Re: NFS bug?

From: Trond Myklebust
Date: Fri Apr 21 2006 - 10:08:11 EST

Next message: Michael Holzheu: "Re: [PATCH/RFC] s390: Hypervisor File System"
Previous message: Dmitry Fedorov: "Re: kfree(NULL)"
In reply to: Andrew Morton: "Re: NFS bug?"
Next in thread: Joshua Hudson: "Re: NFS bug?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2006-04-21 at 00:55 -0700, Andrew Morton wrote:
> Trond Myklebust <trond.myklebust@xxxxxxxxxx> wrote:
> >
> > On Thu, 2006-04-20 at 11:14 -0700, Robert Merrill wrote:
> > > > Oh... and could you also send us the Oops/stack trace from the BUG_ON()?
> > > >
> > > ------------[ cut here ]------------
> > > kernel BUG at arch/i386/lib/usercopy.c:582!
> > > invalid operand: 0000 [#49]
> > > SMP
> > > Modules linked in: w83627hf eeprom lm85 w83781d hwmon_vid i2c_isa
> > > i2c_dev thermal fan button processor ac battery nfs lockd nfs_acl
> > > sunrpc ipv6 quota_v1 ide_cd cdrom generic joydev piix psmouse evdev
> > > uhci_hcd ehci_hcd parport_pc parport e1000 rtc serio_raw floppy
> > > usbcore i2c_i801 ide_core i2c_core mousedev pcspkr shpchp pci_hotplug
> > > CPU: 2
> > > EIP: 0060:[<c01ff157>] Not tainted VLI
> > > EFLAGS: 00010282 (2.6.15.7-soda0)
> > > EIP is at __copy_from_user_ll+0x12/0xe2
> > > eax: 00000000 ebx: 00000003 ecx: fffffffb edx: fffffffb
> > > esi: 0804a024 edi: 00000000 ebp: 00000000 esp: f6964f84
> > > ds: 007b es: 007b ss: 0068
> > > Process a.out (pid: 6994, threadinfo=f6964000 task=f70e7030)
> > > Stack: fffffffb b7f55ff4 f893c2a0 00000000 0804a024 fffffffb fffffffb 000000d0
> > > f70e7030 00000003 0804a024 b7f55ff4 f6964000 f893dc1d 00000003 0804a024
> > > 00004000 0804a024 b7f55ff4 bf973d50 ffffffda 0000007b c010007b 000000dc
> > > Call Trace:
> > > Code: 07 29 c8 f3 a4 89 c1 c1 e9 02 83 e0 03 90 f3 a5 89 c1 f3 a4 89
> > > c8 5e 5f c3 57 56 8b 7c 24 0c 8b 74 24 10 8b 4c 24 14 85 c9 79 08 <0f>
> > > 0b 46 02 63 92 2f c0 83 f9 3f 0f 86 99 00 00 00 89 f8 31 f0
> >
> > Was there no stack trace in that Oops? AFAICS, getdents64() isn't
> > supposed to be calling __copy_from_user_ll() at all, so you appear to
> > have something very weird going here.
>
> I'd be guessing that filldir64() was passed a negative namlen.

Why would that trigger a bug in __copy_from_user_ll()? I could see it
triggering errors in copy_to_user(), but not copy_from_*...

Cheers,
Trond

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Michael Holzheu: "Re: [PATCH/RFC] s390: Hypervisor File System"
Previous message: Dmitry Fedorov: "Re: kfree(NULL)"
In reply to: Andrew Morton: "Re: NFS bug?"
Next in thread: Joshua Hudson: "Re: NFS bug?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]