[U-Boot] [PATCH v2 1/2] fs: ext4: fix crash on ext4ls

[U-Boot] [PATCH v2 1/2] fs: ext4: fix crash on ext4ls

[Eugen Hristev]

Found a crash while issuing ext4ls with a non-existent directory.
Crash test:

=> ext4ls mmc 0 1
** Can not find directory. **
data abort
pc : [<3fd7c2ec>]          lr : [<3fd93ed8>]
reloc pc : [<26f142ec>]    lr : [<26f2bed8>]
sp : 3f963338  ip : 3fdc3dc4     fp : 3fd6b370
r10: 00000004  r9 : 3f967ec0     r8 : 3f96db68
r7 : 3fdc99b4  r6 : 00000000     r5 : 3f96dc88  r4 : 3fdcbc8c
r3 : fffffffa  r2 : 00000000     r1 : 3f96e0bc  r0 : 00000002
Flags: nZCv  IRQs off  FIQs off  Mode SVC_32
Resetting CPU ...

resetting ...

Tested on SAMA5D2_Xplained board (sama5d2_xplained_mmc_defconfig)

Looks like crash is introduced by commit:
"fa9ca8a" fs/ext4/ext4fs.c: Free dirnode in error path of ext4fs_ls

Issue is that dirnode is not initialized, and then freed if the call
to ext4_ls fails. ext4_ls will not change the value of dirnode in this case
thus we have a crash with data abort.

I added initialization and a check for dirname being NULL.

Fixes: "fa9ca8a" fs/ext4/ext4fs.c: Free dirnode in error path of ext4fs_ls
Cc: Stefan Brüns <stefan.bruens@rwth-aachen.de>
Cc: Tom Rini <trini@konsulko.com>
Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
---
Changes in v2:
 - Added test case in test/fs/fs-test.sh in a different commit

 fs/ext4/ext4fs.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
index 4b36a3e..2a28031 100644
--- a/fs/ext4/ext4fs.c
+++ b/fs/ext4/ext4fs.c
@@ -164,7 +164,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
 
 int ext4fs_ls(const char *dirname)
 {
-	struct ext2fs_node *dirnode;
+	struct ext2fs_node *dirnode = NULL;
 	int status;
 
 	if (dirname == NULL)
@@ -174,7 +174,8 @@ int ext4fs_ls(const char *dirname)
 				  FILETYPE_DIRECTORY);
 	if (status != 1) {
 		printf("** Can not find directory. **\n");
-		ext4fs_free_node(dirnode, &ext4fs_root->diropen);
+		if (dirnode)
+			ext4fs_free_node(dirnode, &ext4fs_root->diropen);
 		return 1;
 	}
 
-- 
2.7.4

[U-Boot] [PATCH v2 2/2] test: fs: fs-test: Modified test 1 to do a ls to a nonexistent dir

[Eugen Hristev]

Added a simple ls to a nonexistent directory for test 1.
In case the driver is broken for a nonexistent directory, U-boot
might crash.

Here is an example failed output:

=> # Test Case 1 - ls
=> ext4ls host 0:0
<DIR>       4096 .
<DIR>       4096 ..
<DIR>      16384 lost+found
<DIR>       4096 SUBDIR
      2621440000 2.5GB.file
         1048576 1MB.file
=> # In addition, test with a nonexistent directory to see if we crash.
=> ext4ls host 0:0 invalid_d
** Can not find directory. **
./test/fs/fs-test.sh: line 161: 25786 Segmentation fault      (core dumped) $UBOOT  <<EOF

Subsequent tests will fail if U-boot crashes.

Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
---

Hello,

Not sure whether this is the best test for this case, but I tried to do
a separate case and:
cannot really tell if it passed or not by just watching the output
(several FS show nothing, EXT4 shows "Can not find directory"),
so not really any string I can grep for to send to pass_fail function.
So, I decided to add another command to test no 1, which is a basic 'ls' test
to some 'invalid_d' directory.
Like this, we won't see anything in the output, but, if U-boot crashes, the
whole test series fails.


 test/fs/fs-test.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/test/fs/fs-test.sh b/test/fs/fs-test.sh
index 20d5dd8..6bb5311 100755
--- a/test/fs/fs-test.sh
+++ b/test/fs/fs-test.sh
@@ -225,6 +225,8 @@ setenv bind 'if test "\$sb" != sb; then sb bind 0 "$1"; fi'
 run bind
 # Test Case 1 - ls
 ${PREFIX}ls host${SUFFIX} $6
+# In addition, test with a nonexistent directory to see if we crash.
+${PREFIX}ls host${SUFFIX} invalid_d
 #
 # We want ${PREFIX}size host 0:0 $3 for host commands and
 # sb size hostfs - $3 for hostfs commands.
-- 
2.7.4

[U-Boot] [PATCH v2 1/2] fs: ext4: fix crash on ext4ls

[Tom Rini]

On Wed, May 09, 2018 at 04:28:37PM +0300, Eugen Hristev wrote:

> Found a crash while issuing ext4ls with a non-existent directory.
> Crash test:
> 
> => ext4ls mmc 0 1
> ** Can not find directory. **
> data abort
> pc : [<3fd7c2ec>]          lr : [<3fd93ed8>]
> reloc pc : [<26f142ec>]    lr : [<26f2bed8>]
> sp : 3f963338  ip : 3fdc3dc4     fp : 3fd6b370
> r10: 00000004  r9 : 3f967ec0     r8 : 3f96db68
> r7 : 3fdc99b4  r6 : 00000000     r5 : 3f96dc88  r4 : 3fdcbc8c
> r3 : fffffffa  r2 : 00000000     r1 : 3f96e0bc  r0 : 00000002
> Flags: nZCv  IRQs off  FIQs off  Mode SVC_32
> Resetting CPU ...
> 
> resetting ...
> 
> Tested on SAMA5D2_Xplained board (sama5d2_xplained_mmc_defconfig)
> 
> Looks like crash is introduced by commit:
> "fa9ca8a" fs/ext4/ext4fs.c: Free dirnode in error path of ext4fs_ls
> 
> Issue is that dirnode is not initialized, and then freed if the call
> to ext4_ls fails. ext4_ls will not change the value of dirnode in this case
> thus we have a crash with data abort.
> 
> I added initialization and a check for dirname being NULL.
> 
> Fixes: "fa9ca8a" fs/ext4/ext4fs.c: Free dirnode in error path of ext4fs_ls
> Cc: Stefan Brüns <stefan.bruens@rwth-aachen.de>
> Cc: Tom Rini <trini@konsulko.com>
> Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>

Reviewed-by: Tom Rini <trini@konsulko.com>

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180510/17a1439b/attachment.sig>

[U-Boot] [PATCH v2 2/2] test: fs: fs-test: Modified test 1 to do a ls to a nonexistent dir

[Tom Rini]

On Wed, May 09, 2018 at 04:28:38PM +0300, Eugen Hristev wrote:

> Added a simple ls to a nonexistent directory for test 1.
> In case the driver is broken for a nonexistent directory, U-boot
> might crash.
> 
> Here is an example failed output:
> 
> => # Test Case 1 - ls
> => ext4ls host 0:0
> <DIR>       4096 .
> <DIR>       4096 ..
> <DIR>      16384 lost+found
> <DIR>       4096 SUBDIR
>       2621440000 2.5GB.file
>          1048576 1MB.file
> => # In addition, test with a nonexistent directory to see if we crash.
> => ext4ls host 0:0 invalid_d
> ** Can not find directory. **
> ./test/fs/fs-test.sh: line 161: 25786 Segmentation fault      (core dumped) $UBOOT  <<EOF
> 
> Subsequent tests will fail if U-boot crashes.
> 
> Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>

Reviewed-by: Tom Rini <trini@konsulko.com>

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180510/7fc3b99f/attachment.sig>

[U-Boot] [U-Boot,v2,1/2] fs: ext4: fix crash on ext4ls

[Tom Rini]

On Wed, May 09, 2018 at 04:28:37PM +0300, Eugen Hristev wrote:

> Found a crash while issuing ext4ls with a non-existent directory.
> Crash test:
> 
> => ext4ls mmc 0 1
> ** Can not find directory. **
> data abort
> pc : [<3fd7c2ec>]          lr : [<3fd93ed8>]
> reloc pc : [<26f142ec>]    lr : [<26f2bed8>]
> sp : 3f963338  ip : 3fdc3dc4     fp : 3fd6b370
> r10: 00000004  r9 : 3f967ec0     r8 : 3f96db68
> r7 : 3fdc99b4  r6 : 00000000     r5 : 3f96dc88  r4 : 3fdcbc8c
> r3 : fffffffa  r2 : 00000000     r1 : 3f96e0bc  r0 : 00000002
> Flags: nZCv  IRQs off  FIQs off  Mode SVC_32
> Resetting CPU ...
> 
> resetting ...
> 
> Tested on SAMA5D2_Xplained board (sama5d2_xplained_mmc_defconfig)
> 
> Looks like crash is introduced by commit:
> "fa9ca8a" fs/ext4/ext4fs.c: Free dirnode in error path of ext4fs_ls
> 
> Issue is that dirnode is not initialized, and then freed if the call
> to ext4_ls fails. ext4_ls will not change the value of dirnode in this case
> thus we have a crash with data abort.
> 
> I added initialization and a check for dirname being NULL.
> 
> Fixes: "fa9ca8a" fs/ext4/ext4fs.c: Free dirnode in error path of ext4fs_ls
> Cc: Stefan Brüns <stefan.bruens@rwth-aachen.de>
> Cc: Tom Rini <trini@konsulko.com>
> Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180524/481a5dce/attachment.sig>

[U-Boot] [U-Boot, v2, 2/2] test: fs: fs-test: Modified test 1 to do a ls to a nonexistent dir

[Tom Rini]

On Wed, May 09, 2018 at 04:28:38PM +0300, Eugen Hristev wrote:

> Added a simple ls to a nonexistent directory for test 1.
> In case the driver is broken for a nonexistent directory, U-boot
> might crash.
> 
> Here is an example failed output:
> 
> => # Test Case 1 - ls
> => ext4ls host 0:0
> <DIR>       4096 .
> <DIR>       4096 ..
> <DIR>      16384 lost+found
> <DIR>       4096 SUBDIR
>       2621440000 2.5GB.file
>          1048576 1MB.file
> => # In addition, test with a nonexistent directory to see if we crash.
> => ext4ls host 0:0 invalid_d
> ** Can not find directory. **
> ./test/fs/fs-test.sh: line 161: 25786 Segmentation fault      (core dumped) $UBOOT  <<EOF
> 
> Subsequent tests will fail if U-boot crashes.
> 
> Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
> Reviewed-by: Tom Rini <trini@konsulko.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180524/0330da82/attachment.sig>