Re: XFS Bug null pointer dereference in xfs_free_ag_extent

[Nathan Scott <nathans@xxxxxxx>]

On Tue, Aug 01, 2006 at 10:12:14AM +0200, Jan Dittmer wrote:
> Joe Jin schrieb:
> >  From the information, I think it caused by (args.agbp == NULL).
> > get rid of, we'll find the call trace should panic:
> > xfs_free_extent
> > |_   xfs_free_ag_extent  => here args.agbp= NULL;
> >         |_ xfs_btree_init_cursor()
> >               |_ agf = XFS_BUF_TO_AGF(agbp);  => (xfs_agf_t 
> > *)XFS_BUF_PTR(arbp)
> >                              |_ (xfs_caddr_t)((agbp)->b_addr) : but 
> > here, agbp is NULL
> > so it caused the oops.
> > Non debug option, and the oops occured at xfs_btree_init_cursor().
> > 
> 
> Probably caused by this part of the diff from Nathan's earlier mail:

*nod* - that is my suspicion, be great if you guys with the
reproducible case could confirm/deny.. (assuming this is the
case we're hitting, you can also try changing the assignment
to NULL there to instead be "agbp", and see if that corrects
things for you once more).

> --- fs/xfs/xfs_alloc.c
> +++ fs/xfs/xfs_alloc.c
> 
> @@ -1951,8 +1951,14 @@ xfs_alloc_fix_freelist(
>                * the restrictions correctly.  Can happen for free calls
>                * on a completely full ag.
>                */
> -             if (targs.agbno == NULLAGBLOCK)
> +             if (targs.agbno == NULLAGBLOCK) {
> +                     if (!(flags & XFS_ALLOC_FLAG_FREEING)) {
> +                             xfs_trans_brelse(tp, agflbp);
> +                             args->agbp = NULL;
> +                             return 0;
> +                     }
>                       break;
> +             }

cheers.

-- 
Nathan