lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20081216170409.34EA.E1E9C6FF@jp.fujitsu.com>
Date:	Tue, 16 Dec 2008 17:25:44 +0900
From:	Yasunori Goto <y-goto@...fujitsu.com>
To:	tytso@....edu, adilger@....com
Cc:	Li Zefan <lizf@...fujitsu.com>, linux-ext4@...r.kernel.org,
	Miao Xie <miaox@...fujitsu.com>,
	Linux Kernel ML <linux-kernel@...r.kernel.org>
Subject: [Patch/BUG] (ext4) s_mb_maxs[] of ext4_sb_info is too small size

Hello.

I chased the cause of following ext4 oops report which is tested on
ia64 box.

http://bugzilla.kernel.org/show_bug.cgi?id=12018

The cause is the size of s_mb_maxs array that is
defined as "unsigned short" in ext4_sb_info structure.
Unsigned short is too small.

In this bug report, Li-san formatted with 64Kbyte block size like
the following. Ia64 has 64Kbyte page size, then this
block size is acceptable.

# mkfs.ext4 -b 65536 /dev/md0

In this case, the maximum value of s_mb_maxs[] becomes 
(blocksize << 2) = 256K by the following code.

2482 int ext4_mb_init(struct super_block *sb, int needs_recovery)
               : 
               :
2508         max = sb->s_blocksize << 2;    <---- max becomes 0x40000.
2509         do {
2510                 sbi->s_mb_offsets[i] = offset;
2511                 sbi->s_mb_maxs[i] = max;            <--- over flow!!!
2512                 offset += 1 << (sb->s_blocksize_bits - i);
2513                 max = max >> 1;
2514                 i++;
2515         } while (i <= sb->s_blocksize_bits + 1);

Then, some s_mb_maxs[] becomes 0 due to overflow.
It is cause of this oops. The following patch is to fix it.

Thanks.

----

The size of s_mb_maxs that is defined in ext4_sb_info is too small.
When block size is 64K, which is possible on ia64,
the maximum value of s_mb_maxs becomes 256K(0x40000).
However, s_mb_maxs is defined as unsigned short. This is cause of panic.

Signed-off-by: Yasunori Goto <y-goto@...fujitsu.com>
Cc: Li Zefan <lizf@...fujitsu.com>
Cc: Miao Xie <miaox@...fujitsu.com>

---
 fs/ext4/ext4_sb.h |    3 ++-
 fs/ext4/mballoc.c |    2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

Index: test2/fs/ext4/ext4_sb.h
===================================================================
--- test2.orig/fs/ext4/ext4_sb.h	2008-12-16 11:20:18.000000000 +0900
+++ test2/fs/ext4/ext4_sb.h	2008-12-16 14:17:32.000000000 +0900
@@ -101,7 +101,8 @@ struct ext4_sb_info {
 	spinlock_t s_reserve_lock;
 	spinlock_t s_md_lock;
 	tid_t s_last_transaction;
-	unsigned short *s_mb_offsets, *s_mb_maxs;
+	unsigned short *s_mb_offsets;
+	unsigned int *s_mb_maxs;
 
 	/* tunables */
 	unsigned long s_stripe;
Index: test2/fs/ext4/mballoc.c
===================================================================
--- test2.orig/fs/ext4/mballoc.c	2008-12-16 11:20:18.000000000 +0900
+++ test2/fs/ext4/mballoc.c	2008-12-16 14:23:21.000000000 +0900
@@ -2493,6 +2493,8 @@ int ext4_mb_init(struct super_block *sb,
 	if (sbi->s_mb_offsets == NULL) {
 		return -ENOMEM;
 	}
+
+	i = (sb->s_blocksize_bits + 2) * sizeof(unsigned int);
 	sbi->s_mb_maxs = kmalloc(i, GFP_KERNEL);
 	if (sbi->s_mb_maxs == NULL) {
 		kfree(sbi->s_mb_maxs);

-- 
Yasunori Goto 


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ