* Re: possible bug in VFS ?
From: Alexander Viro @ 2001-10-13 0:06 UTC (permalink / raw)
To: Signal9; +Cc: linux-kernel
On Sat, 13 Oct 2001, Signal9 wrote:
> root = current->fs->rootmnt;
> list_for_each(ptr, &root->mnt_list) {
>         mnt = list_entry(ptr, struct vfsmount, mnt_list);
>         sb = mnt ? mnt->mnt_sb : NULL;
>         if (NULL != sb && dev == sb->s_dev) <============
>                 mntget(mnt);
> }
What the hell is it trying to do?
* possible bug in VFS ?
From: Signal9 @ 2001-10-13 1:50 UTC (permalink / raw)
To: linux-kernel
When I tried bestcrypt (a crypto-fs) with the new 2.4.12 kernel, I got an
oops when mounting a device. The oops was in this line:
(in bcrypt-0.8-6/mod/bc_dev24.c)
root = current->fs->rootmnt;
list_for_each(ptr, &root->mnt_list) {
        mnt = list_entry(ptr, struct vfsmount, mnt_list);
        sb = mnt ? mnt->mnt_sb : NULL;
        if (NULL != sb && dev == sb->s_dev) <============
                mntget(mnt);
}
The oops was a pointer dereference to 0x9. I added some printk's to see the
values of the pointers. I saw that in the last 'struct vfsmount' linked
inside root->mnt_list, the mnt_sb field is '0x1', so when it tries to access
sb->s_dev it dereferences a pointer to 0x9. The field mnt_devname was NULL.
Is this a bug in the kernel or a bug in bestcrypt?
Cheers,
- Doing
PS: Please send replies with CC to me, since I'm not subscribed to the list :)
* Re: possible bug in VFS ?
From: Signal9 @ 2001-10-13 12:32 UTC (permalink / raw)
To: Alexander Viro; +Cc: linux-kernel
On Saturday 13 October 2001 00:06, you wrote:
> On Sat, 13 Oct 2001, Signal9 wrote:
> > root = current->fs->rootmnt;
> > list_for_each(ptr, &root->mnt_list) {
> >         mnt = list_entry(ptr, struct vfsmount, mnt_list);
> >         sb = mnt ? mnt->mnt_sb : NULL;
> >         if (NULL != sb && dev == sb->s_dev) <============
> >                 mntget(mnt);
> > }
>
> What the hell is it trying to do?
Here goes the complete function:
static int bc_lock_dev(struct bc_disk *bd, struct bc_device *bc, kdev_t dev,
                       int lock)
{
        struct super_block *sb;
        struct vfsmount *mnt, *root;
        struct list_head *ptr;

        if (!capable(CAP_SYS_ADMIN))
                return -EPERM;
        if (!bd->bd_flags.configured) {
                if (!lock)
                        return 0;
                printk(KERN_ERR "bc: attempt to lock free device.\n");
                return -ENXIO;
        }
        if (lock && !bd->bd_flags.mounted) {
                root = current->fs->rootmnt;
                list_for_each(ptr, &root->mnt_list) {
                        mnt = list_entry(ptr, struct vfsmount, mnt_list);
                        sb = mnt ? mnt->mnt_sb : NULL;
                        printk(KERN_WARNING "\n\n[++++] The pointer to sb is: %08x\n"
                               "And the name is: %s\n\n", sb, mnt->mnt_devname);
                        if (NULL != sb && dev == sb->s_dev)
                                mntget(mnt);
                }
                bd->bd_flags.mounted = 1;
                bc->bc_refcnt++;
        } else if (!lock && bd->bd_flags.mounted) {
                root = current->fs->rootmnt;
                list_for_each(ptr, &root->mnt_list) {
                        mnt = list_entry(ptr, struct vfsmount, mnt_list);
                        sb = mnt ? mnt->mnt_sb : NULL;
                        if (NULL != sb && dev == sb->s_dev)
                                mntget(mnt);
                }
                bd->bd_flags.mounted = 0;
                bc->bc_refcnt--;
        }
        return 0;
}
* Re: possible bug in VFS ?
From: Alexander Viro @ 2001-10-13 15:35 UTC (permalink / raw)
To: Signal9; +Cc: linux-kernel
On Sat, 13 Oct 2001, Signal9 wrote:
> Here goes the complete function:
[snip]
It's completely broken. To start with, it's leaking vfsmounts like
hell. But the real question is "what the hell is it trying to do?"
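The symptoms Signal9 reports (a trailing entry with mnt_sb == 0x1 and a NULL mnt_devname) and the leak Viro points at both fall out of the posted loop when it is modelled outside the kernel. This added example is not code from the thread, the kernel or bestcrypt; it assumes the 2.4 layout in which the global mount list is anchored by a bare vfsmntlist list_head that is embedded in no vfsmount, so a list_for_each() started at root->mnt_list eventually treats that anchor as a vfsmount, and it models mntget() as a plain counter increment.

```c
/* Added user-space model of the posted loop (not code from the thread, the kernel
 * or bestcrypt); 2.4 VFS names are kept, the mount table below is constructed. */
#include <stddef.h>
#include <stdio.h>
struct list_head { struct list_head *next, *prev; };
#define list_entry(p, type, member) ((type *)((char *)(p) - offsetof(type, member)))
#define list_for_each(pos, head) \
        for (pos = (head)->next; pos != (head); pos = pos->next)
struct super_block { int s_dev; };
struct vfsmount { struct list_head mnt_list; struct super_block *mnt_sb; int mnt_count; };
/* Assumed 2.4 layout: the global mount list is headed by a bare list_head. */
static struct list_head vfsmntlist = { &vfsmntlist, &vfsmntlist };
static struct super_block root_sb = { 3 }, bc_sb = { 7 };
static struct vfsmount root = { { 0, 0 }, &root_sb, 0 }, bc = { { 0, 0 }, &bc_sb, 0 };
static void add_tail(struct list_head *n, struct list_head *h)
{ n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n; }

static void setup(void)         /* constructed table: root mount, then crypto mount */
{
        vfsmntlist.next = vfsmntlist.prev = &vfsmntlist;
        root.mnt_count = bc.mnt_count = 0;
        add_tail(&root.mnt_list, &vfsmntlist); add_tail(&bc.mnt_list, &vfsmntlist);
}

/* The posted loop started at 'start': returns how many iterations landed on the
 * sentinel, where list_entry() fabricates a vfsmount (the oops site). A match gets
 * mntget() and never mntput(), as bc_lock_dev() does on both of its paths. */
static int walk(struct list_head *start, int dev)
{
        struct list_head *ptr; int bogus = 0;
        list_for_each(ptr, start) {
                if (ptr == &vfsmntlist) { bogus++; continue; }
                struct vfsmount *mnt = list_entry(ptr, struct vfsmount, mnt_list);
                if (mnt->mnt_sb && mnt->mnt_sb->s_dev == dev)
                        mnt->mnt_count++;                        /* mntget() */
        }
        return bogus;
}

int bogus_from_head(void) { setup(); return walk(&vfsmntlist, 7); }    /* 0 */
int bogus_from_root(void) { setup(); return walk(&root.mnt_list, 7); } /* 1 */
int refcount_after_lock_unlock(void)   /* lock, then unlock: should be back at 0 */
{ setup(); walk(&vfsmntlist, 7); walk(&vfsmntlist, 7); return bc.mnt_count; } /* 2 */

int main(void)
{
        printf("bogus from head %d, from root %d, refcount after lock/unlock %d\n",
               bogus_from_head(), bogus_from_root(), refcount_after_lock_unlock());
        return 0;
}
```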