lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BANLkTimfOCwZQP=Hv+NEhFcxMpC51-RhTw@mail.gmail.com>
Date:	Fri, 29 Apr 2011 19:31:49 -0700
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	Joern Engel <joern@...fs.org>, Dave Chinner <dchinner@...hat.com>,
	Al Viro <viro@...iv.linux.org.uk>
Cc:	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	logfs@...fs.org
Subject: Fwd: 2.6.39-rc5-git2 boot crashs

I dunno if you guys saw this. Any ideas?

Dave Chinner and Al Viro on the recipients because they were working
on iput_final etc locking changes. And logfs people for obvious
reasons.

The Code: line is buggered and seems to be missing one instruction
byte, and I think it's because the user used a web interface, and the
"<>" around the byte messed things up. But the code arount it decodes
to:

   0:	b8 30 4e 79 c2       	mov    $0xc2794e30,%eax   (probably
logfs_inode_lock address)
   5:	e8 41 a1 be 00       	call   xxx (probably _raw_spin_lock)
   a:	8d 8b f4 01 00 00    	lea    0x1f4(%ebx),%ecx
(li->li_freeing_list address)
  10:	8b 93 f4 01 00 00    	mov    0x1f4(%ebx),%edx  (li->li_freeing_list.next)
  16:	8b 83 f8 01 00 00    	mov    0x1f8(%ebx),%eax  (li->li_freeing_list.prev)
  1c:	89 42 04             	mov    %eax,0x4(%edx)   (next->prev = prev)
  1f:	89 10                	mov    %edx,(%eax)         (prev->next = next)
  ... something messed up ..
  29:	89 83 f4 01 00 00    	mov    %eax,0x1f4(%ebx)
  2f:	8d 86 54 02 00 00    	lea    0x254(%esi),%eax
  35:	89 83 f8 01 00 00    	mov    %eax,0x1f8(%ebx)

and that's basically the code that does:

  list_move(&li->li_freeing_list, &super->s_freeing_list);

and the removal from the old list has succeeded, but adding to the
super->s_freeing_list is failing.

It looks like a NULL pointer dereference with offset 4, so at a guess,
super->s_freeing_list.next is NULL, and it's the "next->prev = entry"
instruction that faults when inserting into that list.

How/why would s_freeing_list be NULL? I have no idea. But it looks
like a failed mount, so presumably it was never initialized.

              Linus

---------- Forwarded message ----------
From: werner <w.landgraf@...ru>
Date: Fri, Apr 29, 2011 at 3:10 PM
Subject: 2.6.39-rc5-git2 boot crashs
To: linux-kernel@...r.kernel.org




Pid: 5635, comm: mount Tainted: G         C 2.6.39-rc5-git2 #1 System
manufacturer System Product Name/M2N8-VMX
EIP: 0060:[<c12d01fb>] EFLAGS: 00010246 CPU: 0
EIP is at logfs_drop_inode+0x3c/0x68
EAX: 00000000 EBX: f4db8000 ECX: f4db81f4 EDX: f4db81f4
ESI: f521c000 EDI: f5232c00 EBP: f5199e70 ESP: f5199e68
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process mount (pid: 5635, ti=f5198000 task=f523ae50 task.ti=f5198000)
Stack:
 c1f2344c f4db8000 f5199e84 c10ea544 ffffffea f5232c00 f68ac1c0 f5199ec0
 c12d77cd 00000000 00000000 c10ced5c 00000000 f521c000 00000400 f521c000
 f68a4b40 00000040 000000d0 00000000 f5106cb0 f5106cb0 f5199ef8 c10d9b11
Call Trace:
 [<c10ea544>] iput+0x5c/0x119
 [<c12d77cd>] logfs_mount+0x44f/0x5cc
 [<c10ced5c>] ? __kmalloc_track_caller+0x9b/0x157
 [<c10d9b11>] mount_fs+0x68/0x13e
 [<c10b1ce3>] ? kstrdup+0x30/0x41
 [<c10ee6c3>] vfs_kern_mount+0x53/0x7f
 [<c10ee747>] do_kern_mount+0x3c/0xbb
 [<c10eede8>] do_mount+0x622/0x66f
 [<c10ed9ca>] ? copy_mount_options+0xe/0xe7
 [<c10b1c15>] ? memdup_user+0x34/0x4b
 [<c10b1c5d>] ? strndup_user+0x31/0x42
 [<c10eeea2>] sys_mount+0x6d/0x9b
 [<c1eba70c>] syscall_call+0x7/0xb
Code: 8c 01 00 00 b8 30 4e 79 c2 e8 41 a1 be 00 8d 8b f4 01 00 00 8b
93 f4 01 00 00 8b 83 f8 01 00 00 89 42 04 89 10 8b 86 54 02 00 00
 48 04 89 83 f4 01 00 00 8d 86 54 02 00 00 89 83 f8 01 00 00
EIP: [<c12d01fb>] logfs_drop_inode+0x3c/0x68 SS:ESP 0068:f5199e68
CR2: 0000000000000004
---[ end trace cd59ca17c20fba5d ]---
---
Professional hosting for everyone - http://www.host.ru
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ