Подробности

[В начало]

Проблема в реализации № F0002

Краткое описание

ext4: разыменование нулевого указателя в ext4_calculate_overhead()

Подробное описание

Вызов memset() в функции ext4_calculate_overhead() перед проверкой указателя на NULL может привести к падению, если предыдущее выделение памяти закончится безуспешно.

Пример

[17412.234392] BUG: unable to handle kernel NULL pointer dereference at           (null)
[17412.236324] IP: [<ffffffffa0361e57>] ext4_calculate_overhead+0x67/0x210 [ext4]
[17412.236761] PGD 7d312067 PUD 7d8b9067 PMD 0 
[17412.236761] Oops: 0002 [#1] SMP 
[17412.236761] CPU 0 
[17412.236761] Modules linked in: ext4 jbd2 vesafb ppdev snd_intel8x0 psmouse joydev parport_pc snd_ac97_codec
ac97_bus serio_raw mac_hid snd_pcm snd_timer snd i2c_piix4 soundcore snd_page_alloc lp parport reiserfs usbhid 
hid e1000 btrfs zlib_deflate libcrc32c
[17412.236761] 
[17412.236761] Pid: 22798, comm: fault_sim Tainted: G        W  O 3.2.0-36-generic #57 innotek GmbH VirtualBox
[17412.236761] RIP: 0010:[<ffffffffa0361e57>]  [<ffffffffa0361e57>] ext4_calculate_overhead+0x67/0x210 [ext4]
[17412.236761] RSP: 0018:ffff880036d4bc28  EFLAGS: 00010246
[17412.236761] RAX: 0000000000000000 RBX: ffff880079ce7400 RCX: 0000000000000200
[17412.236761] RDX: 0000000000001000 RSI: 0000000000000000 RDI: 0000000000000000
[17412.236761] RBP: ffff880036d4bc68 R08: 000000000000ffff R09: 000000000000ffff
[17412.236761] R10: 0000000000000001 R11: 0000000000000002 R12: ffff88007affac00
[17412.236761] R13: 0000000000000000 R14: ffff88007affac00 R15: 0000000000000004
[17412.236761] FS:  00007f6193004740(0000) GS:ffff880082c00000(0000) knlGS:0000000000000000
[17412.236761] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[17412.236761] CR2: 0000000000000000 CR3: 000000007c597000 CR4: 00000000000006f0
[17412.236761] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[17412.236761] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[17412.236761] Process fault_sim (pid: 22798, threadinfo ffff880036d4a000, task ffff88007ebb4500)
[17412.236761] Stack:
[17412.236761]  ffff880036d4bc38 ffff88007af7f000 ffff880036d4bc68 ffff88007affac00
[17412.236761]  ffff88007affac00 ffff88007af7f000 ffff880079ce7400 ffff880063cc5548
[17412.236761]  ffff880036d4bd28 ffffffffa0363483 ffff88007fc25ab8 ffff88007affac00
[17412.236761] Call Trace:
[17412.236761]  [<ffffffffa0363483>] ext4_fill_super+0x1483/0x1a70 [ext4]
[17412.236761]  [<ffffffff8117c3f6>] mount_bdev+0x1c6/0x210
[17412.236761]  [<ffffffffa0362000>] ? ext4_calculate_overhead+0x210/0x210 [ext4]
[17412.236761]  [<ffffffffa03543d5>] ext4_mount+0x15/0x20 [ext4]
[17412.236761]  [<ffffffff8117cf83>] mount_fs+0x43/0x1b0
[17412.236761]  [<ffffffff811978fa>] vfs_kern_mount+0x6a/0xc0
[17412.236761]  [<ffffffff81198e04>] do_kern_mount+0x54/0x110
[17412.236761]  [<ffffffff8119a964>] do_mount+0x1a4/0x260
[17412.236761]  [<ffffffff8119ae40>] sys_mount+0x90/0xe0
[17412.236761]  [<ffffffff81614302>] system_call_fastpath+0x16/0x1b
[17412.236761] Code: 89 c7 ba 00 10 00 00 0f 85 8b 01 00 00 40 f6 c7 02 0f 85 96 01 ...
[17412.236761] RIP  [<ffffffffa0361e57>] ext4_calculate_overhead+0x67/0x210 [ext4]
[17412.236761]  RSP <ffff880036d4bc28>
[17412.236761] CR2: 0000000000000000
[17412.261444] ---[ end trace d1e88ed83705ddd2 ]---

Компонент

linux-kernel 3.7

Принято

https://lkml.org/lkml/2012/11/28/354
commit

Статус

Исправлено в kernel 3.8-rc1

[В начало]