On Tue, Feb 05, 2008 at 04:24:18PM +1100, David Chinner wrote:
> Sven, Tomas, Andrea:
>
> Can you try the patch attached below to see if it fixes the
> xfs_file_readdir() oops you are seeing and let me know if it fixes
> the problem?
Works for me(TM) :)
My testbox survived 24h with this patch, no problems.
Tobias
>
> It looks like we're deferencing a pointer beyond the end of a buffer
> if the buffer is filled exactly. This bug does not crash ia64 (even
> with memory poisoning enabled), which is why the targeted corner
> case testing I did a while back did not pick this up when fixing a
> similar bug a month ago.
>
> Cheers,
>
> Dave.
> --
> Dave Chinner
> Principal Engineer
> SGI Australian Software Group
>
> ---
> Fix yet another corner case oops in xfs_file_readdir().
>
> Signed-off-by: Dave Chinner <dgc@xxxxxxx>
> ---
> fs/xfs/linux-2.6/xfs_file.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> Index: 2.6.x-xfs-new/fs/xfs/linux-2.6/xfs_file.c
> ===================================================================
> --- 2.6.x-xfs-new.orig/fs/xfs/linux-2.6/xfs_file.c 2008-01-16
> 16:24:01.000000000 +1100
> +++ 2.6.x-xfs-new/fs/xfs/linux-2.6/xfs_file.c 2008-02-05 15:13:17.153110696
> +1100
> @@ -351,8 +351,8 @@ xfs_file_readdir(
>
> size = buf.used;
> de = (struct hack_dirent *)buf.dirent;
> - curr_offset = de->offset /* & 0x7fffffff */;
> while (size > 0) {
> + curr_offset = de->offset /* & 0x7fffffff */;
> if (filldir(dirent, de->name, de->namlen,
> curr_offset & 0x7fffffff,
> de->ino, de->d_type)) {
> @@ -363,7 +363,6 @@ xfs_file_readdir(
> sizeof(u64));
> size -= reclen;
> de = (struct hack_dirent *)((char *)de + reclen);
> - curr_offset = de->offset /* & 0x7fffffff */;
> }
> }
>
|