| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Jun 2014 09:57:17 -0400 From: Theodore Ts'o <tytso@....edu> To: Jan Kara <jack@...e.cz> Cc: linux-ext4@...r.kernel.org, stable@...r.kernel.org Subject: Re: [PATCH] ext4: Fix buffer double free in ext4_alloc_branch() On Wed, Jun 11, 2014 at 03:37:06PM +0200, Jan Kara wrote: > Error recovery in ext4_alloc_branch() calls ext4_forget() even for > buffer corresponding to indirect block it did not allocate. This leads > to brelse() being called twice for that buffer (once from ext4_forget() > and once from cleanup in ext4_ind_map_blocks()) leading to buffer use > count misaccounting. Eventually (but often much later because there > are other users of the buffer) we will see messages like: > VFS: brelse: Trying to free free buffer > > Another manifestation of this problem is an error: > JBD2 unexpected failure: jbd2_journal_revoke: !buffer_revoked(bh); > inconsistent data on disk > > The fix is easy - don't forget buffer we did not allocate. Also add an > explanatory comment because the indexing at ext4_alloc_branch() is > somewhat subtle. > > Signed-off-by: Jan Kara <jack@...e.cz> Nice catch! I've added a cc: stable@...r.kernel.org tag, and will queue this for the post-merge window bugfix push. Thanks, - Ted -- To unsubscribe from this list: send the line "unsubscribe linux-ext4" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists