Details


Issue of the Implementation # F0001

Brief

ext4: NULL pointer dereference in mount_fs() because ext4_fill_super() wrongly reports success

Detailed Description

If ext4_mb_init(), called from ext4_fill_super(), fails and returns an error code, ext4_fill_super() still returns 0.

This happens because the return value of ext4_mb_init() is not assigned to ret in the error path, so the previous value of ret (0) is returned from ext4_fill_super().

This problem leads to a kernel oops in mount_fs() when the latter dereferences the struct dentry pointer returned by the mount() callback ("sb = root->d_sb;").
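The control-flow error described above, modelled in user-space C as an added illustration (not code from the kernel or from this report): fill_super_buggy() reproduces the missing assignment to ret, fill_super_fixed() shows the corrected error path, and mount_demo() stands in for mount_bdev()/mount_fs() and returns -EFAULT at the point where the real caller would dereference the NULL root. The struct layouts, fake_mb_init() and its fail flag are stand-ins chosen for the demo, not kernel code.

```c
#include <errno.h>
#include <stddef.h>

/* Stand-in types for the demo, not the kernel's real layouts. */
static struct dentry { int unused; } root_dentry; /* what d_make_root() returns */
struct super_block { struct dentry *s_root; };

/* Hypothetical stand-in for ext4_mb_init(); `fail` injects its error path. */
static int fake_mb_init(int fail) { return fail ? -ENOMEM : 0; }

/* Reported defect: err is tested but ret is never updated, so the cleanup
 * label returns the stale ret == 0 and the caller sees a successful mount. */
static int fill_super_buggy(struct super_block *sb, int fail)
{
	int ret = 0, err;
	sb->s_root = &root_dentry;
	err = fake_mb_init(fail);
	if (err)
		goto failed_mount;      /* BUG: ret is still 0 here */
	return 0;
failed_mount:
	sb->s_root = NULL;              /* cleanup drops the root dentry */
	return ret;
}

/* Corrected form: the error code is stored in ret before the jump. */
static int fill_super_fixed(struct super_block *sb, int fail)
{
	int ret = 0, err;
	sb->s_root = &root_dentry;
	err = fake_mb_init(fail);
	if (err) {
		ret = err;
		goto failed_mount;
	}
	return 0;
failed_mount:
	sb->s_root = NULL;
	return ret;
}

/* Models mount_bdev() + mount_fs(): a 0 return makes the caller take sb->s_root and
 * read root->d_sb unchecked. Returns the fill_super error, 0, or -EFAULT for the oops. */
static int mount_demo(int (*fill)(struct super_block *, int), int fail)
{
	struct super_block sb = { NULL };
	int err = fill(&sb, fail);
	if (err)
		return err;             /* clean failure: mount_bdev() returns ERR_PTR(err) */
	return sb.s_root ? 0 : -EFAULT; /* NULL root: "sb = root->d_sb" would oops */
}
```

With the fault injected, the buggy path returns 0 from fill_super while leaving s_root NULL, which is exactly the state mount_fs() cannot cope with; the fixed path returns -ENOMEM and the mount fails cleanly.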

Example

[  116.851683] EXT4-fs (sdb): mount failed
[  116.859943] BUG: unable to handle kernel NULL pointer dereference at 0000000000000068
[  116.861075] IP: [<ffffffff8117cf92>] mount_fs+0x52/0x1b0
[  116.861075] PGD 7acfd067 PUD 7ccea067 PMD 0 
[  116.861075] Oops: 0000 [#1] SMP 
[  116.861075] CPU 0 
[  116.861075] Modules linked in: ext4 jbd2 vesafb ppdev snd_intel8x0
snd_ac97_codec ac97_bus psmouse snd_pcm joydev mac_hid serio_raw parport_pc snd_timer snd soundcore i2c_piix4
snd_page_alloc lp parport reiserfs usbhid hid e1000 btrfs zlib_deflate libcrc32c
[  116.861075] 
[  116.861075] Pid: 14195, comm: fault_sim Tainted: G W  O 3.2.0-36-generic #57 innotek GmbH VirtualBox
[  116.861075] RIP: 0010:[<ffffffff8117cf92>]  [<ffffffff8117cf92>] mount_fs+0x52/0x1b0
[  116.861075] RSP: 0018:ffff88007cfd3dd8  EFLAGS: 00010207
[  116.861075] RAX: 0000000000000000 RBX: ffff88007c151200 RCX: 000000000000a343
[  116.861075] RDX: 0000000000000000 RSI: ffff88007cfd3c38 RDI: 0000000000000000
[  116.861075] RBP: ffff88007cfd3e18 R08: ffffea0001f57b80 R09: ffffffffa0236028
[  116.861075] R10: 000000000000c480 R11: ffff880082c00000 R12: 0000000000000000
[  116.861075] R13: ffffffffa03627c0 R14: 0000000000000000 R15: 0000000000000000
[  116.861075] FS:  00007f1468b18740(0000) GS:ffff880082c00000(0000) knlGS:0000000000000000
[  116.861075] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  116.861075] CR2: 0000000000000068 CR3: 000000007c89f000 CR4: 00000000000006f0
[  116.861075] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  116.861075] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  116.861075] Process fault_sim (pid: 14195, threadinfo ffff88007cfd2000, task ffff8800371eae00)
[  116.861075] Stack:
[  116.861075]  0000000000000004 0000000000000000 0000000000000004 ffff88007c151200
[  116.861075]  ffffffffa03627c0 0000000000000000 ffff88007d468da0 0000000000000000
[  116.861075]  ffff88007cfd3e68 ffffffff811978fa 0000000000000004 ffff88007d468da0
[  116.861075] Call Trace:
[  116.861075]  [<ffffffff811978fa>] vfs_kern_mount+0x6a/0xc0
[  116.861075]  [<ffffffff81198e04>] do_kern_mount+0x54/0x110
[  116.861075]  [<ffffffff8119a964>] do_mount+0x1a4/0x260
[  116.861075]  [<ffffffff8119ae40>] sys_mount+0x90/0xe0
[  116.861075]  [<ffffffff81614302>] system_call_fastpath+0x16/0x1b
[  116.861075] Code: 49 89 fd 41 89 f7 74 0a f6 47 08 02 0f 84 c7 00 00 00 44  ...
[  116.861075] RIP  [<ffffffff8117cf92>] mount_fs+0x52/0x1b0
[  116.861075]  RSP <ffff88007cfd3dd8>
[  116.861075] CR2: 0000000000000068
[  116.885769] ---[ end trace 0faf6cc74fc11e3e ]---

Component

linux-kernel 3.7

Accepted

https://bugzilla.kernel.org/show_bug.cgi?id=48431
commit

Status

Fixed in kernel 3.8-rc1
