[patch] xfsprogs: repair pagefault due to missed out sanity NULL check

Ajeet Yadav ajeet.yadav.77 at gmail.com
Sun Jan 30 20:39:15 CST 2011


I did not receive any response or review comment on the solution patch I sent.

diff -Nurp xfsprogs/repair/dir2.c xfsprogs-dirty/repair/dir2.c

--- xfsprogs/repair/dir2.c 2010-07-16 13:07:09.000000000 +0900

+++ xfsprogs-dirty/repair/dir2.c 2011-01-28 18:49:21.000000000 +0900

@@ -110,9 +110,10 @@ da_read_buf(

bplist[i] = libxfs_readbuf(mp->m_dev,

XFS_FSB_TO_DADDR(mp, bmp[i].startblock),

XFS_FSB_TO_BB(mp, bmp[i].blockcount), 0);

- if (!bplist[i])

+ if (!bplist[i]){

+ nex = i;

goto failed;

-

+ }

pftrace("readbuf %p (%llu, %d)", bplist[i],

(long long)XFS_BUF_ADDR(bplist[i]),

XFS_BUF_COUNT(bplist[i]));
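
Review bot: In the new `if (!bplist[i]){` branch, `nex = i;` overwrites the extent count only so that the cleanup loop at `failed:` stops before the NULL slot, which also changes `nex` for any later code after the label that still expects the original count. Either add a one-line comment stating that only entries 0..i-1 hold buffers at this point, or leave `nex` untouched and have the cleanup loop skip NULL entries before calling `libxfs_putbuf()`. Style: put a space between `)` and `{`, and keep the blank line before `pftrace(` that this hunk deletes. The patch as posted also carries no Signed-off-by line.
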
On Fri, Jan 28, 2011 at 8:13 PM, Ajeet Yadav <ajeet.yadav.77 at gmail.com> wrote:

> libxfs_putbuf() is called with bp = NULL, resulting in pagefault in
> libpthread.
>
> Function da_read_buf() allocates an array of xfs_buf_t *
>
>     xfs_buf_t       **bplist;
>
>     bplist = calloc(nex, sizeof(*bplist));
>
> Read and fill it using
>
>     for (i = 0; i < nex; i++) {
>         bplist[i] = libxfs_readbuf();
>
>         if (!bplist[i]){
>             goto failed;
>         }
>
>     }
>
>     failed:
>         for (i = 0; i < nex; i++)
>                 libxfs_putbuf(bplist[i]);
>
> Now assume nex = 10,
>
> 1. Will create bplist for 10 array elements.
>
> 3. Reading from disk 0,1, 2, 3
>
> 4. When reading from disk 4, USB is removed
>
> 5. libxfs_readbuf() will fail, bplist[4] = NULL, goto failed.
>
> 6. Since only 4 buffers were read successfully, so only 4 are in lock
> state.
>
> 7.  Error handling will unlock buffer from 1-10
>
> 8. Buffer 0-3 were read successfully, hence will have valid bplist[i]
>
> 9. Access bplist[4] == NULL, therefore unlocking will set bp == NULL in
> libxfs_putbuf(bp);
>
> 10. Page fault in libpthread
>
>
> Solution patch attached with mail
>
>
>
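
The failure sequence described in the quoted message, as an added example that is not part of the original mail or of xfsprogs: `fake_readbuf`, `fake_putbuf` and `read_extents` are hypothetical stand-ins, and the failed read at index 4 is constructed. It counts how many NULL pointers reach the release function when cleanup runs over all `nex` slots versus only the slots that were filled.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for libxfs_readbuf()/libxfs_putbuf(); not xfsprogs code. */
struct buf { int data; };
static int null_releases;   /* NULL pointers handed to the release function */

static struct buf *fake_readbuf(int i, int fail_at)
{
    /* Constructed failure: the read at index fail_at returns NULL. */
    return (i == fail_at) ? NULL : calloc(1, sizeof(struct buf));
}

static void fake_putbuf(struct buf *bp)
{
    if (!bp)
        null_releases++;    /* a release that unlocks bp would fault here */
    free(bp);               /* free(NULL) is a no-op */
}

/* Read nex buffers, then release them; returns the count of NULL releases. */
static int read_extents(int nex, int fail_at, int bound_cleanup)
{
    struct buf **bplist = calloc(nex, sizeof(*bplist));
    int i, held = nex;

    if (!bplist)
        return -1;
    null_releases = 0;
    for (i = 0; i < nex; i++) {
        bplist[i] = fake_readbuf(i, fail_at);
        if (!bplist[i]) {
            if (bound_cleanup)
                held = i;   /* only entries 0..i-1 hold a buffer */
            break;
        }
    }
    for (i = 0; i < held; i++)
        fake_putbuf(bplist[i]);
    free(bplist);
    return null_releases;
}

int main(void)
{
    printf("loop to nex: %d NULL releases, loop to held: %d\n",
           read_extents(10, 4, 0), read_extents(10, 4, 1));
    return 0;
}
```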