Description of problem: To avoid exposing ourselves to the risk of finding another field like .map_bh.b_state where we rely on zeroing but don't enforce it in the code. The fix uses kzalloc to zero the whole struct dio rather than manually trying to track which fields we rely on being zero. Reference: http://lkml.org/lkml/2007/7/26/88
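The pattern behind that fix, as an added userspace model that is not the kernel's code from fs/direct-io.c (the struct layout, the BH_MAPPED stand-in and the recycled-slab helper are simplified assumptions): zeroing the fields someone remembered leaves a stale map_bh.b_state behind, while zeroing the whole object cannot miss one.

```c
/* Added illustration, not kernel code: kmalloc() plus hand-zeroed fields
 * versus kzalloc() for struct dio. Names and layout are simplified. */
#include <string.h>
#include <stdbool.h>

#define BH_MAPPED (1UL << 0)   /* stand-in for the kernel's BH_Mapped bit */

struct buffer_head { unsigned long b_state; unsigned long b_blocknr; };

struct dio {
    int rw;
    int is_async;
    struct buffer_head map_bh; /* the field the original bug forgot to zero */
};

/* Model of a slab cache handing back a recycled object: the memory still
 * holds whatever the previous user left in it (constructed stale state). */
static struct dio recycled_slab;

static struct dio *slab_get_recycled(void)
{
    recycled_slab.map_bh.b_state = BH_MAPPED; /* stale bit from an earlier I/O */
    recycled_slab.map_bh.b_blocknr = 12345;
    return &recycled_slab;
}

/* Old pattern: kmalloc() and zero only the fields someone remembered. */
struct dio *dio_alloc_kmalloc_style(void)
{
    struct dio *dio = slab_get_recycled();
    dio->rw = 0;
    dio->is_async = 0;          /* map_bh.b_state is forgotten */
    return dio;
}

/* Fixed pattern: kzalloc() zeroes the whole struct, nothing to forget. */
struct dio *dio_alloc_kzalloc_style(void)
{
    struct dio *dio = slab_get_recycled();
    memset(dio, 0, sizeof(*dio)); /* what kzalloc() guarantees */
    return dio;
}

/* Mirrors the check that decides whether a block mapping is already valid:
 * a stale BH_MAPPED makes the caller trust a mapping it never obtained. */
bool dio_trusts_stale_mapping(const struct dio *dio)
{
    return (dio->map_bh.b_state & BH_MAPPED) != 0;
}
```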
Proposed upstream patch: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=848c4dd5153c7a0de55470ce99a8e13a63b4703f
Created attachment 315715: Upstream patch for this issue
Reproducer: http://freshmeat.net/projects/fio/ http://lkml.org/lkml/2007/7/30/448
Created attachment 315718: jobfile for reproducer
When I try to reproduce the bug on 2.6.18-92.1.10.el5, I get a kernel panic. On 2.6.18-92.1.13 the same happens. The steps are as follows:
1. Download fio-1.21.tar.bz2 from http://freshmeat.net/projects/fio/ and extract the file to the /root/kzhang/fio directory.
2. make & make install
3. Download the jobfile from https://bugzilla.redhat.com/attachment.cgi?id=315718
4. Change the directory=/root/kzhang/fio
5. ./fio jobfile
The system kernel panics; following is the backtrace.

Kernel BUG at mm/filemap.c:553
invalid opcode: 0000 [1] SMP
last sysfs file: /block/dm-0/stat
CPU 7
Modules linked in: autofs4 hidp rfcomm l2cap bluetooth sunrpc ipv6 xfrm_nalgo crypto_api cpufreq_ondemand acpi_cpufreq dm_multipath video sbs backlight i2c_ec i2c_core button battery asus_acpi acpi_memhotplug ac parport_pc lp parport joydev sr_mod sg bnx2 floppy serio_raw pcspkr ide_cd i5000_edac cdrom edac_mc shpchp dm_snapshot dm_zero dm_mirror dm_mod usb_storage ata_piix libata megaraid_sas sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 6447, comm: fio Not tainted 2.6.18-92.1.13.el5 #1
RIP: 0010:[<ffffffff80017c4a>] [<ffffffff80017c4a>] unlock_page+0xf/0x2f
RSP: 0018:ffff810052605e18 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff810000e32cf8 RCX: 0000000000000000
RDX: ffff810001918cf8 RSI: ffff81007fe1c550 RDI: ffff810000e32cf8
RBP: 00000000ffffffef R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff81004f64e0e0
R13: 0000000000000000 R14: 0000000000001000 R15: ffff81005eec7220
FS: 00002b8a136f20f0(0000) GS:ffff81007fe1c3c0(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000003d846d3020 CR3: 0000000051e6b000 CR4: 00000000000006e0
Process fio (pid: 6447, threadinfo ffff810052604000, task ffff810051f330c0)
Stack: ffff810000e32cf8 ffffffff800ec7cb ffff810052605e98 ffff81004f64e000
 ffff81007823ecc0 00000000000200d2 0000000000000010 ffff81004f64e0e0
 ffff81004f64e000 0000000000000000 0000000000000000 ffffffff802f66a0
Call Trace:
 [<ffffffff800ec7cb>] pipe_to_file+0x31d/0x32e
 [<ffffffff800ebc88>] splice_from_pipe+0x89/0x21a
 [<ffffffff800ec4ae>] pipe_to_file+0x0/0x32e
 [<ffffffff800ec04b>] generic_file_splice_write+0x21/0x8a
 [<ffffffff800ecd59>] sys_splice+0x119/0x238
 [<ffffffff8005d28d>] tracesys+0xd5/0xe0
Code: 0f 0b 68 97 3d 29 80 c2 29 02 48 89 df e8 b3 29 00 00 48 89
RIP [<ffffffff80017c4a>] unlock_page+0xf/0x2f
 RSP <ffff810052605e18>
<0>Kernel panic - not syncing: Fatal exception
This was addressed via: Red Hat Enterprise Linux version 5 (RHSA-2008:0885) Red Hat Enterprise Linux version 4 (RHSA-2008:0972)