Message-ID: <20091202222321.GB17579@ioremap.net>
Date:	Thu, 3 Dec 2009 01:23:21 +0300
From:	Evgeniy Polyakov <zbr@...emap.net>
To:	Alexander Beregalov <a.beregalov@...il.com>
Cc:	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	jens.axboe@...cle.com
Subject: Re: 2.6.32-rc8: pohmelfs: NULL pointer dereference

Hi Alexander.

Thanks a lot for your report and analysis!

On Wed, Dec 02, 2009 at 04:11:52AM +0300, Alexander Beregalov (a.beregalov@...il.com) wrote:
> BUG: unable to handle kernel NULL pointer dereference at 000000b8
> IP: [<c10a96f9>] bdi_queue_work+0x9/0xa0
> 
>  [<c10a97e6>] ? sync_inodes_sb+0x46/0x120
>  [<c13cbafd>] ? printk+0x18/0x1b
>  [<f840d8cb>] ? pohmelfs_kill_super+0xb/0x20 [pohmelfs]
>  [<c1090b8a>] ? deactivate_locked_super+0x4a/0x70
>  [<c1090ccf>] ? get_sb_nodev+0x6f/0x80
>  [<f840d8fc>] ? pohmelfs_get_sb+0x1c/0x20 [pohmelfs]
>  [<f840e120>] ? pohmelfs_fill_super+0x0/0x530 [pohmelfs]
>  [<c108fe50>] ? vfs_kern_mount+0x40/0xd0
> 
> 
> The problem is that pohmelfs_fill_super() does not set sb->s_bdi.
> Behavior was changed by
> b6e51316da writeback: separate starting of sync vs opportunistic writeback
> d8a8559cd7 writeback: get rid of generic_sync_sb_inodes() export

Looks like this change broke things:

-long sync_inodes_sb(struct super_block *sb)
+void sync_inodes_sb(struct super_block *sb)
{
-       struct writeback_control wbc = {
-               .sb             = sb,
-               .bdi            = sb->s_bdi,
-               .sync_mode      = WB_SYNC_ALL,
-               .range_start    = 0,
-               .range_end      = LLONG_MAX,
-       };
-       long nr_to_write = LONG_MAX; /* doesn't actually matter */
-
-       wbc.nr_to_write = nr_to_write;
-       bdi_start_writeback(&wbc);
-       wait_sb_inodes(&wbc);
-       return nr_to_write - wbc.nr_to_write;
+       bdi_sync_writeback(sb->s_bdi, sb);
+       wait_sb_inodes(sb);
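Review bot: the `+` lines pass `sb->s_bdi` straight into `bdi_sync_writeback(sb->s_bdi, sb)` with no NULL check, so any filesystem whose fill_super never assigns `s_bdi` (pohmelfs, per the trace quoted above) hands a NULL bdi down to `bdi_queue_work()` at unmount time. Either reject that case up front, e.g. `if (!sb->s_bdi) return;` ahead of the `bdi_sync_writeback()` call, or state explicitly that `s_bdi` is mandatory for every caller of `sync_inodes_sb()`. Separately, the change of return type from `long` to `void` silently drops the pages-written count that the removed `return nr_to_write - wbc.nr_to_write;` used to provide, so please confirm no caller still relies on it.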

POHMELFS does not set sb->s_bdi, so it will be dereferenced in
bdi_queue_work() and crash. Jens, should it check whether bdi is NULL in
bdi_sync_writeback()?

-- 
	Evgeniy Polyakov
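The following user-space model is an added illustration and is not code from this thread, from POHMELFS, or from the kernel writeback core. It sketches the two remedies implied by the question above: the filesystem-side fix (fill_super assigning s_bdi) and the core-side fix (refusing to queue writeback work when s_bdi is NULL instead of dereferencing it). All names prefixed toy_ are hypothetical stand-ins for the kernel structures and functions named in the report.

```c
/* Added example: toy model of the umount-time sync path, not kernel code.
 * toy_super_block / toy_bdi / toy_* are hypothetical names. */
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

struct toy_bdi {
    int queued_work;           /* count of writeback work items queued */
};

struct toy_super_block {
    const char *name;
    struct toy_bdi *s_bdi;     /* NULL when fill_super never assigned it */
};

/* Stand-in for bdi_queue_work(): dereferences bdi unconditionally, which is
 * the point where the quoted trace reports the NULL pointer dereference. */
static void toy_bdi_queue_work(struct toy_bdi *bdi)
{
    bdi->queued_work++;
}

/* Filesystem-side remedy: fill_super wires the superblock to its bdi
 * before anything can call the sync path on it. */
static void toy_fill_super(struct toy_super_block *sb, const char *name,
                           struct toy_bdi *bdi)
{
    sb->name = name;
    sb->s_bdi = bdi;
}

/* Core-side remedy: the sync path checks s_bdi before handing it to the
 * work queue, instead of passing sb->s_bdi through unchecked. */
static int toy_sync_inodes_sb(struct toy_super_block *sb)
{
    if (!sb->s_bdi) {
        fprintf(stderr, "%s: no s_bdi set, skipping writeback\n", sb->name);
        return -EINVAL;
    }
    toy_bdi_queue_work(sb->s_bdi);
    return 0;
}

int main(void)
{
    struct toy_bdi bdi = { 0 };
    struct toy_super_block good, bad;

    toy_fill_super(&good, "good", &bdi);   /* fill_super set s_bdi */
    toy_fill_super(&bad, "bad", NULL);     /* fill_super forgot s_bdi */

    printf("good: rc=%d queued=%d\n", toy_sync_inodes_sb(&good), bdi.queued_work);
    printf("bad:  rc=%d\n", toy_sync_inodes_sb(&bad));
    return 0;
}
```

Run stand-alone, the superblock with a bdi queues one work item and returns 0, while the one without a bdi is rejected with -EINVAL rather than crashing; in the kernel the same two checkpoints are pohmelfs_fill_super() and the caller of bdi_queue_work().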
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/