Revision f6619ef7508261be2ba3ded313ccc46ce670d0d3 authored by Wang, Rui Y on 18 November 2015, 15:00:53 UTC, committed by Dave Airlie on 19 November 2015, 03:20:01 UTC
The machine hang completely with the following message on the console: [ 487.777538] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060 [ 487.777554] IP: [<ffffffff8158aaee>] _raw_spin_lock+0xe/0x30 [ 487.777557] PGD 42e9f7067 PUD 42f2fa067 PMD 0 [ 487.777560] Oops: 0002 [#1] SMP ... [ 487.777618] CPU: 21 PID: 3190 Comm: Xorg Tainted: G E 4.4.0-rc1-3-default+ #6 [ 487.777620] Hardware name: Intel Corporation BRICKLAND/BRICKLAND, BIOS BRHSXSD1.86B.0059.R00.1501081238 01/08/2015 [ 487.777621] task: ffff880853ae4680 ti: ffff8808696d4000 task.ti: ffff8808696d4000 [ 487.777625] RIP: 0010:[<ffffffff8158aaee>] [<ffffffff8158aaee>] _raw_spin_lock+0xe/0x30 [ 487.777627] RSP: 0018:ffff8808696d79c0 EFLAGS: 00010246 [ 487.777628] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 487.777629] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000060 [ 487.777630] RBP: ffff8808696d79e0 R08: 0000000000000000 R09: ffff88086924a780 [ 487.777631] R10: 000000000001bb40 R11: 0000000000003246 R12: 0000000000000000 [ 487.777632] R13: ffff880463a27360 R14: ffff88046ca50218 R15: 0000000000000080 [ 487.777634] FS: 00007f3f81c5a8c0(0000) GS:ffff88086f060000(0000) knlGS:0000000000000000 [ 487.777635] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 487.777636] CR2: 0000000000000060 CR3: 000000042e678000 CR4: 00000000001406e0 [ 487.777638] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 487.777639] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 487.777639] Stack: [ 487.777642] ffffffffa00eb5fa ffff8808696d7b60 ffff88086b87d800 0000000000000000 [ 487.777644] ffff8808696d7ac8 ffffffffa01694b6 ffff8808696d7ae8 ffffffff8109c8d5 [ 487.777647] ffff880469158740 ffff880463a27000 ffff88086b87d800 ffff88086b87d800 [ 487.777647] Call Trace: [ 487.777674] [<ffffffffa00eb5fa>] ? 
drm_gem_object_lookup+0x1a/0xa0 [drm] [ 487.777681] [<ffffffffa01694b6>] mga_crtc_cursor_set+0xc6/0xb60 [mgag200] [ 487.777691] [<ffffffff8109c8d5>] ? find_busiest_group+0x35/0x4a0 [ 487.777696] [<ffffffff81086294>] ? __might_sleep+0x44/0x80 [ 487.777699] [<ffffffff815888c2>] ? __ww_mutex_lock+0x22/0x9c [ 487.777722] [<ffffffffa0104f64>] ? drm_modeset_lock+0x34/0xf0 [drm] [ 487.777733] [<ffffffffa0148d9e>] restore_fbdev_mode+0xee/0x2a0 [drm_kms_helper] [ 487.777742] [<ffffffffa014afce>] drm_fb_helper_restore_fbdev_mode_unlocked+0x2e/0x70 [drm_kms_helper] [ 487.777748] [<ffffffffa014b037>] drm_fb_helper_set_par+0x27/0x50 [drm_kms_helper] [ 487.777752] [<ffffffff8134560c>] fb_set_var+0x18c/0x3f0 [ 487.777777] [<ffffffffa02a9b0a>] ? __ext4_handle_dirty_metadata+0x8a/0x210 [ext4] [ 487.777783] [<ffffffff8133cb97>] fbcon_blank+0x1b7/0x2b0 [ 487.777790] [<ffffffff813be2a3>] do_unblank_screen+0xb3/0x1c0 [ 487.777795] [<ffffffff813b5aba>] vt_ioctl+0x118a/0x1210 [ 487.777801] [<ffffffff813a8fe0>] tty_ioctl+0x3f0/0xc90 [ 487.777808] [<ffffffff81172018>] ? kzfree+0x28/0x30 [ 487.777813] [<ffffffff811e053f>] ? mntput+0x1f/0x30 [ 487.777817] [<ffffffff811d3f5d>] do_vfs_ioctl+0x30d/0x570 [ 487.777822] [<ffffffff8107ed3a>] ? task_work_run+0x8a/0xa0 [ 487.777825] [<ffffffff811d4234>] SyS_ioctl+0x74/0x80 [ 487.777829] [<ffffffff8158aeae>] entry_SYSCALL_64_fastpath+0x12/0x71 [ 487.777851] Code: 65 ff 0d ce 02 a8 7e 5d c3 ba 01 00 00 00 f0 0f b1 17 85 c0 75 e8 b0 01 5d c3 0f 1f 00 65 ff 05 b1 02 a8 7e 31 c0 ba 01 00 00 00 <f0> 0f b1 17 85 c0 75 01 c3 55 89 c6 48 89 e5 e8 4e f5 b1 ff 5d [ 487.777854] RIP [<ffffffff8158aaee>] _raw_spin_lock+0xe/0x30 [ 487.777855] RSP <ffff8808696d79c0> [ 487.777856] CR2: 0000000000000060 [ 487.777860] ---[ end trace 672a2cd555e0ebd3 ]--- The cursor code may be entered with file_priv == NULL && handle == NULL. 
The problem was introduced by: "bf89209 drm/mga200g: Hold a proper reference for cursor_set" which calls drm_gem_object_lookup(dev, file_priv...). Previously this wasn't a problem because we checked the handle. Moving the check earlier in the function fixes the problem. Signed-off-by: Rui Wang <rui.y.wang@intel.com> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> Signed-off-by: Dave Airlie <airlied@redhat.com>
1 parent e6c84ac
/* fs/fat/nfs.c
*
* This software is licensed under the terms of the GNU General Public
* License version 2, as published by the Free Software Foundation, and
* may be copied, distributed, and modified under those terms.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
*/
#include <linux/exportfs.h>
#include "fat.h"
/*
 * On-the-wire NFS file handle used by the nostale export operations below.
 * A file is identified by the on-disk position of its directory entry
 * (i_pos, split into a 32-bit low and a 16-bit high part, so only the low
 * 48 bits of i_pos survive the round trip) plus the inode generation, which
 * lets a reused slot be told apart from the original file.  The parent_*
 * fields are filled in only when a parent-aware handle is requested.
 *
 * Handle sizes are counted in u32 words, as exportfs does.  Note that
 * FAT_FID_SIZE_WITHOUT_PARENT (3 words = 12 bytes) spans i_gen, i_pos_low,
 * i_pos_hi *and* the two bytes of parent_i_pos_hi, so an encoder producing
 * the short handle has to initialise those two bytes as well -- otherwise
 * whatever the caller left in the buffer is handed out with the handle.
 */
struct fat_fid {
	u32 i_gen;		/* inode->i_generation */
	u32 i_pos_low;		/* i_pos bits  0..31 */
	u16 i_pos_hi;		/* i_pos bits 32..47 */
	u16 parent_i_pos_hi;	/* parent i_pos bits 32..47 (with-parent only) */
	u32 parent_i_pos_low;	/* parent i_pos bits  0..31 (with-parent only) */
	u32 parent_i_gen;	/* parent->i_generation     (with-parent only) */
};

/* Handle lengths in u32 words: 3 for the file alone, 5 with its parent. */
#define FAT_FID_SIZE_WITHOUT_PARENT 3
#define FAT_FID_SIZE_WITH_PARENT (sizeof(struct fat_fid)/sizeof(u32))
/*
 * fat_dget - find an in-core directory inode by its start cluster
 * @sb:         the FAT superblock
 * @i_logstart: first cluster of the directory being looked for
 *
 * Walks the superblock's directory hash chain for @i_logstart under
 * dir_hash_lock and returns the first matching inode that igrab() can still
 * pin (igrab() refuses inodes that are on their way out), or NULL if no
 * usable match is cached.  The caller owns the returned reference and must
 * iput() it.
 */
static struct inode *fat_dget(struct super_block *sb, int i_logstart)
{
	struct msdos_sb_info *sbi = MSDOS_SB(sb);
	struct hlist_head *chain = sbi->dir_hashtable + fat_dir_hash(i_logstart);
	struct msdos_inode_info *entry;
	struct inode *found = NULL;

	spin_lock(&sbi->dir_hash_lock);
	hlist_for_each_entry(entry, chain, i_dir_hash) {
		/* Every entry on this table must belong to @sb. */
		BUG_ON(entry->vfs_inode.i_sb != sb);
		if (entry->i_logstart == i_logstart) {
			found = igrab(&entry->vfs_inode);
			if (found)
				break;
		}
	}
	spin_unlock(&sbi->dir_hash_lock);

	return found;
}
/*
 * fat_ilookup - resolve the identity carried in a file handle to an inode
 * @sb:    the FAT superblock
 * @ino:   inode number from the handle (default mode)
 * @i_pos: directory-entry position from the handle (nostale mode)
 *
 * In FAT_NFS_NOSTALE_RO mode handles are keyed by @i_pos, so the lookup is
 * delegated to fat_iget().  Otherwise @ino is an inode number supplied by
 * the NFS client: values below MSDOS_ROOT_INO and the FSINFO pseudo-inode
 * are refused before ilookup() is consulted.  Returns a referenced inode or
 * NULL.
 */
static struct inode *fat_ilookup(struct super_block *sb, u64 ino, loff_t i_pos)
{
	if (MSDOS_SB(sb)->options.nfs == FAT_NFS_NOSTALE_RO)
		return fat_iget(sb, i_pos);

	/* Untrusted inode number: reject the reserved / pseudo-inode range. */
	if (ino < MSDOS_ROOT_INO || ino == MSDOS_FSINFO_INO)
		return NULL;

	return ilookup(sb, ino);
}
/*
 * __fat_nfs_get_inode - turn handle contents into a referenced inode
 * @sb:         the FAT superblock
 * @ino:        inode number from the handle (0 from the nostale decoders)
 * @generation: expected i_generation, or 0 to skip the generation check
 * @i_pos:      directory-entry position from the handle (nostale mode only)
 *
 * First tries the in-core inode via fat_ilookup().  A cached inode whose
 * generation differs from a non-zero @generation is dropped and treated as
 * not found.  In FAT_NFS_NOSTALE_RO mode a miss is then resolved by reading
 * the directory entry at @i_pos from disk and rebuilding the inode with
 * fat_build_inode(), unless that slot is marked free (the file was deleted
 * on the server after the client obtained the handle).
 *
 * Returns a referenced inode, or NULL when nothing usable was found or the
 * block holding the entry could not be read.
 *
 * NOTE(review): @i_pos comes straight from a client-supplied file handle and
 * is not range-checked in this file before fat_get_blknr_offset() and
 * sb_bread(); the only guard visible here is sb_bread() failing.  Whether
 * those helpers bound the block number and the slot index is not visible
 * here -- confirm.
 */
static struct inode *__fat_nfs_get_inode(struct super_block *sb,
					 u64 ino, u32 generation, loff_t i_pos)
{
	struct inode *inode = fat_ilookup(sb, ino, i_pos);
	struct buffer_head *bh;
	struct msdos_dir_entry *de;
	sector_t blocknr;
	int offset;

	/* A generation mismatch means the slot was reused: the handle is stale. */
	if (inode && generation && inode->i_generation != generation) {
		iput(inode);
		inode = NULL;
	}

	/* Only nostale mode can rebuild an inode that is not in core. */
	if (inode || MSDOS_SB(sb)->options.nfs != FAT_NFS_NOSTALE_RO)
		return inode;

	fat_get_blknr_offset(MSDOS_SB(sb), i_pos, &blocknr, &offset);
	bh = sb_bread(sb, blocknr);
	if (!bh) {
		fat_msg(sb, KERN_ERR,
			"unable to read block(%llu) for building NFS inode",
			(llu)blocknr);
		return NULL;
	}

	de = (struct msdos_dir_entry *)bh->b_data;
	/*
	 * If the file was deleted on the server and the client has not
	 * noticed yet, the slot is free: do not resurrect an inode from it.
	 */
	if (!IS_FREE(de[offset].name))
		inode = fat_build_inode(sb, &de[offset], i_pos);
	brelse(bh);

	return inode;
}
/*
 * fat_nfs_get_inode - inode finder for the default (inode-number) handles
 *
 * Thin adapter used with generic_fh_to_dentry()/generic_fh_to_parent(): the
 * generic handle carries only an inode number and generation, so no
 * directory-entry position is available and 0 is passed for i_pos.
 */
static struct inode *fat_nfs_get_inode(struct super_block *sb,
				       u64 ino, u32 generation)
{
	const loff_t no_pos = 0;

	return __fat_nfs_get_inode(sb, ino, generation, no_pos);
}
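/*
 * fat_encode_fh_nostale - build a position-based NFS file handle
 * @inode:  inode to encode
 * @fh:     caller-provided buffer of *@lenp u32 words
 * @lenp:   in: capacity of @fh in words; out: words needed / actually used
 * @parent: parent directory inode, or NULL for a parent-less handle
 *
 * Emits a struct fat_fid: the inode's i_generation and the on-disk position
 * of its directory entry (low 32 + high 16 bits; higher bits of i_pos do not
 * fit) and, when @parent is given, the same pair for the parent.  Returns
 * the handle type (FILEID_FAT_WITHOUT_PARENT or FILEID_FAT_WITH_PARENT), or
 * FILEID_INVALID if @fh is too small -- *@lenp is then set to the required
 * size so the caller can retry with a bigger buffer.
 *
 * The parent-less handle is FAT_FID_SIZE_WITHOUT_PARENT = 3 words long,
 * which extends two bytes past i_pos_hi into the parent_i_pos_hi slot.
 * Those two bytes are explicitly zeroed here: @fh is not necessarily zeroed
 * by the caller, and the handle is copied out to NFS clients (and, via
 * name_to_handle_at(), to userspace), so leaving them unwritten would hand
 * out whatever happened to be in the buffer.  The with-parent layout covers
 * all 20 bytes of struct fat_fid, so it needs no such padding write.
 */
static int
fat_encode_fh_nostale(struct inode *inode, __u32 *fh, int *lenp,
		      struct inode *parent)
{
	int len = *lenp;
	struct msdos_sb_info *sbi = MSDOS_SB(inode->i_sb);
	struct fat_fid *fid = (struct fat_fid *) fh;
	loff_t i_pos;
	int type = FILEID_FAT_WITHOUT_PARENT;
	int needed = parent ? (int)FAT_FID_SIZE_WITH_PARENT
			    : FAT_FID_SIZE_WITHOUT_PARENT;

	/* Too small (or nonsensical) capacity: tell the caller what we need. */
	if (len < needed) {
		*lenp = needed;
		return FILEID_INVALID;
	}

	i_pos = fat_i_pos_read(sbi, inode);
	*lenp = FAT_FID_SIZE_WITHOUT_PARENT;
	fid->i_gen = inode->i_generation;
	fid->i_pos_low = i_pos & 0xFFFFFFFF;
	fid->i_pos_hi = (i_pos >> 32) & 0xFFFF;	/* only 48 bits of i_pos fit */
	/* Fully initialise the 3-word handle; overwritten below if @parent. */
	fid->parent_i_pos_hi = 0;

	if (parent) {
		i_pos = fat_i_pos_read(sbi, parent);
		fid->parent_i_pos_hi = (i_pos >> 32) & 0xFFFF;
		fid->parent_i_pos_low = i_pos & 0xFFFFFFFF;
		fid->parent_i_gen = parent->i_generation;
		type = FILEID_FAT_WITH_PARENT;
		*lenp = FAT_FID_SIZE_WITH_PARENT;
	}

	return type;
}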
/*
 * fat_fh_to_dentry - exportfs .fh_to_dentry for the default handle format
 *
 * Handles are the generic inode-number/generation kind, so decoding is left
 * to generic_fh_to_dentry() with fat_nfs_get_inode() as the inode finder.
 * The resulting dentry may or may not be connected to the filesystem root.
 */
static struct dentry *fat_fh_to_dentry(struct super_block *sb, struct fid *fid,
				       int fh_len, int fh_type)
{
	struct dentry *result;

	result = generic_fh_to_dentry(sb, fid, fh_len, fh_type,
				      fat_nfs_get_inode);
	return result;
}
/*
 * fat_fh_to_dentry_nostale - exportfs .fh_to_dentry for struct fat_fid handles
 * @sb:      the FAT superblock
 * @fh:      raw handle words from the client
 * @fh_len:  handle length in u32 words
 * @fh_type: FILEID_FAT_WITHOUT_PARENT or FILEID_FAT_WITH_PARENT
 *
 * Rejects unknown handle types and handles shorter than their type requires
 * (returning NULL), then reassembles the 48-bit i_pos from the handle and
 * resolves it with __fat_nfs_get_inode() (generation-checked, with an
 * on-disk fallback).  The inode -- possibly NULL -- is passed to
 * d_obtain_alias(), which is expected to return an error pointer rather than
 * NULL for a missing inode (VFS behaviour, not visible here).
 *
 * NOTE(review): the decoded i_pos is client-controlled and is not
 * range-checked anywhere in this file before it is used to locate a
 * directory entry on disk -- confirm the lower-level helpers bound it.
 */
static struct dentry *fat_fh_to_dentry_nostale(struct super_block *sb,
					       struct fid *fh, int fh_len,
					       int fh_type)
{
	struct fat_fid *fid = (struct fat_fid *)fh;
	struct inode *inode;
	loff_t i_pos;

	if (fh_type == FILEID_FAT_WITHOUT_PARENT) {
		if (fh_len < FAT_FID_SIZE_WITHOUT_PARENT)
			return NULL;
	} else if (fh_type == FILEID_FAT_WITH_PARENT) {
		if (fh_len < FAT_FID_SIZE_WITH_PARENT)
			return NULL;
	} else {
		return NULL;
	}

	/* Rebuild the 48-bit entry position: hi in bits 32..47, low below. */
	i_pos = ((loff_t)fid->i_pos_hi << 32) | fid->i_pos_low;
	inode = __fat_nfs_get_inode(sb, 0, fid->i_gen, i_pos);

	return d_obtain_alias(inode);
}
/*
 * fat_fh_to_parent - exportfs .fh_to_parent for the default handle format
 *
 * Requires a handle that also carries the parent's inode number and
 * generation; generic_fh_to_parent() does the decoding and uses
 * fat_nfs_get_inode() to find the parent inode.
 */
static struct dentry *fat_fh_to_parent(struct super_block *sb, struct fid *fid,
				       int fh_len, int fh_type)
{
	struct dentry *parent;

	parent = generic_fh_to_parent(sb, fid, fh_len, fh_type,
				      fat_nfs_get_inode);
	return parent;
}
/*
 * fat_fh_to_parent_nostale - exportfs .fh_to_parent for struct fat_fid handles
 * @sb:      the FAT superblock
 * @fh:      raw handle words from the client
 * @fh_len:  handle length in u32 words
 * @fh_type: handle type; only FILEID_FAT_WITH_PARENT carries parent data
 *
 * A handle shorter than the with-parent layout is refused with NULL.  For a
 * FILEID_FAT_WITH_PARENT handle the parent's 48-bit i_pos and generation are
 * decoded and resolved through __fat_nfs_get_inode(); any other type leaves
 * the parent inode NULL.  Either way the result goes to d_obtain_alias(),
 * which is expected to yield an error pointer for a NULL inode (VFS
 * behaviour, not visible here).
 */
static struct dentry *fat_fh_to_parent_nostale(struct super_block *sb,
					       struct fid *fh, int fh_len,
					       int fh_type)
{
	struct fat_fid *fid = (struct fat_fid *)fh;
	struct inode *parent = NULL;

	/* Parent information only exists in the 5-word handle. */
	if (fh_len < FAT_FID_SIZE_WITH_PARENT)
		return NULL;

	if (fh_type == FILEID_FAT_WITH_PARENT) {
		loff_t parent_pos = fid->parent_i_pos_hi;

		parent_pos = (parent_pos << 32) | fid->parent_i_pos_low;
		parent = __fat_nfs_get_inode(sb, 0, fid->parent_i_gen,
					     parent_pos);
	}

	return d_obtain_alias(parent);
}
/*
 * fat_rebuild_parent - construct the parent inode of a disconnected directory
 * @sb:              the FAT superblock
 * @parent_logstart: first cluster of the parent directory (taken from the
 *                   child's ".." entry by the caller)
 *
 * Used in nostale mode when fat_dget() found no in-core inode for the
 * parent.  The parent's first cluster is read from disk and its first two
 * entries are taken to be "." (giving the cluster to match) and ".."
 * (giving the grandparent's cluster) -- no name check is made.  A
 * grandparent inode is fetched from the directory cache or, failing that, a
 * throw-away one is built from the ".." entry (i_pos = -1, not inserted in
 * the inode hash here) just so fat_scan_logstart() can walk it and find the
 * parent's own directory entry, from which the real parent inode is built.
 * Returns a referenced parent inode, or NULL if the cluster could not be
 * read, no grandparent inode could be obtained, or the scan found nothing.
 *
 * NOTE(review): @parent_logstart and the two start clusters read from the
 * cluster come from on-disk data and are not range-checked in this file; an
 * sb_bread() failure is the only guard visible here, and the return value
 * of fat_fill_inode() is ignored.  Confirm the helpers tolerate a corrupt
 * image.
 */
static
struct inode *fat_rebuild_parent(struct super_block *sb, int parent_logstart)
{
	struct msdos_sb_info *sbi = MSDOS_SB(sb);
	sector_t first_blk = fat_clus_to_blknr(sbi, parent_logstart);
	struct buffer_head *bh = sb_bread(sb, first_blk);
	struct msdos_dir_entry *entries;
	struct inode *grand;
	struct inode *parent = NULL;
	struct fat_slot_info slot;
	int self_clus, grand_clus;

	if (!bh) {
		fat_msg(sb, KERN_ERR,
			"unable to read cluster of parent directory");
		return NULL;
	}

	entries = (struct msdos_dir_entry *) bh->b_data;
	self_clus = fat_get_start(sbi, &entries[0]);	/* "." entry */
	grand_clus = fat_get_start(sbi, &entries[1]);	/* ".." entry */

	grand = fat_dget(sb, grand_clus);
	if (!grand) {
		/* Not in core: fake a private grandparent inode to scan. */
		grand = new_inode(sb);
		if (!grand) {
			brelse(bh);
			return NULL;
		}
		grand->i_ino = iunique(sb, MSDOS_ROOT_INO);
		fat_fill_inode(grand, &entries[1]);
		MSDOS_I(grand)->i_pos = -1;
	}

	/* Find the parent's own entry inside the grandparent directory. */
	if (!fat_scan_logstart(grand, self_clus, &slot))
		parent = fat_build_inode(sb, slot.de, slot.i_pos);

	brelse(bh);
	iput(grand);

	return parent;
}
/*
 * fat_get_parent - exportfs .get_parent: locate the parent of a directory
 * @child_dir: dentry of a directory not currently connected to the root
 *
 * Reads the child's ".." entry to learn the parent's start cluster and looks
 * that up among the in-core directory inodes.  In nostale mode a miss is
 * resolved by rebuilding the parent from disk (fat_rebuild_parent()); in the
 * default mode a miss is final.  The inode (possibly NULL) is handed to
 * d_obtain_alias(), which returns a dentry or an error pointer.
 *
 * On entry, the caller holds d_inode(child_dir)->i_mutex.
 */
static struct dentry *fat_get_parent(struct dentry *child_dir)
{
	struct super_block *sb = child_dir->d_sb;
	struct msdos_sb_info *sbi = MSDOS_SB(sb);
	struct buffer_head *dotdot_bh = NULL;
	struct msdos_dir_entry *dotdot;
	struct inode *parent = NULL;

	if (fat_get_dotdot_entry(d_inode(child_dir), &dotdot_bh, &dotdot) == 0) {
		int start = fat_get_start(sbi, dotdot);

		parent = fat_dget(sb, start);
		if (!parent && sbi->options.nfs == FAT_NFS_NOSTALE_RO)
			parent = fat_rebuild_parent(sb, start);
	}
	brelse(dotdot_bh);

	return d_obtain_alias(parent);
}
/*
 * Default export operations.  No .encode_fh is supplied, so handles are
 * presumably produced by exportfs's default (inode number + generation)
 * encoder and decoded here via the generic_fh_to_* helpers.  Which table a
 * mount uses is decided elsewhere (the nfs= mount option, judging by
 * options.nfs above).
 */
const struct export_operations fat_export_ops = {
	.fh_to_dentry = fat_fh_to_dentry,
	.fh_to_parent = fat_fh_to_parent,
	.get_parent = fat_get_parent,
};

/*
 * "nostale-ro" export operations.  Handles are struct fat_fid, keyed by the
 * on-disk directory-entry position, so an inode that is no longer in core
 * can be rebuilt from disk (see __fat_nfs_get_inode()) instead of the
 * handle going stale.
 */
const struct export_operations fat_export_ops_nostale = {
	.encode_fh = fat_encode_fh_nostale,
	.fh_to_dentry = fat_fh_to_dentry_nostale,
	.fh_to_parent = fat_fh_to_parent_nostale,
	.get_parent = fat_get_parent,
};