From: Junxiao Bi
Date: Thu, 1 Mar 2018 23:33:12 +0000 (-0800)
Subject: ext4: fix ->put_link panic
X-Git-Tag: v4.1.12-124.31.3~894
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=7db6d7e9209ffb4f42b64cfdecaa180b8dccbe58;p=users%2Fjedix%2Flinux-maple.git

ext4: fix ->put_link panic

Orabug: 27498770

The following panic was caught. Something was wrong with the storage and an I/O error was returned, generic_readlink()->ext4_follow_link()->page_follow_link_light() returned with a NULL page and an error link, then ext4_put_link() tried to free the error link and panicked.

[25144440.198756] device-mapper: snapshots: Invalidating snapshot: Unable to allocate exception.
[25144440.332969] Aborting journal on device dm-7-8.
[25144440.338462] Buffer I/O error on dev dm-7, logical block 3702784, lost sync page write
[25144440.342625] Buffer I/O error on dev dm-7, logical block 0, lost sync page write
[25144440.342627] EXT4-fs error (device dm-7): ext4_journal_check_start:56: Detected aborted journal
[25144440.342629] EXT4-fs (dm-7): Remounting filesystem read-only
[25144440.342630] EXT4-fs (dm-7): previous I/O error to superblock detected
[25144440.342634] Buffer I/O error on dev dm-7, logical block 0, lost sync page write
[25144440.390336] JBD2: Error -5 detected when updating journal superblock for dm-7-8.
[25144464.799979] Buffer I/O error on dev dm-7, logical block 1573499, lost async page write
[25144464.809517] Buffer I/O error on dev dm-7, logical block 1573501, lost async page write
[25144464.819048] Buffer I/O error on dev dm-7, logical block 1573659, lost async page write
[25144464.828669] Buffer I/O error on dev dm-7, logical block 1573660, lost async page write
[25144464.838207] Buffer I/O error on dev dm-7, logical block 1573662, lost async page write
[25144464.847798] Buffer I/O error on dev dm-7, logical block 1573675, lost async page write
[25144464.857326] Buffer I/O error on dev dm-7, logical block 1573677, lost async page write
[25144464.866848] Buffer I/O error on dev dm-7, logical block 1573696, lost async page write
[25144464.876383] Buffer I/O error on dev dm-7, logical block 1573698, lost async page write
[25144464.885903] Buffer I/O error on dev dm-7, logical block 1573703, lost async page write
[25144496.335355] ------------[ cut here ]------------
[25144496.341039] kernel BUG at mm/slub.c:3413!
[25144496.345997] invalid opcode: 0000 [#1] SMP
[25144496.351074] Modules linked in: dm_snapshot dm_bufio nfnetlink_queue nfnetlink_log nfnetlink iptable_filter ip_tables oracleacfs(PO) oracleadvm(PO) oracleoks(PO) mpt3sas scsi_transport_sas raid_class nfsv3 nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs fscache lockd sunrpc grace ipmi_poweroff ipmi_devintf bonding rds_rdma rds ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad mlx4_ib mlx4_core dm_multipath bnx2i cnic uio cxgb4i libcxgbi cxgb4 ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ipv6 fuse iTCO_wdt iTCO_vendor_support sb_edac edac_core i2c_i801 lpc_ich mfd_core sg ixgbe dca ptp pps_core vxlan udp_tunnel ip6_udp_tunnel mdio ipmi_ssif i2c_core ipmi_si ipmi_msghandler wmi acpi_pad ext4 jbd2 mbcache sd_mod ahci libahci megaraid_sas dm_mirror
[25144496.433281] dm_region_hash dm_log dm_mod
[25144496.436514] CPU: 8 PID: 201734 Comm: tar Tainted: P O 4.1.12-61.28.1.el6uek.x86_64 #2
[25144496.447204] Hardware name: Oracle Corporation ORACLE SERVER X6-2/ASM,MOTHERBOARD,1U, BIOS 38070000 12/16/2016
[25144496.458974] task: ffff888ce26d0e00 ti: ffff888da1c50000 task.ti: ffff888da1c50000
[25144496.467999] RIP: 0010:[] [] kfree+0x159/0x170
[25144496.477238] RSP: 0018:ffff888da1c53da8 EFLAGS: 00010246
[25144496.483734] RAX: 001fffff80000400 RBX: fffffffffffffffb RCX: ffffffffa00ee860
[25144496.492480] RDX: 0000000000000000 RSI: fffffffffffffffb RDI: ffffea0001ffffc0
[25144496.501116] RBP: ffff888da1c53dc8 R08: 000000000001abc0 R09: ffff885efec07480
[25144496.509753] R10: ffffffff8118b1b7 R11: 0000000000000000 R12: 0000000000000000
[25144496.518425] R13: ffffffffa00ee890 R14: 00000000fffffffb R15: 000000000000005f
[25144496.527061] FS: 00007f949c3957a0(0000) GS:ffff885eff400000(0000) knlGS:0000000000000000
[25144496.536769] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[25144496.543674] CR2: 00007f47cdbd8d20 CR3: 0000006093b7b000 CR4: 00000000003406e0
[25144496.552333] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[25144496.560961] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[25144496.569630] Stack:
[25144496.572452] ffff888da1c53de8 ffff8801e33e7bc0 0000000000000000 ffff888da1c53de8
[25144496.581455] ffff888da1c53dd8 ffffffffa00ee890 ffff888da1c53eb8 ffffffff8120f7ec
[25144496.590422] ffff888da1c53eb8 ffffffff812144c3 ffff88bec2658320 ffff8801e33e7bc0
[25144496.599391] Call Trace:
[25144496.602619] [] ext4_put_link+0x30/0x40 [ext4]
[25144496.609819] [] generic_readlink+0x8c/0xb0
[25144496.616627] [] ? user_path_at_empty+0x63/0xa0
[25144496.623816] [] SyS_readlinkat+0x116/0x130
[25144496.630629] [] SyS_readlink+0x1b/0x20
[25144496.637065] [] system_call_fastpath+0x12/0x71
[25144496.644278] Code: ff ff eb 8e 66 f7 07 00 c0 74 20 48 8b 07 31 f6 f6 c4 40 74 03 8b 77 68 e8 f5 d7 fa ff e9 70 ff ff ff 48 8b 7f 30 e9 19 ff ff ff <0f> 0b 0f 1f 44 00 00 eb f9 66 66 66 66 66 2e 0f 1f 84 00 00 00
[25144496.667149] RIP [] kfree+0x159/0x170
[25144496.673496] RSP

Mainline/uek5 do not have this issue, as the ->following_link and ->put_link have been refactored there. The patch set to do that is a little big, so I don't bother to backport them, just write this small patch to fix the issue.

Signed-off-by: Junxiao Bi
Reviewed-by: Ashish Samant
---
diff --git a/fs/ext4/symlink.c b/fs/ext4/symlink.c index 187b78920314..abcf0420a181 100644 --- a/fs/ext4/symlink.c +++ b/fs/ext4/symlink.c @@ -103,7 +103,11 @@ static void ext4_put_link(struct dentry *dentry, struct nameidata *nd, struct page *page = cookie; if (!page) { - kfree(nd_get_link(nd)); + /* NULL page and error link maybe returned for unencrypted inode by + * ext4_follow_link(). + */ + if (!IS_ERR(nd_get_link(nd))) + kfree(nd_get_link(nd)); } else { kunmap(page); page_cache_release(page);
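
Review bot: in the if (!page) branch of ext4_put_link(), nd_get_link(nd) is evaluated twice, once inside IS_ERR() and once as the argument to kfree(); reading it once into a local (for example "char *link = nd_get_link(nd);") and then testing and freeing that local keeps the check and the free on the same value and is easier to read. The added comment should say "may be returned" rather than "maybe returned", and it would help the next reader if it stated why the test exists: the link can be an error pointer rather than an allocation, so it must not be passed to kfree(). That matches the oops in the commit message, where the register dump shows fffffffffffffffb (-5) and the journal reports "Error -5". No separate NULL test is needed in this branch, since kfree() of a NULL pointer is a no-op.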