From: Theodore Tso <tytso@mit.edu>
To: Eric Sandeen <sandeen@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	linux-ext4@vger.kernel.org, bugme-daemon@bugzilla.kernel.org,
	kernel.bugzilla@asheesh.org
Subject: Re: [Bug 11175] New: ext3 BUG in add_dirent_to_buf+0x6c/0x269
Date: Wed, 30 Jul 2008 00:03:48 -0400
Message-ID: <20080730040348.GA8956@mit.edu>
In-Reply-To: <488FDA0A.5020408@redhat.com>

On Tue, Jul 29, 2008 at 10:03:38PM -0500, Eric Sandeen wrote:
> Theodore Tso wrote:
> > Hmm... disassembling the code, it's pretty clear the problem is here
> > in do_split(), around line 1208:
> > 
> > 	map = (struct dx_map_entry *) (data2 + blocksize);
> > 	count = dx_make_map ((struct ext3_dir_entry_2 *) data1,
> > 			     blocksize, hinfo, map);
> > 	map -= count;
> > 	dx_sort_map (map, count);
> > 	/* Split the existing block in the middle, size-wise */
> > 	size = 0;
> > 	move = 0;
> > 	for (i = count-1; i >= 0; i--) {
> > 		/* is more than half of this entry in 2nd half of the block? */
> > 		if (size + map[i].size/2 > blocksize/2)  <====
> 
> You sure this isn't our old friend
> https://bugzilla.redhat.com/show_bug.cgi?id=451068 ?
> 
> which version of gcc compiled this?

As we discussed on IRC, I think your theory is dead on.  %ecx is at
the very end of the page-2, which would correspond to
map[count-1].size.  And size (%esi) is zero, which rules out my scenario.

This very much looks like a GCC bug.  Asheesh, can you confirm which
version of GCC you used to build your kernel?

Longer term, do_split() was coded in a very non-robust fashion.
Looking at do_split(), it was pretty easy to imagine corrupted
directory blocks that might force count to be 0 (causing the for loop
to do something insane, since i is unsigned), and adding some checks
to make sure that the split variable is neither 0 nor equal to count
might also be a really good idea.

					- Ted

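An added example, not code from this thread or from the ext3 tree: the size-wise split loop from do_split() re-implemented in user space, once as quoted above and once with the checks Ted proposes (count == 0 rejected before the loop, the loop bounded by i itself instead of the always-true "i >= 0", and a split index of 0 or count rejected). The struct layout mirroring dx_map_entry, the 1024-byte block size and the three sample maps are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed to mirror ext3's dx_map_entry: hash, offset and size of one dirent. */
struct dx_map_entry {
    uint32_t hash;
    uint16_t offs;
    uint16_t size;
};

#define BLOCKSIZE 1024u   /* assumed directory block size */

/* The loop as quoted in the thread. With 'i' unsigned, 'i >= 0' is always
 * true, so the loop can only end through the break. For count == 0, or when
 * every entry gets moved (e.g. a single entry that fills the block), i wraps
 * to UINT_MAX and map[i] is read far outside the map. Shown for comparison
 * only; never call it with such a map. */
unsigned dx_split_point_naive(const struct dx_map_entry *map, unsigned count,
                              unsigned blocksize)
{
    unsigned size = 0, move = 0, i;

    for (i = count - 1; i >= 0; i--) {
        /* is more than half of this entry in 2nd half of the block? */
        if (size + map[i].size / 2 > blocksize / 2)
            break;
        size += map[i].size;
        move++;
    }
    return count - move;
}

/* Hardened form: an empty map is rejected before the loop, the loop is
 * bounded by i's own value, and a split of 0 or count is rejected because
 * do_split() goes on to read map[split] and map[split - 1] and one half of
 * the block would be empty. Returns -1 when the block cannot be split. */
int dx_split_point(const struct dx_map_entry *map, unsigned count,
                   unsigned blocksize)
{
    unsigned size = 0, move = 0, split, i;

    if (count == 0)
        return -1;

    for (i = count; i-- > 0; ) {          /* walks count-1 .. 0 and stops */
        if (size + map[i].size / 2 > blocksize / 2)
            break;
        size += map[i].size;
        move++;
    }

    split = count - move;
    if (split == 0 || split == count)
        return -1;
    return (int)split;
}

/* Constructed sample maps, already sorted by hash as after dx_sort_map(). */
const struct dx_map_entry map_three[3] = {
    { 0x1000, 0, 300 }, { 0x2000, 300, 300 }, { 0x3000, 600, 300 },
};
/* One entry filling the whole block: the naive loop moves it, then runs on
 * past the start of the map; the checked form reports split == 0. */
const struct dx_map_entry map_single_full[1] = { { 0x1000, 0, 1024 } };
/* Corrupted: a size larger than the block trips the very first test, so
 * nothing is moved and split == count. */
const struct dx_map_entry map_corrupt[2] = {
    { 0x1000, 0, 40 }, { 0x2000, 40, 2000 },
};

int main(void)
{
    printf("three entries: naive=%u checked=%d\n",
           dx_split_point_naive(map_three, 3, BLOCKSIZE),
           dx_split_point(map_three, 3, BLOCKSIZE));
    printf("single full entry: checked=%d\n",
           dx_split_point(map_single_full, 1, BLOCKSIZE));
    printf("corrupt size: checked=%d\n", dx_split_point(map_corrupt, 2, BLOCKSIZE));
    printf("empty map: checked=%d\n", dx_split_point(map_three, 0, BLOCKSIZE));
    return 0;
}
```

On the well-formed three-entry map both versions agree on split index 1. The single full-size entry is the case worth noting: count is valid there, yet the naive loop still walks off the map, so the count == 0 check alone is not enough and the split index has to be range-checked as well.
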
Thread overview: 7+ messages
     [not found] <bug-11175-27@http.bugzilla.kernel.org/>
2008-07-30  0:12 ` [Bug 11175] New: ext3 BUG in add_dirent_to_buf+0x6c/0x269 Andrew Morton
2008-07-30  1:08   ` Asheesh Laroia
2008-07-30  2:48   ` Theodore Tso
2008-07-30  3:03     ` Eric Sandeen
2008-07-30  4:03       ` Theodore Tso [this message]
2008-07-30 15:01         ` Asheesh Laroia
2008-07-30 15:06           ` Eric Sandeen