lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Sun, 1 Feb 2009 10:57:07 +0100
From:	Eric Sesterhenn <snakebyte@....de>
To:	tigran@...azian.fsnet.co.uk
Cc:	linux-kernel@...r.kernel.org
Subject: BFS: Bug during mount of corrupted image

hi,

when mounting the image at
http://www.cccmz.de/~snakebyte/bfs.56.img.bz2

I get this oops:

[  214.577138] attempt to access beyond end of device
[  214.577302] loop0: rw=0, want=40960, limit=8192
[  214.577490] BFS-fs: bfs_fill_super(): Last block not available: 40959
[  214.577729] ------------[ cut here ]------------
[  214.577851] kernel BUG at fs/inode.c:1257!
[  214.577968] invalid opcode: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
[  214.578054] last sysfs file: /sys/block/ram9/range
[  214.578054] Modules linked in:
[  214.578054] 
[  214.578054] Pid: 4975, comm: mount Not tainted
(2.6.29-rc3-00173-ge4a11bd-dirty #235) System Name
[  214.578054] EIP: 0060:[<c0195507>] EFLAGS: 00010246 CPU: 0
[  214.578054] EIP is at iput+0x13/0x4e
[  214.578054] EAX: c62c000c EBX: c62c000c ECX: c62c0024 EDX: c62c0024
[  214.578054] ESI: c62c000c EDI: 00000000 EBP: c49dee44 ESP: c49dee40
[  214.578054]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[  214.578054] Process mount (pid: 4975, ti=c49de000 task=c4991a40
task.ti=c49de000)
[  214.578054] Stack:
[  214.578054]  c627c9c0 c49dee60 c0193eb9 c01889c9 00000001 c49a5920
c07a1dfc c0a01da8
[  214.578054]  c49dee6c c019484c c49a5920 c49dee7c c0188846 c624e3e0
00000003 c49dee8c
[  214.578054]  c0188912 c49a5920 c01b6ada c49deea0 c01889ce 00000000
fffffffb 00000003
[  214.578054] Call Trace:
[  214.578054]  [<c0193eb9>] ?
shrink_dcache_for_umount_subtree+0x16d/0x1b5
[  214.578054]  [<c01889c9>] ? deactivate_super+0x52/0x6a
[  214.578054]  [<c019484c>] ? shrink_dcache_for_umount+0x2c/0x39
[  214.578054]  [<c0188846>] ? generic_shutdown_super+0x15/0xc4
[  214.578054]  [<c0188912>] ? kill_block_super+0x1d/0x31
[  214.578054]  [<c01b6ada>] ? vfs_quota_off+0x0/0x12
[  214.578054]  [<c01889ce>] ? deactivate_super+0x57/0x6a
[  214.578054]  [<c0188e40>] ? get_sb_bdev+0x105/0x13a
[  214.578054]  [<c0170922>] ? kstrdup+0x2a/0x4c
[  214.578054]  [<c0257a38>] ? bfs_get_sb+0x13/0x15
[  214.578054]  [<c025800e>] ? bfs_fill_super+0x0/0x376
[  214.578054]  [<c0188a1c>] ? vfs_kern_mount+0x3b/0x76
[  214.578054]  [<c0188a9b>] ? do_kern_mount+0x32/0xba
[  214.578054]  [<c019985b>] ? do_mount+0x5c7/0x604
[  214.578054]  [<c0198227>] ? copy_mount_options+0x27/0x10d
[  214.578054]  [<c01998fc>] ? sys_mount+0x64/0x9b
[  214.578054]  [<c0102dc1>] ? sysenter_do_call+0x12/0x31
[  214.578054] Code: 05 6c 02 00 00 e8 58 c1 f9 ff 5d c3 55 89 e5 e8 ae
f7 5e 00 31 c0 5d c3 55 85 c0 89 e5 53 89 c3 74 41 83 b8 6c 02 00 00 40
75 04 <0f> 0b eb fe 8d 40 24 ba 10 f8 9f c0 e8 84 52 34 00 85 c0 74 23 
[  214.578054] EIP: [<c0195507>] iput+0x13/0x4e SS:ESP 0068:c49dee40
[  214.592689] ---[ end trace ff72413a06d2e2c2 ]---

The only patch applied is against jfs so this shouldnt have an
effect on this.

The BUG_ON triggered is in iput(): BUG_ON(inode->i_state == I_CLEAR);

(gdb) l *(shrink_dcache_for_umount_subtree+0x16d)
0xc0193eb9 is in shrink_dcache_for_umount_subtree (fs/dcache.c:692).
687
dentry->d_op->d_iput(dentry, inode);
688					else
689						iput(inode);
690				}
691	
692				d_free(dentry);
693	
694				/* finished when we fall off the top of
the tree,
695				 * otherwise we ascend to the parent and
move to the
696				 * next sibling if there is one */
(gdb) l *(deactivate_super+0x52)
0xc01889c9 is in deactivate_super (fs/super.c:187).
182		if (atomic_dec_and_lock(&s->s_active, &sb_lock)) {
183			s->s_count -= S_BIAS-1;
184			spin_unlock(&sb_lock);
185			DQUOT_OFF(s, 0);
186			down_write(&s->s_umount);
187			fs->kill_sb(s);
188			put_filesystem(fs);
189			put_super(s);
190		}
191	}

Greetings, Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists