I have come across a bug in the loop driver. To reproduce this bug,
simply do:
losetup /dev/loop0 /dev/[sh]da(some unused partition)
dd if=/dev/zero of=/dev/loop0
If you use the count/bs args for dd, or just wait for it to write alot
with the above command, you will notice that once it writes more
than the free amount of RAM, you will get the following oops.
The strange thing is, this ONLY occurs when attaching the loop device
to another block device(well, I only tested with an unused partition);
this bug does NOT occur if the loop target is a regular file on the
filesystem. I'm a very newbie kernel hacker, so I am not able to create
a patch to fix this. However, I did trace the oops to
drivers/block/loop.c:loop_get_buffer(): (kernel 2.5.63, however same
bug is in 2.5.62, I don't know when it was first introduced)
bio=bio_copy(rbh,GFP_NOIO,rbh->bi_rw & WRITE); // This returns NULL
bio->bi_end_io = loop_end_io_transfer; // Making this crash
Unable to handle kernel NULL pointer dereference at virtual address 00000028
printing eip:
c02298bb
*pde = 00000000
Oops: 0002
CPU: 0
EIP: 0060:[<c02298bb>] Not tainted
EFLAGS: 00010282
EIP is at loop_get_buffer+0x5b/0x70
eax: 00000000 ebx: c0511160 ecx: c0511120 edx: c7fec910
esi: c114a000 edi: c114a110 ebp: c5af7a2c esp: c5af7a18
ds: 007b es: 007b ss: 0068
Process dd (pid: 221, threadinfo=c5af6000 task=c748a6c0)
Stack: c0511160 00000010 00000001 c114a000 00000001 c5af7a50 c0229b06 c114a000
c0511160 c7feee20 00000000 c7ed13c0 00000001 c114a110 c5af7a84 c021d83d
c114a110 c0511160 00000010 00000001 c5af7a6c 00000000 c61fc460 0000513b
Call Trace:
[<c0229b06>] loop_make_request+0xd6/0x170
[<c021d83d>] generic_make_request+0x13d/0x1d0
[<c021d90d>] submit_bio+0x3d/0x80
[<c01529c7>] __block_write_full_page+0x207/0x3e0
[<c0154125>] block_write_full_page+0xd5/0xe0
[<c0156d20>] blkdev_get_block+0x0/0x60
[<c0156e80>] blkdev_writepage+0x20/0x30
[<c0156d20>] blkdev_get_block+0x0/0x60
[<c013e86c>] shrink_list+0x3cc/0x610
[<c0124815>] add_timer+0x95/0xb0
[<c013d679>] __pagevec_release+0x29/0x40
[<c013ec0a>] shrink_cache+0x15a/0x2d0
[<c013f39e>] shrink_caches+0x9e/0xc0
[<c013f435>] try_to_free_pages+0x75/0xe0
[<c0138f28>] __alloc_pages+0x1b8/0x2c0
[<c0137b03>] __grab_cache_page+0x43/0xa1
[<c0137018>] generic_file_aio_write_nolock+0x228/0x7b0
[<c021bd58>] blk_rq_map_sg+0xf8/0x170
[<c02464a9>] __ide_dma_begin+0x39/0x50
[<c0137618>] generic_file_write_nolock+0x78/0x90
[<c012d1d8>] rcu_process_callbacks+0xe8/0x110
[<c01212e6>] tasklet_action+0x46/0x70
[<c010bce8>] do_IRQ+0x108/0x130
[<c010a6e0>] common_interrupt+0x18/0x20
[<c0157ea3>] blkdev_file_write+0x33/0x40
[<c014fb3f>] vfs_write+0xaf/0x120
[<c014fc4c>] sys_write+0x3c/0x60
[<c010a573>] syscall_call+0x7/0xb
Code: c7 40 28 d0 97 22 c0 89 c2 89 58 30 eb b1 8d b4 26 00 00 00
This archive was generated by hypermail 2b29 : Fri Feb 28 2003 - 22:00:24 EST