| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Dec 2008 10:58:24 -0600
From: Eric Sandeen <sandeen@...hat.com>
To: Yasunori Goto <y-goto@...fujitsu.com>
CC: tytso@....edu, adilger@....com, Li Zefan <lizf@...fujitsu.com>,
linux-ext4@...r.kernel.org, Miao Xie <miaox@...fujitsu.com>,
Linux Kernel ML <linux-kernel@...r.kernel.org>
Subject: Re: [Patch/BUG] (ext4) s_mb_maxs[] of ext4_sb_info is too small size
Yasunori Goto wrote:
> Hello.
>
> I chased the cause of following ext4 oops report which is tested on
> ia64 box.
>
> http://bugzilla.kernel.org/show_bug.cgi?id=12018
>
> The cause is the size of s_mb_maxs array that is
> defined as "unsigned short" in ext4_sb_info structure.
> Unsigned short is too small.
>
> In this bug report, Li-san formatted with 64Kbyte block size like
> the following. Ia64 has 64Kbyte page size, then this
> block size is acceptable.
>
> # mkfs.ext4 -b 65536 /dev/md0
>
> In this case, the maximum value of s_mb_maxs[] becomes
> (blocksize << 2) = 256K by the following code.
>
> 2482 int ext4_mb_init(struct super_block *sb, int needs_recovery)
> :
> :
> 2508 max = sb->s_blocksize << 2; <---- max becomes 0x40000.
> 2509 do {
> 2510 sbi->s_mb_offsets[i] = offset;
> 2511 sbi->s_mb_maxs[i] = max; <--- over flow!!!
> 2512 offset += 1 << (sb->s_blocksize_bits - i);
> 2513 max = max >> 1;
> 2514 i++;
> 2515 } while (i <= sb->s_blocksize_bits + 1);
>
> Then, some s_mb_maxs[] becomes 0 due to overflow.
> It is cause of this oops. The following patch is to fix it.
Looks good to mee; and these lines before it:
sbi->s_mb_maxs[0] = sb->s_blocksize << 3;
sbi->s_mb_offsets[0] = 0;
mean that we would have a problem "even" on 8k blocks, yes?
-Eric
> Thanks.
>
> ----
>
> The size of s_mb_maxs that is defined in ext4_sb_info is too small.
> When block size is 64K, which is possible on ia64,
> the maximum value of s_mb_maxs becomes 256K(0x40000).
> However, s_mb_maxs is defined as unsigned short. This is cause of panic.
>
> Signed-off-by: Yasunori Goto <y-goto@...fujitsu.com>
> Cc: Li Zefan <lizf@...fujitsu.com>
> Cc: Miao Xie <miaox@...fujitsu.com>
>
> ---
> fs/ext4/ext4_sb.h | 3 ++-
> fs/ext4/mballoc.c | 2 ++
> 2 files changed, 4 insertions(+), 1 deletion(-)
>
> Index: test2/fs/ext4/ext4_sb.h
> ===================================================================
> --- test2.orig/fs/ext4/ext4_sb.h 2008-12-16 11:20:18.000000000 +0900
> +++ test2/fs/ext4/ext4_sb.h 2008-12-16 14:17:32.000000000 +0900
> @@ -101,7 +101,8 @@ struct ext4_sb_info {
> spinlock_t s_reserve_lock;
> spinlock_t s_md_lock;
> tid_t s_last_transaction;
> - unsigned short *s_mb_offsets, *s_mb_maxs;
> + unsigned short *s_mb_offsets;
> + unsigned int *s_mb_maxs;
>
> /* tunables */
> unsigned long s_stripe;
> Index: test2/fs/ext4/mballoc.c
> ===================================================================
> --- test2.orig/fs/ext4/mballoc.c 2008-12-16 11:20:18.000000000 +0900
> +++ test2/fs/ext4/mballoc.c 2008-12-16 14:23:21.000000000 +0900
> @@ -2493,6 +2493,8 @@ int ext4_mb_init(struct super_block *sb,
> if (sbi->s_mb_offsets == NULL) {
> return -ENOMEM;
> }
> +
> + i = (sb->s_blocksize_bits + 2) * sizeof(unsigned int);
> sbi->s_mb_maxs = kmalloc(i, GFP_KERNEL);
> if (sbi->s_mb_maxs == NULL) {
> kfree(sbi->s_mb_maxs);
>
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists