Re: Reiserfs kernel-crashing bug in 2.4.20 (and UML)

From: Andrew Morton
Date: Sat Aug 23 2003 - 22:43:51 EST

Next message: Greg KH: "Re: USB 2.0 and USB Sony DRU-500A unreliable"
Previous message: TeJun Huh: "Re: Race condition in 2.4 tasklet handling (cli() broken?)"
In reply to: dan: "Reiserfs kernel-crashing bug in 2.4.20 (and UML)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

dan@xxxxxxxxxxxx wrote:
>
> Let's get this out of the way first: I KNOW IT'S A HARDWARE BUG. My
> system wrote corrupted data to the drive. I've already recovered the
> partition but I have a dd'd copy around to figure this out.
>
> With that out of the way:
>
> I can reliably insta-reboot my kernel or cause user-mode-linux to crash
> out when doing a directory lookup in one corrupted directory.
>
> The catch is, (and there's always a catch) neither oopses. real kernel on
> real hardware just flashes the screen and reboots, user-mode-linux just
> drops back to the host's shell prompt.
>
> Here's what I've found using UML on it:
>
> The directory is one block, but we're reading data 100+k into it. Perhaps
> a sanity check that we're actually within the buffer we want to be?

You're absolutely right. Filesystem drivers should try hard to not crash
the box when fed random crap.

> + if (d_reclen < 0)
> + return -EIO;

It needs to be checked for some upper bound as well.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "Re: USB 2.0 and USB Sony DRU-500A unreliable"
Previous message: TeJun Huh: "Re: Race condition in 2.4 tasklet handling (cli() broken?)"
In reply to: dan: "Reiserfs kernel-crashing bug in 2.4.20 (and UML)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]