mirror of
https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
synced 2024-11-07 04:09:21 +00:00
9e3b003554
commit 9d5afec6b8bd46d6ed821aa1579634437f58ef1f upstream. On a ppc64 machine, when mounting a fuzzed ext2 image (generated by fsfuzzer) the following call trace is seen, VFS: brelse: Trying to free free buffer WARNING: CPU: 1 PID: 6913 at /root/repos/linux/fs/buffer.c:1165 .__brelse.part.6+0x24/0x40 .__brelse.part.6+0x20/0x40 (unreliable) .ext4_find_entry+0x384/0x4f0 .ext4_lookup+0x84/0x250 .lookup_slow+0xdc/0x230 .walk_component+0x268/0x400 .path_lookupat+0xec/0x2d0 .filename_lookup+0x9c/0x1d0 .vfs_statx+0x98/0x140 .SyS_newfstatat+0x48/0x80 system_call+0x58/0x6c This happens because the directory that ext4_find_entry() looks up has inode->i_size that is less than the block size of the filesystem. This causes 'nblocks' to have a value of zero. ext4_bread_batch() ends up not reading any of the directory file's blocks. This renders the entries in bh_use[] array to continue to have garbage data. buffer_uptodate() on bh_use[0] can then return a zero value upon which brelse() function is invoked. This commit fixes the bug by returning -ENOENT when the directory file has no associated blocks. Reported-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com> Signed-off-by: Chandan Rajendra <chandan@linux.vnet.ibm.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
||
---|---|---|
.. | ||
acl.c | ||
acl.h | ||
balloc.c | ||
bitmap.c | ||
block_validity.c | ||
dir.c | ||
ext4.h | ||
ext4_extents.h | ||
ext4_jbd2.c | ||
ext4_jbd2.h | ||
extents.c | ||
extents_status.c | ||
extents_status.h | ||
file.c | ||
fsync.c | ||
hash.c | ||
ialloc.c | ||
indirect.c | ||
inline.c | ||
inode.c | ||
ioctl.c | ||
Kconfig | ||
Makefile | ||
mballoc.c | ||
mballoc.h | ||
migrate.c | ||
mmp.c | ||
move_extent.c | ||
namei.c | ||
page-io.c | ||
resize.c | ||
super.c | ||
symlink.c | ||
truncate.h | ||
xattr.c | ||
xattr.h | ||
xattr_security.c | ||
xattr_trusted.c | ||
xattr_user.c |