| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1201735077.3873.22.camel@localhost.localdomain> Date: Wed, 30 Jan 2008 15:17:57 -0800 From: Mingming Cao <cmm@...ibm.com> To: Andrew Morton <akpm@...ux-foundation.org> Cc: Eric Sandeen <sandeen@....com>, "linux-ext4@...r.kernel.org" <linux-ext4@...r.kernel.org>, Girish Shilamkar <girish@...sterfs.com>, snakebyte@....de Subject: Re: Fw: [Bugme-new] [Bug 9849] New: NULL pointer deref in journal_wait_on_commit_record On Wed, 2008-01-30 at 12:00 -0800, Andrew Morton wrote: > > Begin forwarded message: > > Date: Wed, 30 Jan 2008 03:24:08 -0800 (PST) > From: bugme-daemon@...zilla.kernel.org > To: bugme-new@...ts.osdl.org > Subject: [Bugme-new] [Bug 9849] New: NULL pointer deref in journal_wait_on_commit_record > > > http://bugzilla.kernel.org/show_bug.cgi?id=9849 > > Summary: NULL pointer deref in journal_wait_on_commit_record > Product: File System > Version: 2.5 > KernelVersion: 2.6.24-03997-g85004cc > Platform: All > OS/Version: Linux > Tree: Mainline > Status: NEW > Severity: normal > Priority: P1 > Component: ext4 > AssignedTo: fs_ext4@...nel-bugs.osdl.org > ReportedBy: snakebyte@....de > > > Latest working kernel version: - > Earliest failing kernel version: 2.6.24-03863-g0ba6c33 > Distribution: Ubuntu > Problem Description: > > using a corrupted image causes an oops in unmount, seems as if > journal_wait_on_commit_record() gets passed a NULL pointer > The buufer head pointer passed to journal_wait_on_commit_record() could be NULL if the previous journal_submit_commit_record() failed or journal has already aborted. Looking at the jbd2 debug messages, before the oops happen, the jbd2 is aborted due to trying to access the next log block beyond the end of device. This might be caused by using a corrupted image. We need to check the error returns from journal_submit_commit_record() and avoid calling journal_wait_on_commit_record() in the failure case. Signed-off-by: Mingming Cao <cmm@...ibm.com> The buufer head pointer passed to journal_wait_on_commit_record() could be NULL if the previous journal_submit_commit_record() failed or journal has already aborted. We need to check the error returns from journal_submit_commit_record() and avoid calling journal_wait_on_commit_record() in the failure case. Signed-off-by: Mingming Cao <cmm@...ibm.com> --- fs/jbd2/commit.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) Index: linux-2.6.24-rc8/fs/jbd2/commit.c =================================================================== --- linux-2.6.24-rc8.orig/fs/jbd2/commit.c 2008-01-30 14:12:10.000000000 -0800 +++ linux-2.6.24-rc8/fs/jbd2/commit.c 2008-01-30 15:09:50.000000000 -0800 @@ -872,7 +872,8 @@ wait_for_iobuf: if (err) __jbd2_journal_abort_hard(journal); } - err = journal_wait_on_commit_record(cbh); + if (!err && !is_journal_aborted(journal)) + err = journal_wait_on_commit_record(cbh); if (err) jbd2_journal_abort(journal, err); - To unsubscribe from this list: send the line "unsubscribe linux-ext4" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists