Kernel Bug-Vulnerability-Comment library

sisi8408

1. 
   
2. static void balance_leaf_shift_left(struct tree_balance *tb,
   
3.                                         struct item_head *ih,
   
4.                                         const char *body,
   
5.                                         int flag,
   
6.                                         int *p_pos_in_item,
   
7.                                         int *p_item_pos,
   
8.                                         int *p_zeros_num);
   
9. 
   
10. static void balance_leaf_shift_right(struct tree_balance *tb,
    
11.                                         struct item_head *ih,
    
12.                                         const char *body,
    
13.                                         int flag,
    
14.                                         int *p_pos_in_item,
    
15.                                         int *p_item_pos,
    
16.                                         int *p_zeros_num);
    
17. 
    
18. static void balance_leaf_do_split(struct tree_balance *tb,
    
19.                                 struct item_head *ih,
    
20.                                 const char *body,
    
21.                                 int flag,
    
22.                                 struct item_head *insert_key,
    
23.                                 struct buffer_head **insert_ptr,
    
24.                                 int *p_pos_in_item,
    
25.                                 int *p_item_pos,
    
26.                                 int *p_zeros_num);
    
27. 
    
28. static void balance_leaf_do_remain(struct tree_balance *tb,
    
29.                                 struct item_head *ih,
    
30.                                 const char *body,
    
31.                                 int flag,
    
32.                                 struct item_head *insert_key,
    
33.                                 struct buffer_head **insert_ptr,
    
34.                                 int *p_pos_in_item,
    
35.                                 int *p_item_pos,
    
36.                                 int *p_zeros_num);
    
37. 
    
38. 
    
39. static int balance_leaf(struct tree_balance *tb,
    
40.                         struct item_head *ih,
    
41.                         const char *body,
    
42.                         int flag,
    
43.                         struct item_head *insert_key,
    
44.                         struct buffer_head **insert_ptr)
    
45. {
    
46.         int pos_in_item = tb->tb_path->pos_in_item;
    
47.         int item_pos = PATH_LAST_POSITION(tb->tb_path);
    
48.        
    
49.         PROC_INFO_INC(tb->tb_sb, balance_at[0]);
    
50. 
    
51.         if (tb->insert_size[0] < 0)
    
52.                 return balance_leaf_when_delete(tb, flag);
    
53. 
    
54.         if (flag != M_INSERT &&
    
55.             is_indirect_le_ih(B_N_PITEM_HEAD(tbS0, item_pos)))
    
56.                 pos_in_item *= UNFM_P_SIZE;
    
57. 
    
58.         if (tb->lnum[0] > 0) /* shift left */
    
59.                 balance_leaf_shift_left(tb, ih, body, flag,
    
60.                                         /*insert_key, insert_ptr,*/
    
61.                                         &pos_in_item, &item_pos,
    
62.                                         &zeros_num);
    
63.         /* compute new item position */
    
64.         item_pos -= (tb->lnum[0] - ((tb->lbytes != -1) ? 1 : 0));
    
65. 
    
66.         if (tb->rnum[0] > 0) /* shift right */
    
67.                 balance_leaf_shift_right(tb, ih, body, flag,
    
68.                                         /*insert_key, insert_ptr,*/
    
69.                                         &pos_in_item, &item_pos,
    
70.                                         &zeros_num);
    
71.         /* 2008-2-17 10:00
    
72.          * after shift, check sInum or do split.
    
73.          */
    
74.         if (tb->blknum[0] == 0) {        /* node S[0] is empty now */
    
75.                 RFALSE(!tb->lnum[0] || !tb->rnum[0],
    
76.                        "PAP-12190: lnum and rnum must not be zero");
    
77.                 /* if insertion was done before 0-th position in R[0], right
    
78.                    delimiting key of the tb->L[0]'s and left delimiting key are
    
79.                    not set correctly */
    
80.                 if (tb->CFL[0]) {
    
81.                         if (!tb->CFR[0])
    
82.                                 reiserfs_panic(tb->tb_sb,
    
83.                                        "vs-12195: balance_leaf: CFR not initialized");
    
84.                         copy_key(B_N_PDELIM_KEY(tb->CFL[0], tb->lkey[0]),
    
85.                                  B_N_PDELIM_KEY(tb->CFR[0], tb->rkey[0]));
    
86. 
    
87.                         do_balance_mark_internal_dirty(tb, tb->CFL[0], 0);
    
88.                 }
    
89.                 reiserfs_invalidate_buffer(tb, tbS0);
    
90.                 return 0;
    
91.         }
    
92.         /* do SInum, where I = 1, 2 */       
    
93.         balance_leaf_do_split(tb, ih, body, flag,
    
94.                                 insert_key, insert_ptr,
    
95.                                 &pos_in_item, &item_pos, &zeros_num);
    
96. 
    
97.         /* if the affected item was not wholly shifted,
    
98.          * then we perform all necessary operations on that part
    
99.          * or whole of the affected item which remains in S
    
100.          */
     
101.         if (0 <= item_pos && item_pos < tb->s0num)
     
102.                 balance_leaf_do_remain(tb, ih, body, flag,
     
103.                                         insert_key, insert_ptr,
     
104.                                         &pos_in_item, &item_pos,
     
105.                                         &zeros_num);
     
106. 
     
107. #ifdef CONFIG_REISERFS_CHECK
     
108.         if (flag == M_PASTE && tb->insert_size[0]) {
     
109.                 print_cur_tb("12290");
     
110.                 reiserfs_panic(tb->tb_sb,
     
111.                        "PAP-12290: balance_leaf: insert_size is still not 0 (%d)",
     
112.                        tb->insert_size[0]);
     
113.         }
     
114. #endif
     
115.         return 0;
     
116. } /* Leaf level of the tree is balanced (end of balance_leaf) ,hehe */
     
117. 
     

复制代码

sisi8408

1. 
   
2. /*
   
3. * Key of an item determines its location in the S+tree, and
   
4. * is composed of 4 components
   
5. */
   
6. struct reiserfs_key
   
7. {
   
8.         __le32 k_dir_id; /* packing locality: by default parent directory object id */
   
9.         __le32 k_objectid; /* object identifier */
   
10.         union {
    
11.                 struct offset_v1        k_offset_v1;
    
12.                 struct offset_v2        k_offset_v2;
    
13.         } __attribute__ ((__packed__)) u;
    
14. } __attribute__ ((__packed__));
    
15. 
    
16. #define KEY_SIZE        (sizeof(struct reiserfs_key))
    
17. 
    
18. struct in_core_key
    
19. {
    
20.         __u32 k_dir_id;
    
21.         __u32 k_objectid;
    
22.         __u64 k_offset;
    
23.         __u8  k_type;
    
24. };
    

复制代码

By def, the basic element of Stree, item, maybe understood as two parts:
o node{dir-id, obj-id}, cooresponding to phy disk block,
                        which is, as in the case of ext2,
                        managed in groups by bitmap.

o item-entry{type, off}, due to the fact that inode, one of the hot ideas in FS,
                         is understood by HR, i gas, as a set of SD, DE, IND and DIR,
                         the socalled four types of item.

To locate any item in Stree, i have to first compute the node,
which is in 64-bit space in total, and IOW RFS is able to address 2^64 inodes,
as shown by search_by_key,

1. 
   
2.         while (reada_count < SEARCH_BY_KEY_READA) {
   
3.                 if (pos == limit)
   
4.                         break;
   
5.                                
   
6.                 reada_blocks[reada_count++] = B_N_CHILD_NUM(p_s_bh, pos);
   
7.                                
   
8.                 if (p_s_search_path->reada & PATH_READA_BACK)
   
9.                         pos--;
   
10.                 else
    
11.                         pos++;
    
12.                 /*
    
13.                  * check to make sure we're in the same object
    
14.                  */
    
15.                 le_key = B_N_PDELIM_KEY(p_s_bh, pos);
    
16.                 if (le32_to_cpu(le_key->k_objectid) != p_s_key->on_disk_key.k_objectid)
    
17.                         break;
    
18.         }
    

复制代码

or 2^64 disk blocks, with nothing to do block_sz.

The power of Stree to manage 2^64 inodes is garunteed by the principles of Btree,
i gas, and in certain cases Btree is simple game like,

1. 
   
2. /* linux-2.6.23.12/drivers/net/ppp_generic.c
   
3. *
   
4. * A cardmap represents a mapping from unsigned integers to pointers,
   
5. * and provides a fast "find lowest unused number" operation.
   
6. *
   
7. * It uses a broad (32-way) tree with a bitmap at each level.
   
8. * It is designed to be space-efficient for small numbers of entries
   
9. * and time-efficient for large numbers of entries.
   
10. */
    
11. #define CARDMAP_ORDER        5
    
12. #define CARDMAP_WIDTH        (1U << CARDMAP_ORDER)
    
13. #define CARDMAP_MASK        (CARDMAP_WIDTH - 1)
    
14. 
    
15. struct cardmap
    
16. {
    
17.         int shift;
    
18.         unsigned long inuse;
    
19.         struct cardmap *parent;
    
20.         void *ptr[CARDMAP_WIDTH];
    
21. };
    

复制代码

more funny case, say LC-tries playing game in 32-bit space,
can be checked in linux-2.6.23.12/net/ipv4/fib_trie.c.

As learn in RFS, x-tree may, if defed and played in nice way,
replace hash table in general cases.

What is more, even in the kingdom of a inode, say a regular file,
game is again palyed in 64-bit space,
and in summary RFS addresses in 128-bit space,
though the Stree height is confined to 5.

Unlike ext2, i gas, the ops in Stree is focusing not on inode but upon item,
as shown by,

1. 
   
2.         if (paste_entry_position == 0) {
   
3.                 /* change delimiting keys */
   
4.                 replace_key(tb, tb->CFR[0], tb->rkey[0], tb->R[0], 0);
   
5.         }
   

复制代码

and in general, for a certain inode, or file if u like, if it has N items,
there are, accordingly, N paths in Stree to locate each item,
of cough, certain nodes, at least the root, can be used by multi paths.

Since binary search employed in Stree, key is ordered in 128-bit space,
and it maybe, i gas, the core reason why RFS is faster in reading,
as shown by get_l/rkey functions.

In writing, insert/paste/del/cut, it is hard to understand what HR is playing,
especialy on the leaf level, though fix_node.c is mainly to teach do_balance.c
what to do upon shifting and packing.

[ 本帖最后由 sisi8408 于 2008-2-17 19:29 编辑 ]

sisi8408

1. 
   
2. int search_for_position_by_key(struct super_block *p_s_sb,
   
3.                            const struct cpu_key *p_cpu_key,
   
4.                            struct treepath *p_s_search_path)
   
5. {
   
6. [...]
   
7.         /* Item not found.
   
8.          * Set path to the previous item.
   
9.          */
   
10.         p_le_ih = B_N_PITEM_HEAD(PATH_PLAST_BUFFER(p_s_search_path),
    
11.                                  --PATH_LAST_POSITION(p_s_search_path));
    
12.         /*
    
13.          *
    
14.         if (comp_short_keys(&(p_le_ih->ih_key), p_cpu_key))
    
15.                 return FILE_NOT_FOUND;
    
16. 
    
17.         //still same inode
    
18.         //2.6.23.12
    
19.         //
    
20.         n_blk_size = p_s_sb->s_blocksize;
    
21.          *
    
22.          */
    
23.         n_blk_size = p_s_sb->s_blocksize;
    
24. 
    
25.         if (comp_short_keys(&(p_le_ih->ih_key), p_cpu_key))
    
26.                 return FILE_NOT_FOUND;
    
27. [...]
    
28. }
    

复制代码

sisi8408

1. 
   
2. int reiserfs_delete_item(struct reiserfs_transaction_handle *th,
   
3.                          struct treepath *p_s_path,        /* Path to the deleted item. */
   
4.                          const struct cpu_key *p_s_item_key,        /* Key to search for the deleted item.  */
   
5.                          struct inode *p_s_inode,        /* inode is here just to update i_blocks and quotas */
   
6.                          struct buffer_head *p_s_un_bh) /* NULL or unformatted node pointer.    */
   
7. {
   
8.         struct super_block *p_s_sb = p_s_inode->i_sb;
   
9.         struct tree_balance s_del_balance;
   
10.         struct item_head s_ih;
    
11.         struct item_head *q_ih;
    
12.         int quota_cut_bytes;
    
13.         int n_ret_value, n_del_size, n_removed;
    
14. 
    
15. #ifdef CONFIG_REISERFS_CHECK
    
16.         char c_mode;
    
17.         int n_iter = 0;
    
18. #endif
    
19. 
    
20.         BUG_ON(!th->t_trans_id);
    
21. 
    
22.         init_tb_struct(th, &s_del_balance, p_s_sb, p_s_path,
    
23.                        0 /*size is unknown */);
    
24.         while(1) {
    
25.                 n_removed = 0;
    
26. 
    
27. #ifdef CONFIG_REISERFS_CHECK
    
28.                 n_iter++;
    
29.                 c_mode =
    
30. #endif
    
31.                 prepare_for_delete_or_cut(th, p_s_inode, p_s_path,
    
32.                                               p_s_item_key, &n_removed,
    
33.                                               &n_del_size,
    
34.                                               max_reiserfs_offset(p_s_inode));
    
35.                 /* 2.6.23.12
    
36.                  * 2008-2-18 20:22
    
37.                  * RFALSE is potential BUG
    
38.                  */
    
39.                 RFALSE(c_mode != M_DELETE, "PAP-5320: mode must be M_DELETE");
    
40. [...]
    
41. }
    

复制代码

sisi8408

1. 
   
2. void reiserfs_release_objectid(struct reiserfs_transaction_handle *th,
   
3.                                __u32 objectid_to_release)
   
4. {
   
5. [...]
   
6.                         if (sb_oid_cursize(rs) == sb_oid_maxsize(rs)) {
   
7.                                 /* objectid map must be expanded, but there is no space */
   
8.                                 PROC_INFO_INC(s, leaked_oid);
   
9.                                 /*
   
10. 2008-2-24 16:01 2.6.23.12
    
11. 
    
12.    "The exception is immediately after a sequence
    
13.    of operations which deletes a large number of objects of
    
14.    non-sequential objectids,
    
15.    and even then it will become compact
    
16.    again as soon as more objects are created."
    
17. 
    
18.         map[0] = 1, map[1] = j, map[2] = j +1, ... map[sb_oid_maxsize(rs)] = k
    
19.        
    
20.         then for objid to be released, it is possible that it is not
    
21.         recorded by this small cache, map[], and
    
22.         it will not become compact again as soon as more objects are created,
    
23.         especially in cases that objids to be released are in the range of (1, j).
    
24.                                 */
    
25.                                 return;
    
26.                         }
    
27. [...]
    
28. }
    

复制代码

sisi8408

1. 
   
2. static int tcp_error(struct sk_buff *skb,
   
3.                      unsigned int dataoff,
   
4.                      enum ip_conntrack_info *ctinfo,
   
5.                      int pf,
   
6.                      unsigned int hooknum)
   
7. {
   
8.         struct tcphdr _tcph, *th;
   
9.         unsigned int tcplen = skb->len - dataoff;
   
10.         u_int8_t tcpflags;
    
11. 
    
12.         /* Smaller that minimal TCP header? */
    
13.         th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
    
14.         if (th == NULL) {
    
15.                 if (LOG_INVALID(IPPROTO_TCP))
    
16.                         nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
    
17.                                 "nf_ct_tcp: short packet ");
    
18.                 return -NF_ACCEPT;
    
19.         } /* 2.6.23.12 */
    
20.         else if (th == &_tcph)
    
21.                 return -NF_ACCEPT;
    
22. [...]
    
23. }
    

复制代码

sisi8408

1. 
   
2. void wait_task_inactive (struct task_struct *p)
   
3. {
   
4. [..]
   
5.         /* 2.6.23.12
   
6.          * Ok, time to look more closely!
   
7.          *
   
8.          * We need the rq lock now, to be *sure*.
   
9.          * If we're wrong, we'll just go back and repeat.
   
10.          */
    
11.         rq = task_rq_lock(p, &flags);
    
12.         running = task_running(rq, p);
    
13.         if (unlikely(running)) {
    
14.                 task_rq_unlock(rq, &flags);
    
15.                 cpu_relax();
    
16.                 goto repeat;
    
17.         }
    
18.         on_rq = p->se.on_rq;
    
19.         if (unlikely(on_rq)) {
    
20.                 task_rq_unlock(rq, &flags);
    
21.                 yield();
    
22.                 goto repeat;
    
23.         }
    
24.         task_rq_unlock(rq, &flags);
    
25.         /*
    
26.          * Ahh, all good. It wasn't running, and it wasn't
    
27.          * runnable, which means that it will never become
    
28.          * running in the future either. We're all done!
    
29.          */
    
30. }
    

复制代码

sisi8408

典型的oops shooting过程

1. 
   
2. Hello :)
   
3. 
   
4. My system just crashed because of a power fluctuation and the root
   
5. filesystem was damaged.
   
6. The system booted up just fine, but when samba tried to start up
   
7. the kernel oops'd.
   
8. 
   
9. xfs_repair was apparently able to repair the damage, though I seem
   
10. to have lost some files.
    
11. 
    
12. I do realize that a lot of awful things can happen if you just cut
    
13. the power, but the kernel shouldn't oops on a mounted file
    
14. system, right?
    
15. 
    
16. Please CC me, as I'm not subscribed to the lists.
    
17. 
    
18. 
    
19. Regards
    
20. Thomas
    
21. 
    
22. $ rpm -q xfsprogs
    
23. xfsprogs-2.9.4-4.fc8
    
24. 
    
25. $ uname -a
    
26. Linux linux.local.loc 2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:48:34 EST 2008 i686 i686 i386
    
27. GNU/Linux
    
28. 
    
29. ["xfs_check" (text/plain)]
    
30. 
    
31. block 0/19018 expected type unknown got free2
    
32. agi unlinked bucket 6 is 103430 in ag 3 (inode=12686342)
    
33. agi unlinked bucket 14 is 91278 in ag 3 (inode=12674190)
    
34. agi unlinked bucket 23 is 106135 in ag 3 (inode=12689047)
    
35. agi unlinked bucket 31 is 53279 in ag 3 (inode=12636191)
    
36. agi unlinked bucket 35 is 106147 in ag 3 (inode=12689059)
    
37. agi unlinked bucket 36 is 60836 in ag 3 (inode=12643748)
    
38. agi unlinked bucket 39 is 60839 in ag 3 (inode=12643751)
    
39. agi unlinked bucket 41 is 378537 in ag 3 (inode=12961449)
    
40. agi unlinked bucket 50 is 91250 in ag 3 (inode=12674162)
    
41. agi unlinked bucket 20 is 38996 in ag 4 (inode=16816212)
    
42. agi unlinked bucket 57 is 95353 in ag 4 (inode=16872569)
    
43. agi unlinked bucket 4 is 199940 in ag 8 (inode=33754372)
    
44. agi unlinked bucket 8 is 56392 in ag 8 (inode=33610824)
    
45. agi unlinked bucket 21 is 177621 in ag 8 (inode=33732053)
    
46. agi unlinked bucket 22 is 56406 in ag 8 (inode=33610838)
    
47. agi unlinked bucket 23 is 56407 in ag 8 (inode=33610839)
    
48. agi unlinked bucket 27 is 54747 in ag 8 (inode=33609179)
    
49. agi unlinked bucket 32 is 67232 in ag 8 (inode=33621664)
    
50. agi unlinked bucket 37 is 54757 in ag 8 (inode=33609189)
    
51. agi unlinked bucket 39 is 67239 in ag 8 (inode=33621671)
    
52. agi unlinked bucket 40 is 67240 in ag 8 (inode=33621672)
    
53. agi unlinked bucket 47 is 56367 in ag 8 (inode=33610799)
    
54. agi unlinked bucket 0 is 34944 in ag 10 (inode=41977984)
    
55. agi unlinked bucket 20 is 42516 in ag 11 (inode=46179860)
    
56. agi unlinked bucket 15 is 463 in ag 13 (inode=54526415)
    
57. agi unlinked bucket 62 is 154430 in ag 13 (inode=54680382)
    
58. block 0/21136 type unknown not expected
    
59. allocated inode 12689047 has 0 link count
    
60. allocated inode 12689059 has 0 link count
    
61. allocated inode 12674162 has 0 link count
    
62. allocated inode 12674190 has 0 link count
    
63. allocated inode 12636191 has 0 link count
    
64. allocated inode 12961449 has 0 link count
    
65. allocated inode 12643748 has 0 link count
    
66. allocated inode 12643751 has 0 link count
    
67. allocated inode 12686342 has 0 link count
    
68. allocated inode 16816212 has 0 link count
    
69. allocated inode 16872569 has 0 link count
    
70. allocated inode 33754372 has 0 link count
    
71. allocated inode 33732053 has 0 link count
    
72. allocated inode 33621664 has 0 link count
    
73. allocated inode 33621671 has 0 link count
    
74. allocated inode 33621672 has 0 link count
    
75. allocated inode 33609179 has 0 link count
    
76. allocated inode 33609189 has 0 link count
    
77. allocated inode 33610799 has 0 link count
    
78. allocated inode 33610824 has 0 link count
    
79. allocated inode 33610838 has 0 link count
    
80. allocated inode 33610839 has 0 link count
    
81. allocated inode 41977984 has 0 link count
    
82. allocated inode 46179860 has 0 link count
    
83. allocated inode 54680382 has 0 link count
    
84. allocated inode 54526415 has 0 link count
    
85. sb_ifree 3257, counted 3259
    
86. sb_fdblocks 7248513, counted 7248904
    
87. 
    
88. ["xfs_oops" (text/plain)]
    
89. 
    
90. Mar  1 10:32:03 linux kernel: BUG: unable to handle kernel NULL pointer dereference \
    
91.                 at virtual address 00000002
    
92. Mar  1 10:32:03 linux kernel: printing eip: f8a96141 *pde = 38ccb067
    
93. Mar  1 10:32:03 linux kernel: Oops: 0000 [#1] SMP
    
94. Mar  1 10:32:03 linux kernel: Modules linked in: asb100 hwmon_vid hwmon tun sch_sfq \
    
95. sch_htb pppoe pppox ppp_synctty ppp_async crc_ccitt ppp_generic slhc bridge \
    
96. xt_NOTRACK iptable_raw ipt_MASQUERADE iptable_nat nf_nat ipt_REJECT xt_mac ipt_LOG \
    
97. nf_conntrack_ipv4 xt_state nf_conntrack nfnetlink iptable_filter xt_CLASSIFY \
    
98. xt_length ipt_owner xt_TCPMSS xt_comment xt_tcpudp iptable_mangle ip_tables x_tables \
    
99. ext2 mbcache dm_mirror dm_mod 8139too r8169 mii i2c_i801 iTCO_wdt iTCO_vendor_support \
    
100.                 i2c_core sg sr_mod cdrom ata_generic ata_piix libata sd_mod scsi_mod \
     
101.                 xfs ehci_hcd
     
102. Mar  1 10:32:03 linux kernel: CPU:    0
     
103. Mar  1 10:32:03 linux kernel: EIP:    0060:[<f8a96141>]    Not tainted VLI
     
104. Mar  1 10:32:03 linux kernel: EFLAGS: 00010292   (2.6.23.15-137.fc8 #1)
     
105. Mar  1 10:32:03 linux kernel: EIP is at xfs_attr_shortform_getvalue+0x15/0xdb [xfs]
     
106. Mar  1 10:32:03 linux kernel: eax: 00000000   ebx: f268cddc   ecx: f8ae4d9d   edx: \
     
107.                 08d26645
     
108. Mar  1 10:32:03 linux kernel: esi: f04d1600   edi: 00000004   ebp: f8ae4d91   esp: \
     
109.                 f268cdbc
     
110. Mar  1 10:32:03 linux kernel: ds: 007b   es: 007b   fs: 00d8  gs: 0033  ss: 0068
     
111. Mar  1 10:32:03 linux kernel: Process smbd (pid: 2036, ti=f268c000 task=f7207840 \
     
112.                 task.ti=f268c000)
     
113. Mar  1 10:32:03 linux kernel: Stack: 00000003 f37888d4 00000003 f04d1600 f04d1600 \
     
114.                 f268ce38 f8ae4d91 f8a93a97
     
115. Mar  1 10:32:03 linux kernel: f8ae4d91 0000000c c1ba6000 00000130 00000402 275b19c4 \
     
116.                 00000000 00000000
     
117. Mar  1 10:32:03 linux kernel: f04d1600 00000000 00000000 00000000 00000000 00000001 \
     
118.                 00000000 00000000
     
119. Mar  1 10:32:03 linux kernel: Call Trace:
     
120. Mar  1 10:32:03 linux kernel: [<f8a93a97>] xfs_attr_fetch+0x9e/0xee [xfs]
     
121. Mar  1 10:32:03 linux kernel: [<f8a8d843>] xfs_acl_iaccess+0x59/0xc2 [xfs]
     
122. Mar  1 10:32:03 linux kernel: [<f8abe3c2>] xfs_iaccess+0x87/0x15c [xfs]
     
123. Mar  1 10:32:03 linux kernel: [<f8ad53ec>] xfs_access+0x26/0x3a [xfs]
     
124. Mar  1 10:32:03 linux kernel: [<f8ae08ae>] xfs_vn_permission+0x0/0x13 [xfs]
     
125. Mar  1 10:32:03 linux kernel: [<f8ae08bd>] xfs_vn_permission+0xf/0x13 [xfs]
     
126. Mar  1 10:32:03 linux kernel: [<c0487419>] permission+0x9e/0xdb
     
127. Mar  1 10:32:03 linux kernel: [<c04887d0>] may_open+0x5c/0x205
     
128. Mar  1 10:32:03 linux kernel: [<c048a8b4>] open_namei+0x27d/0x576
     
129. Mar  1 10:32:03 linux kernel: [<c047fdb7>] do_filp_open+0x2a/0x3e
     
130. Mar  1 10:32:03 linux kernel: [<c047fafe>] get_unused_fd_flags+0x52/0xc5
     
131. Mar  1 10:32:03 linux kernel: [<c047fe13>] do_sys_open+0x48/0xca
     
132. Mar  1 10:32:03 linux kernel: [<c047fece>] sys_open+0x1c/0x1e
     
133. Mar  1 10:32:03 linux kernel: [<c040518a>] syscall_call+0x7/0xb
     
134. Mar  1 10:32:03 linux kernel: =======================
     
135. Mar  1 10:32:03 linux kernel: Code: 00 00 c6 40 02 00 66 c7 00 00 04 8b 47 2c 5b 5e \
     
136. 5f e9 08 bc 03 00 55 57 56 53 89 c3 83 ec 0c 8b 40 20 8b 40 4c 8b 40 14 8d 78 04 <0f> \
     
137.                 b6 40 02 c7 44 24 08 00 00 00 00 89 44 24 04 e9 96 00 00 00
     
138. Mar  1 10:32:03 linux kernel: EIP: [<f8a96141>] xfs_attr_shortform_getvalue+0x15/0xdb \
     
139. [xfs] SS:ESP 0068:f268cdbc
     
140. 
     

复制代码

1. 
   
2. > Hello :)
   
3. >
   
4. > My system just crashed because of a power fluctuation and the root
   
5. > filesystem was damaged.
   
6. > The system booted up just fine, but when samba tried to start up
   
7. > the kernel oops'd.
   
8. >
   
9. > xfs_repair was apparently able to repair the damage, though I seem
   
10. > to have lost some files.
    
11. >
    
12. > I do realize that a lot of awful things can happen if you just cut
    
13. > the power, but the kernel shouldn't oops on a mounted file
    
14. > system, right?
    
15. 
    
16. right.
    
17. 
    
18. here's the disassembly of that function in your kernrel FWIW:
    
19. 
    
20. 0001012c <xfs_attr_shortform_getvalue>:
    
21.    1012c:       55                      push   %ebp
    
22.    1012d:       57                      push   %edi
    
23.    1012e:       56                      push   %esi
    
24.    1012f:       53                      push   %ebx
    
25.    10130:       89 c3                   mov    %eax,%ebx
    
26.    10132:       83 ec 0c                sub    $0xc,%esp
    
27.    10135:       8b 40 20                mov    0x20(%eax),%eax
    
28.    10138:       8b 40 4c                mov    0x4c(%eax),%eax
    
29.    1013b:       8b 40 14                mov    0x14(%eax),%eax
    
30.    1013e:       8d 78 04                lea    0x4(%eax),%edi
    
31.    10141:       0f b6 40 02             movzbl 0x2(%eax),%eax <--- boom.
    
32.    10145:       c7 44 24 08 00 00 00    movl   $0x0,0x8(%esp)
    
33.    1014c:       00
    
34.    1014d:       89 44 24 04             mov    %eax,0x4(%esp)
    
35.    10151:       e9 96 00 00 00          jmp    101ec
    
36. <xfs_attr_shortform_getvalue+0xc0>
    
37. ...
    
38. 
    
39. at this point eax is "sf" (0x0) and edi is "sfe" (0x04)
    
40. 
    
41. Mar  1 10:32:03 linux kernel: eax: 00000000   ebx: f268cddc   ecx:
    
42. f8ae4d9d   edx: 08d26645
    
43. Mar  1 10:32:03 linux kernel: esi: f04d1600   edi: 00000004   ebp:
    
44. f8ae4d91   esp: f268cdbc
    
45. 
    
46. first part of the function:
    
47. 
    
48. int
    
49. xfs_attr_shortform_getvalue(xfs_da_args_t *args)
    
50. {
    
51.         xfs_attr_shortform_t *sf;
    
52.         xfs_attr_sf_entry_t *sfe;
    
53.         int i;
    
54. 
    
55.         ASSERT(args->dp->i_d.di_aformat == XFS_IFINLINE);
    
56.         sf = (xfs_attr_shortform_t *)args->dp->i_afp->if_u1.if_data;
    
57.         sfe = &sf->list[0];
    
58.         for (i = 0;
    
59.              i < sf->hdr.count; <--- died here, sf is 0
    
60.              sfe = XFS_ATTR_SF_NEXTENTRY(sfe), i++) {
    
61. 
    
62. we blew up on sf->hdr.count because sf is NULL (hdr.count is 0x2 into sf)
    
63. 
    
64. maybe the sgi guys can take it from there ;)  Did you also happen to
    
65. save the xfs_repair output?
    
66. 
    
67. -Eric
    

复制代码

问题的定位，in this case nothing to do with xdb,
简洁明快，且该收手时就收手。

1. 
   
2. Eric Sandeen wrote:
   
3. > Did you also happen to save the xfs_repair output?
   
4. 
   
5. No, but I made a complete copy of the file system before
   
6. repairing it, so I can easily recreate it... :)
   
7. 
   
8. Thomas
   
9. 
   
10. 
    
11. ["xfs_repair" (text/plain)]
    
12. 
    
13. Phase 1 - find and verify superblock...
    
14. 
    
15. Phase 2 - using internal log
    
16.         - zero log...
    
17.         - scan filesystem freespace and inode maps...
    
18.         - found root inode chunk
    
19. 
    
20. Phase 3 - for each AG...
    
21.         - scan and clear agi unlinked lists...
    
22.         - process known inodes and perform inode discovery...
    
23.         - agno = 0
    
24. 
    
25. data fork in ino 128638 claims free block 19018
    
26.         - agno = 1
    
27.         - agno = 2
    
28. b5ac7b90: Badness in key lookup (length)
    
29. bp=(bno 11701280, len 32768 bytes) key=(bno 11701280, len 8192 bytes)
    
30. b5ac7b90: Badness in key lookup (length)
    
31. bp=(bno 11708896, len 32768 bytes) key=(bno 11708896, len 8192 bytes)
    
32. b5ac7b90: Badness in key lookup (length)
    
33. bp=(bno 11739296, len 32768 bytes) key=(bno 11739296, len 8192 bytes)
    
34. b5ac7b90: Badness in key lookup (length)
    
35. bp=(bno 11751440, len 32768 bytes) key=(bno 11751440, len 8192 bytes)
    
36. b5ac7b90: Badness in key lookup (length)
    
37. bp=(bno 11754176, len 32768 bytes) key=(bno 11754176, len 8192 bytes)
    
38. b5ac7b90: Badness in key lookup (length)
    
39. bp=(bno 12026592, len 32768 bytes) key=(bno 12026592, len 8192 bytes)
    
40.         - agno = 3
    
41. b50c6b90: Badness in key lookup (length)
    
42. bp=(bno 15569728, len 32768 bytes) key=(bno 15569728, len 8192 bytes)
    
43. b50c6b90: Badness in key lookup (length)
    
44. bp=(bno 15626080, len 32768 bytes) key=(bno 15626080, len 8192 bytes)
    
45.         - agno = 4
    
46.         - agno = 5
    
47.         - agno = 6
    
48.         - agno = 7
    
49. b41ffb90: Badness in key lookup (length)
    
50. bp=(bno 31116224, len 32768 bytes) key=(bno 31116224, len 8192 bytes)
    
51. b41ffb90: Badness in key lookup (length)
    
52. bp=(bno 31117856, len 32768 bytes) key=(bno 31117856, len 8192 bytes)
    
53. b41ffb90: Badness in key lookup (length)
    
54. bp=(bno 31128704, len 32768 bytes) key=(bno 31128704, len 8192 bytes)
    
55. b41ffb90: Badness in key lookup (length)
    
56. bp=(bno 31239104, len 32768 bytes) key=(bno 31239104, len 8192 bytes)
    
57. b41ffb90: Badness in key lookup (length)
    
58. bp=(bno 31261408, len 32768 bytes) key=(bno 31261408, len 8192 bytes)
    
59.         - agno = 8
    
60. local inode 33609156 attr too small (size = 0, min size = 4)
    
61. bad attribute fork in inode 33609156, clearing attr fork
    
62. clearing inode 33609156 attributes
    
63. cleared inode 33609156
    
64.         - agno = 9
    
65. b50c6b90: Badness in key lookup (length)
    
66. bp=(bno 38861808, len 32768 bytes) key=(bno 38861808, len 8192 bytes)
    
67.         - agno = 10
    
68. b41ffb90: Badness in key lookup (length)
    
69. bp=(bno 42752032, len 32768 bytes) key=(bno 42752032, len 8192 bytes)
    
70.         - agno = 11
    
71.         - agno = 12
    
72. b50c6b90: Badness in key lookup (length)
    
73. bp=(bno 50475360, len 32768 bytes) key=(bno 50475360, len 8192 bytes)
    
74. b50c6b90: Badness in key lookup (length)
    
75. bp=(bno 50629312, len 32768 bytes) key=(bno 50629312, len 8192 bytes)
    
76.         - agno = 13
    
77.         - agno = 14
    
78.         - agno = 15
    
79.         - process newly discovered inodes...
    
80. 
    
81. Phase 4 - check for duplicate blocks...
    
82.         - setting up duplicate extent list...
    
83.         - check for inodes claiming duplicate blocks...
    
84.         - agno = 0
    
85.         - agno = 1
    
86.         - agno = 2
    
87.         - agno = 3
    
88.         - agno = 4
    
89.         - agno = 5
    
90.         - agno = 6
    
91.         - agno = 7
    
92.         - agno = 8
    
93. bad bmap btree ptr 0xc3a0000100000000 in ino 33609156
    
94. bad data fork in inode 33609156
    
95. cleared inode 33609156
    
96.         - agno = 9
    
97.         - agno = 10
    
98.         - agno = 11
    
99.         - agno = 12
    
100.         - agno = 13
     
101.         - agno = 14
     
102.         - agno = 15
     
103. 
     
104. Phase 5 - rebuild AG headers and trees...
     
105.         - reset superblock...
     
106. 
     
107. Phase 6 - check inode connectivity...
     
108.         - resetting contents of realtime bitmap and summary inodes
     
109.         - traversing filesystem ...
     
110. entry "locking.tdb" in directory inode 33585205 points to free inode 33609156
     
111. bad hash table for directory inode 33585205 (no data entry): rebuilding
     
112. rebuilding directory inode 33585205
     
113.         - traversal finished ...
     
114.         - moving disconnected inodes to lost+found ...
     
115. disconnected inode 12636191, moving to lost+found
     
116. disconnected inode 12643748, moving to lost+found
     
117. disconnected inode 12643751, moving to lost+found
     
118. disconnected inode 12674162, moving to lost+found
     
119. disconnected inode 12674190, moving to lost+found
     
120. disconnected inode 12686342, moving to lost+found
     
121. disconnected inode 12689047, moving to lost+found
     
122. disconnected inode 12689059, moving to lost+found
     
123. disconnected inode 12961449, moving to lost+found
     
124. disconnected inode 16816212, moving to lost+found
     
125. disconnected inode 16872569, moving to lost+found
     
126. disconnected inode 33609179, moving to lost+found
     
127. disconnected inode 33609189, moving to lost+found
     
128. disconnected inode 33610799, moving to lost+found
     
129. disconnected inode 33610824, moving to lost+found
     
130. disconnected inode 33610838, moving to lost+found
     
131. disconnected inode 33610839, moving to lost+found
     
132. disconnected inode 33621664, moving to lost+found
     
133. disconnected inode 33621671, moving to lost+found
     
134. disconnected inode 33621672, moving to lost+found
     
135. disconnected inode 33732053, moving to lost+found
     
136. disconnected inode 33754372, moving to lost+found
     
137. disconnected inode 41977984, moving to lost+found
     
138. disconnected inode 46179860, moving to lost+found
     
139. disconnected inode 54526415, moving to lost+found
     
140. disconnected inode 54680382, moving to lost+found
     
141. 
     
142. Phase 7 - verify and correct link counts...
     
143. done
     

复制代码

认真劲，令人佩服。

1. 
   
2. oh, like a dd image?  great.  You can use xfs_metadump to make a more
   
3. transportable image... xfs folks might even be able to use that to recreate the oops.
   
4. 
   
5. -Eric
   

复制代码

虽然收了手，留句话，交个朋友。

[ 本帖最后由 sisi8408 于 2008-3-2 13:48 编辑 ]

sisi8408

1. 
   
2. static int wake_idle (int cpu, struct task_struct *p)
   
3. {
   
4.         cpumask_t tmp;
   
5.         struct sched_domain *sd;
   
6.         int i;
   
7.         /*
   
8.          * If it is idle, then it is the best cpu to run this task.
   
9.          *
   
10.          * This cpu is also the best, if it has more than one task already.
    
11.          *
    
12.          * Siblings must be also busy(in most cases) as they didn't already
    
13.          * pickup the extra load from this cpu and hence we need not check
    
14.          * sibling runqueue info. This will avoid the checks and cache miss
    
15.          * penalities associated with that.
    
16.          */
    
17.         if (idle_cpu(cpu) || cpu_rq(cpu)->nr_running > 1)
    
18.                 return cpu;
    
19. 
    
20.         for_each_domain(cpu, sd) {
    
21.                 if (sd->flags & SD_WAKE_IDLE) {
    
22.                         cpus_and(tmp, sd->span, p->cpus_allowed);
    
23.                         for_each_cpu_mask(i, tmp) {
    
24.                                 if (idle_cpu(i)) {
    
25.                                         if (i != task_cpu(p)) {
    
26.                                                 schedstat_inc(p, se.nr_wakeups_idle);
    
27.                                         }
    
28.                                         return i;
    
29.                                 }
    
30.                         }
    
31.                 } else {
    
32.                         /* 2.6.24.4
    
33.                          * how about the second sd with flag SD_WAKE_IDLE ??
    
34.                          */
    
35.                         break;
    
36.                 }
    
37.         }
    
38.         return cpu;
    
39. }
    

复制代码

sisi8408

1. 
   
2. Index: linux-2.6.24.4-rt4/kernel/sched_cpupri.h
   
3. ===================================================================
   
4. --- /dev/null        1970-01-01 00:00:00.000000000 +0000
   
5. +++ linux-2.6.24.4-rt4/kernel/sched_cpupri.h        2008-03-24 19:06:32.000000000 -0400
   
6. @@ -0,0 +1,36 @@
   
7. +#ifndef _LINUX_CPUPRI_H
   
8. +#define _LINUX_CPUPRI_H
   
9. +
   
10. +#include <linux/sched.h>
    
11. +
    
12. +#define CPUPRI_NR_PRIORITIES 2+MAX_RT_PRIO /*nicer: (2+MAX_RT_PRIO) */
    
13. +#define CPUPRI_NR_PRI_WORDS CPUPRI_NR_PRIORITIES/BITS_PER_LONG
    
14. +
    
15. 
    

复制代码