[PATCH] JFFS2 Fix of panics caused by wrong condition for hole frag creation in write_begin

[PATCH] JFFS2 Fix of panics caused by wrong condition for hole frag creation in write_begin

[Alexey Korolev]

Hi,


JFFS2 in Linux 2.6.24 fails to kernel panic on random read/write/truncate operatons. We investigated the issue it is caused by
bug in conditions for hole fragment creation in write_begin function. Offset of starting offset which is used to identify should we create hole frag or not is calculated improperly.
As result hole frags are not created when they must be - it leads to internal memory corruptions and kernel panic. 

The following patch fixes the bug in JFFS2 write_begin hole frag conditions. 
Please include the patch. 

Signed-off-by: Alexey Korolev <akorolev@infradead.org>
Signed-off-by: Vasiliy Leonenko <vasiliy.leonenko@mail.ru>
=========================================
diff -aupNr a/fs/jffs2/file.c b/fs/jffs2/file.c
--- a/fs/jffs2/file.c	2008-02-11 08:51:11.000000000 +0300
+++ b/fs/jffs2/file.c	2008-04-11 13:54:08.000000000 +0400
@@ -129,13 +129,14 @@ static int jffs2_write_begin(struct file
 	struct inode *inode = mapping->host;
 	struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
 	pgoff_t index = pos >> PAGE_CACHE_SHIFT;
-	uint32_t pageofs = pos & (PAGE_CACHE_SIZE - 1);
+	uint32_t pageofs;
 	int ret = 0;
 
 	pg = __grab_cache_page(mapping, index);
 	if (!pg)
 		return -ENOMEM;
 	*pagep = pg;
+	pageofs = pg->index << PAGE_CACHE_SHIFT;
 
 	D1(printk(KERN_DEBUG "jffs2_write_begin()\n"));
=========================================

Thanks,
Alexey

Re: [PATCH] JFFS2 Fix of panics caused by wrong condition for hole frag creation in write_begin

[Jörn Engel]

On Mon, 14 April 2008 17:55:22 +0100, Alexey Korolev wrote:
> 
> JFFS2 in Linux 2.6.24 fails to kernel panic on random read/write/truncate operatons. We investigated the issue it is caused by
> bug in conditions for hole fragment creation in write_begin function. Offset of starting offset which is used to identify should we create hole frag or not is calculated improperly.
> As result hole frags are not created when they must be - it leads to internal memory corruptions and kernel panic. 
> 
> The following patch fixes the bug in JFFS2 write_begin hole frag conditions. 
> Please include the patch. 

Description is rather wide.

Reviewed-By: Joern Engel <joern@logfs.org>

> Signed-off-by: Alexey Korolev <akorolev@infradead.org>
> Signed-off-by: Vasiliy Leonenko <vasiliy.leonenko@mail.ru>
> =========================================
> diff -aupNr a/fs/jffs2/file.c b/fs/jffs2/file.c
> --- a/fs/jffs2/file.c	2008-02-11 08:51:11.000000000 +0300
> +++ b/fs/jffs2/file.c	2008-04-11 13:54:08.000000000 +0400
> @@ -129,13 +129,14 @@ static int jffs2_write_begin(struct file
>  	struct inode *inode = mapping->host;
>  	struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
>  	pgoff_t index = pos >> PAGE_CACHE_SHIFT;
> -	uint32_t pageofs = pos & (PAGE_CACHE_SIZE - 1);
> +	uint32_t pageofs;
>  	int ret = 0;
>  
>  	pg = __grab_cache_page(mapping, index);
>  	if (!pg)
>  		return -ENOMEM;
>  	*pagep = pg;
> +	pageofs = pg->index << PAGE_CACHE_SHIFT;
>  
>  	D1(printk(KERN_DEBUG "jffs2_write_begin()\n"));
> =========================================
> 
> Thanks,
> Alexey

Jörn

-- 
My second remark is that our intellectual powers are rather geared to
master static relations and that our powers to visualize processes
evolving in time are relatively poorly developed.
-- Edsger W. Dijkstra

Re: [PATCH] JFFS2 Fix of panics caused by wrong condition for hole frag creation in write_begin

[David Woodhouse]

On Mon, 2008-04-14 at 17:55 +0100, Alexey Korolev wrote:
> Hi,
> 
> 
> JFFS2 in Linux 2.6.24 fails to kernel panic on random read/write/truncate operatons. We investigated the issue it is caused by
> bug in conditions for hole fragment creation in write_begin function. Offset of starting offset which is used to identify should we create hole frag or not is calculated improperly.
> As result hole frags are not created when they must be - it leads to internal memory corruptions and kernel panic. 
> 
> The following patch fixes the bug in JFFS2 write_begin hole frag conditions. 
> Please include the patch. 

Well spotted, Alexey. Thanks!

I've simplified it a little and sent it to Linus.

-- 
dwmw2

Re: [PATCH] JFFS2 Fix of panics caused by wrong condition for hole frag creation in write_begin

[David Woodhouse]

On Mon, 2008-04-14 at 20:40 +0100, David Woodhouse wrote:
> 
> Well spotted, Alexey. Thanks!
> 
> I've simplified it a little and sent it to Linus.

And now I've resent it with a _correct_ address for Linus...

-- 
dwmw2