[Unionfs] Oops when inserting rw branch with unionfs on root filesystem
Erez Zadok
ezk at cs.sunysb.edu
Tue Mar 25 17:50:41 EDT 2008
In message <47CD25AA.9080307 at expires-20080606.gate.mooo.com>, Klaus Fuerstberger writes:
> Hi,
>
> I have a unionfs root filesystem. Sometimes I want to sync the unionfs
> changes in ram back to the CF card. This is done with rsync and is no
> problem. But now I want to free the used ram of the unionfs. Mostly it
> works, if I simply delete the /ram/changes/*, but sometimes the system
> freezes.
> Now I thought it would be the cleanest to insert another leftmost
> read-write branch at highest priority and delete the old read-write
> branch with the used memory. This resulted in the crash below.
> Is there any clean method, beside a reboot, to free the used memory of
> the union after the rsync?
>
> ### This is what I tried and what caused the Oops:
> mount -t unionfs -o remount,incgen none /
> mount -t ext3 -o remount,rw /dev/hda1 /ram/rootfs
> # Synchronize the changes to the CF-Card
> rsync -av --exclude=/tmp/ --exclude=/ram/ --exclude=/proc/ --exclude=/sys/ --exclude=/dev/ --delete / /ram/rootfs/
> # Try to free the used memory in /rootfs/changes by inserting a leftmost RW branch and deleting the old RW branch
> mkdir /ram/changes2
> mount -t unionfs -o remount,add=/ram/changes2=rw none /
> ..............Oops...............
>
> # The initramfs script
> ### /usr/share/initramfs-tools/scripts/union
> mountroot()
> {
> RAM=/ram
> ROOTFS=$RAM/rootfs
> CHANGES=$RAM/changes
>
> mkdir $RAM
> mount -t tmpfs -o size=90% tmpfs $RAM
> mkdir $ROOTFS
> mkdir $CHANGES
> mount -r -t ext3 /dev/hda1 $ROOTFS
> mount -t unionfs -o dirs=$CHANGES=rw:$ROOTFS=ro unionfs ${rootmnt}
>
> # Make the overlay accessible
> mkdir ${rootmnt}$RAM 2>/dev/null
> mount -o move $RAM ${rootmnt}$RAM
> }
> ###############################
>
> ### /etc/fstab
> proc /proc proc defaults 0 0
> none / unionfs dirs=/ram/changes=rw:/=ro 0 0
> ###############################
>
> ### Oops
> BUG: unable to handle kernel NULL pointer dereference at virtual address 00000060
> printing eip: d0827646 *pde = 00000000
> Oops: 0000 [#1]
> Modules linked in: ipv6 dm_snapshot dm_mirror dm_mod leds_alix led_class
> xt_mac xt_limit ips
>
> Pid: 1816, comm: mount Not tainted (2.6.24.2-alix #3)
> EIP: 0060:[<d0827646>] EFLAGS: 00010206 CPU: 0
> EIP is at unionfs_remount_fs+0x4be/0x748 [unionfs]
> EAX: 00000060 EBX: 00000003 ECX: 00000002 EDX: cf6da6c0
> ESI: ce556400 EDI: cf7bf004 EBP: ce6ecce0 ESP: cec55db0
> DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> Process mount (pid: 1816, ti=cec54000 task=ce5ed030 task.ti=cec54000)
> Stack: ce74a6e0 cec55df4 00000002 cec55df4 cec55e10 ce556400 cf4ab620 ce6ecce0
>        00000002 cf4ab620 cf4ab620 ce74a6e0 ce74a6e0 00000000 ffffffff 7fffffff
>        00000000 00000002 00000000 d0833de8 ce556400 cf7bf000 00000000 c0153337
> Call Trace:
> [<c0153337>] do_remount_sb+0xc2/0xe9
> [<c0163539>] do_mount+0x193/0x5e5
> [<c0129d7c>] update_wall_time+0x540/0x6ae
> [<c0114ee0>] update_curr+0x52/0xc8
> [<c01283ef>] hrtimer_run_queues+0x12/0x133
> [<c011e8b0>] run_timer_softirq+0x12/0x141
> [<c012bd73>] tick_handle_periodic+0xf/0x54
> [<c011c038>] tasklet_action+0x32/0x52
> [<c011bfa0>] __do_softirq+0x35/0x75
> [<c0105b9c>] do_IRQ+0x58/0x6b
> [<c013dcfd>] __alloc_pages+0x5d/0x2d4
> [<c0104553>] common_interrupt+0x23/0x28
> [<c01625ca>] copy_mount_options+0xa3/0x10d
> [<c01639fd>] sys_mount+0x72/0xa9
> [<c0103baa>] syscall_call+0x7/0xb
> =======================
> Code: d2 eb 12 8b 4c 24 24 89 d0 c1 e0 04 8b 04 08 83 c0 60 ff 00 42 39
> da 7c ea 31 c9 eb 1
> EIP: [<d0827646>] unionfs_remount_fs+0x4be/0x748 [unionfs] SS:ESP 0068:cec55db0
> ---[ end trace a38d4d4b3dc9a968 ]---
> WARNING: at kernel/exit.c:917 do_exit()
> Pid: 1816, comm: mount Tainted: G D 2.6.24.2-alix #3
> [<c011ab0c>] do_exit+0x48/0x5ed
> [<c0118ee9>] printk+0x1b/0x1f
> [<c0104d9b>] die+0x1b1/0x1b9
> [<c011408e>] do_page_fault+0x43c/0x51a
> [<c0113c52>] do_page_fault+0x0/0x51a
> [<c02a0f9a>] error_code+0x6a/0x70
> [<d0827646>] unionfs_remount_fs+0x4be/0x748 [unionfs]
> [<c0153337>] do_remount_sb+0xc2/0xe9
> [<c0163539>] do_mount+0x193/0x5e5
> [<c0129d7c>] update_wall_time+0x540/0x6ae
> [<c0114ee0>] update_curr+0x52/0xc8
> [<c01283ef>] hrtimer_run_queues+0x12/0x133
> [<c011e8b0>] run_timer_softirq+0x12/0x141
> [<c012bd73>] tick_handle_periodic+0xf/0x54
> [<c011c038>] tasklet_action+0x32/0x52
> [<c011bfa0>] __do_softirq+0x35/0x75
> [<c0105b9c>] do_IRQ+0x58/0x6b
> [<c013dcfd>] __alloc_pages+0x5d/0x2d4
> [<c0104553>] common_interrupt+0x23/0x28
> [<c01625ca>] copy_mount_options+0xa3/0x10d
> [<c01639fd>] sys_mount+0x72/0xa9
> [<c0103baa>] syscall_call+0x7/0xb
> ###############################
>
> Bye,
> Klaus
Klaus, life is ironic. Less than an hour after releasing unionfs-2.3, I've
quite by accident discovered this bug, and fixed it. I also believe that
this affected other people (e.g., Dave Miller). The oops stack trace I've
seen for the bug is identical to yours (with unionfs_remount_fs in the mix).
Patch below.
And now I'll have to release 2.3.1 rsn...
Enjoy,
Erez.
diff --git a/fs/unionfs/super.c b/fs/unionfs/super.c
index e5cb235..4cddc83 100644
--- a/fs/unionfs/super.c
+++ b/fs/unionfs/super.c
@@ -755,7 +755,7 @@ out_no_change:
/* grab new lower super references; release old ones */
for (i = 0; i < new_branches; i++)
atomic_inc(&new_data[i].sb->s_active);
- for (i = 0; i < new_branches; i++)
+ for (i = 0; i < sbmax(sb); i++)
atomic_dec(&UNIONFS_SB(sb)->data[i].sb->s_active);
/* copy new vectors into their correct place */
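Review bot: The corrected bound in "for (i = 0; i < sbmax(sb); i++)" depends on sbmax(sb) still reporting the old branch count when this loop runs, and nothing in the hunk documents that. The decrement walks UNIONFS_SB(sb)->data[], the old array, while the increment loop just above walks new_data[] up to new_branches, so the two bounds differ whenever a remount adds or removes a branch. Consider caching the old count in a local before this block (for example old_branches, a hypothetical name), or adding a one-line comment that this loop must run before the new vectors are copied into place, so that a later reordering does not reintroduce the mismatch.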