Date:	Sat, 27 Mar 2010 19:16:15 GMT
From:	bugzilla-daemon@...zilla.kernel.org
To:	linux-ext4@...r.kernel.org
Subject: [Bug 13549] Kernel oops while online resizing of an ext4 filesystem

https://bugzilla.kernel.org/show_bug.cgi?id=13549





--- Comment #18 from Eric Sandeen <sandeen@...hat.com>  2010-03-27 19:16:09 ---
Reproducer works perfectly, thanks.

So here's the issue; sbi->flex_groups[] doesn't get filled out in
ext4_fill_flex_info() because:

        if (groups_per_flex < 2) {
                sbi->s_log_groups_per_flex = 0;
                return 1;
        }

but resize is unconditionally doing this in ext4_group_add as long as the
FLEX_BG feature is set:

                atomic_add(input->free_blocks_count,
                           &sbi->s_flex_groups[flex_group].free_blocks);

so for a NULL s_flex_groups it went boom.

Every other access to ->s_flex_groups checks s_log_groups_per_flex first, so
this should be the proper fix:

Index: linux-2.6/fs/ext4/resize.c
===================================================================
--- linux-2.6.orig/fs/ext4/resize.c
+++ linux-2.6/fs/ext4/resize.c
@@ -930,7 +930,8 @@ int ext4_group_add(struct super_block *s
     percpu_counter_add(&sbi->s_freeinodes_counter,
                EXT4_INODES_PER_GROUP(sb));

-    if (EXT4_HAS_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_FLEX_BG)) {
+    if (EXT4_HAS_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_FLEX_BG) &&
+        sbi->s_log_groups_per_flex) {
         ext4_group_t flex_group;
         flex_group = ext4_flex_group(sbi, input->group);
         atomic_add(input->free_blocks_count,
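
Review bot: The added `sbi->s_log_groups_per_flex` test in the `if` condition stands in for "s_flex_groups was actually set up", but nothing at this site says so. A short comment above the condition, noting that ext4_fill_flex_info() returns early and zeroes s_log_groups_per_flex when groups_per_flex < 2, would keep a later cleanup from dropping the check as redundant with the FLEX_BG feature test. Since the message says every other ->s_flex_groups access makes the same check, moving the combined condition into one shared helper is worth considering as a follow-up, so that a new caller cannot repeat the omission.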

This fixes the reproducer, need to double check it on Alessandro's image.

-Eric
