| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <bug-200069-13602-EOF1V11qlm@https.bugzilla.kernel.org/>
Date: Sat, 16 Jun 2018 20:04:22 +0000
From: bugzilla-daemon@...zilla.kernel.org
To: linux-ext4@...nel.org
Subject: [Bug 200069] BUG() triggered in start_this_handle()
(jbd2/transaction.c) when operating and umounting a crafted ext4 image
https://bugzilla.kernel.org/show_bug.cgi?id=200069
Theodore Tso (tytso@....edu) changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |tytso@....edu
--- Comment #4 from Theodore Tso (tytso@....edu) ---
OK, what's going on with this image is the following:
* The s_first_ino is 3 --- it's supposed to be 11, and should never be less
than that number. The kernel currently doesn't check to make sure value of
s_first_ino is valid. This is a recipe for disaster, but what's really
triggering the problem is....
* The directory entry for foo/bar/baz points at inode #8 -- the journal inode.
So when the workload unlinks foo/bar/baz, this drops the refcount to zero, and
when we unmount the file system and release the journal inode,
ext4_evict_inode() tries to delete the journal inode, after we almost
completely done with the unmount. This triggers the BUG_ON at
fs/jbd2/transaction.c:319.
--
You are receiving this mail because:
You are watching the assignee of the bug.
Powered by blists - more mailing lists