0
[41776.136063]  ? __might_fault+0x43/0xa0
[41776.139845]  iterate_dir+0xd3/0x1b0
[41776.143368]  SyS_getdents+0xa7/0x150
[41776.146977]  ? filldir64+0x150/0x150
[41776.150585]  entry_SYSCALL_64_fastpath+0x23/0xc6
[41776.155240] RIP: 0033:0x7f109232ed3b
[41776.158848] RSP: 002b:00007ffd4b373c30 EFLAGS: 00000206 ORIG_RAX: 000000000000004e
[41776.166470] RAX: ffffffffffffffda RBX: 0000000001077040 RCX: 00007f109232ed3b
[41776.173636] RDX: 0000000000010000 RSI: 00000000010792f0 RDI: 0000000000000003
[41776.180803] RBP: 0000000000000004 R08: 00007f109262b2f8 R09: 00007ffd4b373da4
[41776.187973] R10: 00000000010792b0 R11: 0000000000000206 R12: 0000000000000004
[41776.195139] R13: 0000000001077040 R14: 0000000000000000 R15: 00000000010899c0
[41776.202306] Code: 0f 84 75 02 00 00 48 3d 00 f0 ff ff 0f 87 8b 01 00 00 48 8b 98 d8 00 00 00 4c 8d a0 80 00 00 00 4c 89 e7 e8 05 0e ef c7 8b 45 80 <3b> 43 0c 75 a6 49 83 7d 58 00 74 9f 48 8b 4b 48 4d 8b 47 08 48
Got this when running rm on the fsstress test directory on a 7-MDS cluster.
(gdb) l * ceph_readdir+0xe8e
0x952e is in ceph_readdir (fs/ceph/dir.c:235).
233		di = ceph_dentry(dentry);
234		spin_lock(&dentry->d_lock);
235		if (di->lease_shared_gen == shared_gen &&
236		    d_really_is_positive(dentry) &&
237		    fpos_cmp(ctx->pos, di->offset) <= 0) {
238			emit_dentry = true;
239		}
240		spin_unlock(&dentry->d_lock);
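Reading the dump against the listing: the byte marked at RIP in the Code: line is `3b 43 0c`, which is `cmp 0xc(%rbx),%eax`; RBX is 0000000000000000 and CR2 is 000000000000000c, so the load that faulted went through a NULL pointer at offset 0xc. That is consistent with the `di->lease_shared_gen == shared_gen` test on dir.c:235, with `di` from `ceph_dentry(dentry)` on line 233 being NULL. The helper below is an added triage example, my own code rather than the reporter's or anything from the Ceph kernel client: it parses the Code: line and the register dump copied from this report, decodes that one instruction form (cmp r32, r/m32 with a base register and 8- or 32-bit displacement, no SIB, no RIP-relative, no prefixes), and checks that the computed operand address equals CR2. The function names and the reduced decoder are assumptions of the example; the register values and Code: bytes are taken from the oops above.

```c
/*
 * Added triage helper (not part of the bug report or of the Ceph kernel client):
 * decode the faulting instruction from an x86-64 oops "Code:" line, compute its
 * memory operand from the dumped registers, and check it against CR2 so the
 * fault can be tied back to a source expression. Only the addressing form seen
 * in this oops is handled: cmp r32, r/m32 (opcode 0x3b) with a base register
 * and an optional disp8/disp32 (no SIB, no RIP-relative, no REX/legacy prefix).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Register file in ModRM r/m order: rax rcx rdx rbx rsp rbp rsi rdi. */
struct oops_regs {
    uint64_t r[8];
    uint64_t cr2;
};

static const char *reg_name[8] = {
    "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"
};

/* Values copied from the register dump of this report (oops at ceph_readdir+0xe8e). */
static const struct oops_regs report_regs = {
    .r = { 0x1, 0x766ec7e6, 0x1, 0x0,
           0xffffb6ddc4fe3db8, 0xffffb6ddc4fe3ea0, 0xe736fbf5, 0xffff99e604ca01a0 },
    .cr2 = 0xc,
};

/* The "Code:" line of this report; <xx> marks the byte at RIP. */
static const char *report_code =
    "0f 84 75 02 00 00 48 3d 00 f0 ff ff 0f 87 8b 01 00 00 48 8b 98 d8 00 00 00 "
    "4c 8d a0 80 00 00 00 4c 89 e7 e8 05 0e ef c7 8b 45 80 <3b> 43 0c 75 a6 49 83 "
    "7d 58 00 74 9f 48 8b 4b 48 4d 8b 47 08 48";

/* Parse the hex bytes into buf; return the index of the <xx> byte, -1 on error/absent. */
static int parse_code_line(const char *line, uint8_t *buf, size_t cap, size_t *len)
{
    const char *p = line;
    int rip_idx = -1;
    size_t n = 0;

    while (*p) {
        char *end;
        unsigned long v;

        while (*p == ' ')
            p++;
        if (!*p)
            break;
        if (n >= cap)
            return -1;
        if (*p == '<') {               /* "<3b>": the byte at RIP */
            rip_idx = (int)n;
            p++;
        }
        v = strtoul(p, &end, 16);
        if (end == p || v > 0xff)
            return -1;                 /* not a hex byte: malformed line */
        buf[n++] = (uint8_t)v;
        p = end;
        if (*p == '>')
            p++;
    }
    *len = n;
    return rip_idx;
}

/* Decode "cmp r32, r/m32" at code[0]. Returns 1 with *ea/*base_reg/*disp filled in
 * for a memory operand, 0 for the register-only form, -1 if not understood. */
static int cmp_rm32_effective_address(const uint8_t *code, size_t len,
                                      const struct oops_regs *rg,
                                      uint64_t *ea, int *base_reg, int64_t *disp)
{
    uint8_t modrm, mod, rm;

    if (len < 2 || code[0] != 0x3b)
        return -1;
    modrm = code[1];
    mod = modrm >> 6;                  /* the reg field (bits 3..5) is the r32 source */
    rm = modrm & 7;
    if (mod == 3)
        return 0;                      /* cmp reg, reg: no memory access */
    if (rm == 4 || (mod == 0 && rm == 5))
        return -1;                     /* SIB or RIP-relative: not handled here */
    if (mod == 0) {
        *disp = 0;
    } else if (mod == 1) {
        if (len < 3)
            return -1;
        *disp = (int8_t)code[2];       /* disp8 is sign-extended */
    } else {
        uint32_t d32;
        if (len < 6)
            return -1;
        d32 = (uint32_t)code[2] | (uint32_t)code[3] << 8 |
              (uint32_t)code[4] << 16 | (uint32_t)code[5] << 24;
        *disp = (int32_t)d32;          /* disp32 is sign-extended */
    }
    *base_reg = rm;
    *ea = rg->r[rm] + (uint64_t)*disp;
    return 1;
}

/* Returns 1 when the decoded operand address equals CR2, i.e. the dump is
 * self-consistent and the base register holds the bad pointer; else 0. */
static int fault_matches_cr2(const char *code_line, const struct oops_regs *rg,
                             int *base_reg, int64_t *disp)
{
    uint8_t code[128];
    size_t len;
    uint64_t ea;
    int rip = parse_code_line(code_line, code, sizeof(code), &len);

    if (rip < 0)
        return 0;
    if (cmp_rm32_effective_address(code + rip, len - (size_t)rip, rg,
                                   &ea, base_reg, disp) != 1)
        return 0;
    return ea == rg->cr2;
}

/* Wrappers over this report's data: ModRM base register index / displacement
 * of the faulting operand, or -1 if the dump does not tie together. */
static int report_fault_base_reg(void)
{
    int b; int64_t d;
    return fault_matches_cr2(report_code, &report_regs, &b, &d) ? b : -1;
}

static int64_t report_fault_disp(void)
{
    int b; int64_t d;
    return fault_matches_cr2(report_code, &report_regs, &b, &d) ? d : -1;
}

int main(void)
{
    int base = report_fault_base_reg();

    if (base < 0) {
        printf("could not tie the faulting operand to CR2\n");
        return 1;
    }
    printf("faulting operand: 0x%llx(%%%s), %s = 0x%llx, CR2 = 0x%llx: NULL pointer + 0x%llx\n",
           (unsigned long long)report_fault_disp(), reg_name[base], reg_name[base],
           (unsigned long long)report_regs.r[base], (unsigned long long)report_regs.cr2,
           (unsigned long long)report_fault_disp());
    return 0;
}
```

For this report the helper resolves the operand to 0xc(%rbx) with %rbx == 0, matching CR2, which is the check worth doing before trusting a source-line attribution: a CR2 that does not equal the decoded operand address means the dump and the listing do not describe the same instruction.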