Bug 439917 - kernel: splice: fix bad unlock_page() in error case [rhel-5.3]
Summary: kernel: splice: fix bad unlock_page() in error case [rhel-5.3]
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.3
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Larry Woodman
QA Contact: Martin Jenner
Depends On:
Blocks: CVE-2008-4302
TreeView+ depends on / blocked
Reported: 2008-03-31 23:12 UTC by Greg Marsden
Modified: 2011-12-21 12:28 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-01-20 19:58:34 UTC
Target Upstream Version:

Attachments (Terms of Use)
patch to unlock_page (1.06 KB, patch)
2008-03-31 23:12 UTC, Greg Marsden
no flags Details | Diff
job file to reproduce the crash (732 bytes, text/plain)
2008-07-10 18:24 UTC, Jeff Moyer
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0225 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 5.3 kernel security and bug fix update 2009-01-20 16:06:24 UTC

Description Greg Marsden 2008-03-31 23:12:29 UTC
Description of problem:

@ Linux ca-ostest184.us.oracle.com 2.6.18- #1 SMP Tue Jun 5
23:05:00 EDT 2007 i686 i686 i386 GNU/Linux
------------[ cut here ]------------
kernel BUG at mm/filemap.c:553!
invalid opcode: 0000 [#1]
last sysfs file: /block/sda/stat
Modules linked in: netconsole autofs4 hidp nfs lockd fscache nfs_acl rfcomm
l2cap bluetooth sunrpc ib_iser rdma_cm ib_addr i
@ b_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi scsi_transport_iscsi dm_mirror
dm_multipath dm_mod video sbs i2c_ec button batt
ery asus_acpi ac ipv6 parport_pc lp parport i2c_piix4 i2c_core sg cfi_probe
gen_probe scb2_flash ide_cd floppy cdrom mtdcore
@  serio_raw pcspkr chipreg e1000 tg3 aic7xxx scsi_transport_spi sd_mod
@ scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
CPU:    0
EIP:    0060:[<c044f8c6>]    Not tainted VLI
EFLAGS: 00010246   (2.6.18- #1)
EIP is at unlock_page+0xe/0x27
eax: 00000000   ebx: c28109c0   ecx: c066ab00   edx: c066ab8c
esi: f4d08540   edi: 000200d2   ebp: c28109c0   esp: f33dfed4
ds: 007b   es: 007b   ss: 0068
Process fio (pid: 3771, ti=f33df000 task=f33cc000 task.ti=f33df000)
Stack: ffffffef c048baad f33dff24 f4d08540 f4d08400 fffb4000 f3725b00
       000200d2 00000000 00001000 00001d01 00001000 00001000 f4d08540
       00001000 c048af49 00000001 c066cdd8 00001000 00001000 00000000
Call Trace:
 [<c048baad>] pipe_to_file+0x34a/0x354
 [<c048af49>] splice_from_pipe+0x7a/0x1ef
 [<c048b2e9>] generic_file_splice_write+0x28/0x88
 [<c048b763>] pipe_to_file+0x0/0x354
 [<c048ae9f>] do_splice_from+0x50/0x57
 [<c048bf7a>] sys_splice+0xe9/0x1d8
 [<c0403eff>] syscall_call+0x7/0xb

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
io stress tests against ext3

Comment 1 Greg Marsden 2008-03-31 23:12:29 UTC
Created attachment 299787 [details]
patch to unlock_page

Comment 2 RHEL Program Management 2008-06-06 15:44:48 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 5 Jeff Moyer 2008-07-10 18:24:31 UTC
Created attachment 311502 [details]
job file to reproduce the crash

To run:

mkdir /tmp/fio
while true; do fio dio-breaker; done

It runs for a few iterations before crashing for me.

Comment 6 Don Zickus 2008-07-16 15:47:16 UTC
in kernel-2.6.18-97.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Comment 11 Chris Ward 2008-11-14 13:23:33 UTC
Oracle, a fix for this bug should be available for testing in the RHEL 5.3 Beta release. You can download these bits from RHN.

Please take a moment to verify that the fix is present and functioning as expected and report back your test results as soon as  possible. Thanks! Please ping your Red Hat Partner Manager with any additional questions.

Comment 15 Mark J. Cox 2009-01-16 11:31:08 UTC
Removing the CVE name from the synopsis; this is because we have already fixed this issue for Red Hat Enterprise Linux 5 users via an asynchronous security advisory.  This bug serves as a placeholder to ensure that the bug was also fixed and tested in the upcoming 5.3 kernel.

Comment 16 errata-xmlrpc 2009-01-20 19:58:34 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.