Details
Issue of the Implementation # K0002
Brief
(ext4) Calling kfree() on an uninitialized pointer in ext4_mb_init_backend()
Detailed Description
At fs/ext4/mballoc.c:2389, memory for the sbi->s_group_info array is allocated with kmalloc(), so its contents are undefined. The elements of this array (the pointers themselves) are only initialized one by one as ext4_mb_add_groupinfo() is called (line 2408).
If ext4_mb_add_groupinfo() fails for some reason (e.g. if the memory allocation at line 2296 fails), ext4_mb_init_backend() calls kfree() on every element of the sbi->s_group_info array, including the ones that have not been initialized yet (fs/ext4/mballoc.c:2414):
    err_freebuddy:
        cachep = get_groupinfo_cache(sb->s_blocksize_bits);
        while (i-- > 0)
            kmem_cache_free(cachep, ext4_get_group_info(sb, i));
        i = num_meta_group_infos;
        while (i-- > 0)
            kfree(sbi->s_group_info[i]); /* <= oops here */
        iput(sbi->s_buddy_cache);
The problem showed up while running the ext4 tests from the Linux Test Project (ext4-alloc-test, test #7, to be exact).
'num_meta_group_infos' (the number of elements in the array) was 12. The first 2 calls to ext4_mb_add_groupinfo() (line 2408) succeeded, but the 3rd one failed.
kfree(sbi->s_group_info[11]) then resulted in a kernel oops.
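A user-space model of the error path described above, added here as an example and not code from the kernel or from the bug tracker: fake_kmalloc(), add_groupinfo() and init_backend() are hypothetical stand-ins, the pointer array is handed back either poisoned (as kmalloc() may return it) or zeroed (as kzalloc() does), and an injected failure on the third add_groupinfo() call reproduces the report's scenario. The return value counts how many stale slots the whole-array cleanup would pass to kfree().

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NUM_META_GROUP_INFOS 12 /* value observed in the report */
#define POISON_BYTE 0x6b        /* stands in for stale slab contents */

/* Hypothetical stand-in for kmalloc(): memory comes back with stale contents. */
static void *fake_kmalloc(size_t n)
{
	void *p = malloc(n);
	if (p)
		memset(p, POISON_BYTE, n);
	return p;
}
/* Models ext4_mb_add_groupinfo(): fills slot i, or fails at index fail_at. */
static int add_groupinfo(void **slots, int i, int fail_at)
{
	if (i == fail_at)
		return -1; /* injected allocation failure */
	slots[i] = malloc(64);
	return slots[i] ? 0 : -1;
}
/* Models ext4_mb_init_backend() with its err_freebuddy cleanup. Returns how many
 * slots the cleanup would hand to kfree() while they still hold stale bytes
 * (0 = safe), or -1 if the array allocation itself failed. */
static int init_backend(int zeroed, int fail_at)
{
	size_t array_size = NUM_META_GROUP_INFOS * sizeof(void *);
	void **slots = zeroed ? calloc(1, array_size) : fake_kmalloc(array_size);
	uintptr_t stale;
	int i, unsafe = 0;
	if (!slots)
		return -1;
	memset(&stale, POISON_BYTE, sizeof(stale)); /* pattern of an untouched slot */
	for (i = 0; i < NUM_META_GROUP_INFOS; i++)
		if (add_groupinfo(slots, i, fail_at))
			break;
	/* Cleanup walks the whole array, exactly as the kernel error path does. */
	i = NUM_META_GROUP_INFOS;
	while (i-- > 0) {
		if ((uintptr_t)slots[i] == stale) {
			unsafe++; /* kfree() on garbage: this is the oops */
			continue;
		}
		free(slots[i]); /* free(NULL), like kfree(NULL), is a no-op */
	}
	free(slots);
	return unsafe;
}
```

With the poisoned array and the failure on the third call, ten of the twelve slots are still garbage when the cleanup reaches them; with the zeroed array the same cleanup is harmless.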
Possible solutions
fs/ext4/mballoc.c:2389: - sbi->s_group_info = kmalloc(array_size, GFP_KERNEL); + sbi->s_group_info = kzalloc(array_size, GFP_KERNEL);
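Review bot: switching the allocation at fs/ext4/mballoc.c:2389 to kzalloc() fixes the oops only because kfree(NULL) is a no-op, which lets the `while (i-- > 0) kfree(sbi->s_group_info[i]);` loop in err_freebuddy skip the slots ext4_mb_add_groupinfo() never reached; that dependency deserves a short comment at the allocation site so a later change back to kmalloc() does not reintroduce the bug. An alternative that does not rely on zeroing would be to start the second cleanup loop from the number of meta-group entries actually initialized rather than from num_meta_group_infos.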
Component
linux-kernel 2.6.38
References
Accepted
Kernel Bug Tracker, bug #30872
Status
Fixed in kernel 2.6.39-rc1