Re: Regression in Autofs, 2.6.15-git
From: P. Christeas
Date: Sat Jan 14 2006 - 10:14:15 EST
> > Unable to handle kernel NULL pointer dereference at virtual address
> > 00000030 printing eip:
> > *pde = 00000000
> > Oops: 0000 [#1]
> > PREEMPT SMP
> > Modules linked in: nfs autofs4 cpufreq_ondemand cpufreq_userspace
> > cpufreq_powersave p4_clockmod speedstep_lib freq_table nfsd exportfs
> > lockd sunrpc irtty_sir sir_dev irda crc_ccitt rfcomm l2cap bluetooth
> > snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device
> > snd_pcm_oss snd_mixer_oss snd_atiixp snd_ac97_codec snd_ac97_bus snd_pcm
> > snd_timer snd_page_alloc i2c_isa 8139too eth1394 sd_mod ohci1394 ieee1394
> > loop cx88_blackbird cx8802 tda9887 tuner cx8800 cx88xx i2c_algo_bit
> > video_buf ir_common tveeprom i2c_core btcx_risc usb_storage scsi_mod
> > usbhid ehci_hcd ohci_hcd usbcore video container button battery CPU: 1
> > EIP: 0060:[<c0162875>] Not tainted VLI
> > EFLAGS: 00210202 (2.6.15xrg-gf33dc619)
> > EIP is at touch_atime+0x43/0x9f
> > eax: 40000000 ebx: db67435c ecx: d8942a00 edx: 00000004
> > esi: d3aba6c0 edi: d7e942b0 ebp: 00000004 esp: d3cede50
^^^^^^^^^^^^^^^^^^^^^
Note these..
> > ds: 007b es: 007b ss: 0068
> > Process konqueror (pid: 4751, threadinfo=d3cec000 task=dfda6a90)
> > Stack: <0>00000001 00000001 d362fd50 d3aba6c0 e1b0e727 00000004 d362fd50
> > 00000000 d3aba6c0 d362fd50 00000000 e1b0edd7 00000004 d362fd50 00000002
> > d371b8bc d362fd50 d362fd50 c1627d40 e1b0e909 d362fd50 d3cedea8 db67435c
> > 00000004 Call Trace:
> > [<e1b0e727>] autofs4_update_usage+0x2c/0x4b [autofs4]
> > [<e1b0edd7>] autofs4_revalidate+0x10d/0x121 [autofs4]
> > [<e1b0e909>] autofs4_dir_open+0xb7/0x19b [autofs4]
> > [<c0158627>] permission+0x7f/0x8c
> > [<c0158647>] vfs_permission+0x13/0x17
> > [<c0159da5>] may_open+0x53/0x1a1
> > [<e1b0e852>] autofs4_dir_open+0x0/0x19b [autofs4]
> > [<c014c7cf>] __dentry_open+0xe7/0x1e5
> > [<c014c98c>] nameidata_to_filp+0x1f/0x31
> > [<c014c8fd>] filp_open+0x30/0x38
> > [<c014cb69>] do_sys_open+0x3c/0xaf
> > [<c01027cf>] sysenter_past_esp+0x54/0x75
> > Code: a8 01 75 7e f6 83 78 01 00 00 02 75 75 f6 c4 04 75 70 f6 c4 08 74
> > 10 0f b7 43 28 25 00 f0 00 00 3d 00 40 00 00 74 5b 85 d2 74 1b <8b> 42 2c
> > a8 08 75 50 a8 10 74 10 0f b7 43 28 25 00 f0 00 00 3d <6>note:
> > konqueror[4751] exited with preempt_count 1
>
> We test incoming arg `mnt' for NULL so we can ignore that.
>
Still, it seems that the problem lies in 'mnt'.
EIP: 0060:[<c0162875>] -->
0xc0162875 is in touch_atime (fs/inode.c:1205).
and:
Dump of assembler code for function touch_atime:
0xc0162832 <touch_atime+0>: push %esi
0xc0162833 <touch_atime+1>: push %ebx
0xc0162834 <touch_atime+2>: push %eax
0xc0162835 <touch_atime+3>: push %eax
0xc0162836 <touch_atime+4>: mov 0x14(%esp),%edx
...
0xc0162871 <touch_atime+63>: test %edx,%edx
0xc0162873 <touch_atime+65>: je 0xc0162890 <touch_atime+94>
0xc0162875 <touch_atime+67>: mov 0x2c(%edx),%eax
0xc0162878 <touch_atime+70>: test $0x8,%al
0xc016287a <touch_atime+72>: jne 0xc01628cc <touch_atime+154>
Doesn't that mean that mnt==0x0004 ? Clearly wrong. I can also see from
Christian's patch that mnt wasn't previously used, so it makes perfect sense
for that commit to introduce the oops.
I guess the problem lies in autofs4_revalidate (fs/autofs4/root.c:420), the
nd->mnt value..
I will add a silly validator (mnt>0xff) instead of (mnt) and see..
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/