| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Dec 2008 17:25:44 +0900
From: Yasunori Goto <y-goto@...fujitsu.com>
To: tytso@....edu, adilger@....com
Cc: Li Zefan <lizf@...fujitsu.com>, linux-ext4@...r.kernel.org,
Miao Xie <miaox@...fujitsu.com>,
Linux Kernel ML <linux-kernel@...r.kernel.org>
Subject: [Patch/BUG] (ext4) s_mb_maxs[] of ext4_sb_info is too small size
Hello.
I chased the cause of following ext4 oops report which is tested on
ia64 box.
http://bugzilla.kernel.org/show_bug.cgi?id=12018
The cause is the size of s_mb_maxs array that is
defined as "unsigned short" in ext4_sb_info structure.
Unsigned short is too small.
In this bug report, Li-san formatted with 64Kbyte block size like
the following. Ia64 has 64Kbyte page size, then this
block size is acceptable.
# mkfs.ext4 -b 65536 /dev/md0
In this case, the maximum value of s_mb_maxs[] becomes
(blocksize << 2) = 256K by the following code.
2482 int ext4_mb_init(struct super_block *sb, int needs_recovery)
:
:
2508 max = sb->s_blocksize << 2; <---- max becomes 0x40000.
2509 do {
2510 sbi->s_mb_offsets[i] = offset;
2511 sbi->s_mb_maxs[i] = max; <--- over flow!!!
2512 offset += 1 << (sb->s_blocksize_bits - i);
2513 max = max >> 1;
2514 i++;
2515 } while (i <= sb->s_blocksize_bits + 1);
Then, some s_mb_maxs[] becomes 0 due to overflow.
It is cause of this oops. The following patch is to fix it.
Thanks.
----
The size of s_mb_maxs that is defined in ext4_sb_info is too small.
When block size is 64K, which is possible on ia64,
the maximum value of s_mb_maxs becomes 256K(0x40000).
However, s_mb_maxs is defined as unsigned short. This is cause of panic.
Signed-off-by: Yasunori Goto <y-goto@...fujitsu.com>
Cc: Li Zefan <lizf@...fujitsu.com>
Cc: Miao Xie <miaox@...fujitsu.com>
---
fs/ext4/ext4_sb.h | 3 ++-
fs/ext4/mballoc.c | 2 ++
2 files changed, 4 insertions(+), 1 deletion(-)
Index: test2/fs/ext4/ext4_sb.h
===================================================================
--- test2.orig/fs/ext4/ext4_sb.h 2008-12-16 11:20:18.000000000 +0900
+++ test2/fs/ext4/ext4_sb.h 2008-12-16 14:17:32.000000000 +0900
@@ -101,7 +101,8 @@ struct ext4_sb_info {
spinlock_t s_reserve_lock;
spinlock_t s_md_lock;
tid_t s_last_transaction;
- unsigned short *s_mb_offsets, *s_mb_maxs;
+ unsigned short *s_mb_offsets;
+ unsigned int *s_mb_maxs;
/* tunables */
unsigned long s_stripe;
Index: test2/fs/ext4/mballoc.c
===================================================================
--- test2.orig/fs/ext4/mballoc.c 2008-12-16 11:20:18.000000000 +0900
+++ test2/fs/ext4/mballoc.c 2008-12-16 14:23:21.000000000 +0900
@@ -2493,6 +2493,8 @@ int ext4_mb_init(struct super_block *sb,
if (sbi->s_mb_offsets == NULL) {
return -ENOMEM;
}
+
+ i = (sb->s_blocksize_bits + 2) * sizeof(unsigned int);
sbi->s_mb_maxs = kmalloc(i, GFP_KERNEL);
if (sbi->s_mb_maxs == NULL) {
kfree(sbi->s_mb_maxs);
--
Yasunori Goto
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists