linux-kernel.vger.kernel.org archive mirror
From: Jiri Slaby <jslaby@suse.cz>
To: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
	Kamlakant Patel <kamlakant.patel@broadcom.com>,
	Jayachandran C <jchandra@broadcom.com>,
	Brian Norris <computersforpeace@gmail.com>,
	Jiri Slaby <jslaby@suse.cz>
Subject: [PATCH 3.12 42/50] jffs2: Fix segmentation fault found in stress test
Date: Mon,  5 May 2014 14:43:24 +0200	[thread overview]
Message-ID: <7e33def95196b4123dbab2635583dc6fb906f995.1399292849.git.jslaby@suse.cz> (raw)
In-Reply-To: <7d4f4737432af6216e86975e587331b9d8b08063.1399292849.git.jslaby@suse.cz>
In-Reply-To: <cover.1399292849.git.jslaby@suse.cz>

From: Kamlakant Patel <kamlakant.patel@broadcom.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 3367da5610c50e6b83f86d366d72b41b350b06a2 upstream.

Creating a large file on a JFFS2 partition sometimes crashes with this call
trace:

[  306.476000] CPU 13 Unable to handle kernel paging request at virtual address c0000000dfff8002, epc == ffffffffc03a80a8, ra == ffffffffc03a8044
[  306.488000] Oops[#1]:
[  306.488000] Cpu 13
[  306.492000] $ 0   : 0000000000000000 0000000000000000 0000000000008008 0000000000008007
[  306.500000] $ 4   : c0000000dfff8002 000000000000009f c0000000e0007cde c0000000ee95fa58
[  306.508000] $ 8   : 0000000000000001 0000000000008008 0000000000010000 ffffffffffff8002
[  306.516000] $12   : 0000000000007fa9 000000000000ff0e 000000000000ff0f 80e55930aebb92bb
[  306.524000] $16   : c0000000e0000000 c0000000ee95fa5c c0000000efc80000 ffffffffc09edd70
[  306.532000] $20   : ffffffffc2b60000 c0000000ee95fa58 0000000000000000 c0000000efc80000
[  306.540000] $24   : 0000000000000000 0000000000000004
[  306.548000] $28   : c0000000ee950000 c0000000ee95f738 0000000000000000 ffffffffc03a8044
[  306.556000] Hi    : 00000000000574a5
[  306.560000] Lo    : 6193b7a7e903d8c9
[  306.564000] epc   : ffffffffc03a80a8 jffs2_rtime_compress+0x98/0x198
[  306.568000]     Tainted: G        W
[  306.572000] ra    : ffffffffc03a8044 jffs2_rtime_compress+0x34/0x198
[  306.580000] Status: 5000f8e3    KX SX UX KERNEL EXL IE
[  306.584000] Cause : 00800008
[  306.588000] BadVA : c0000000dfff8002
[  306.592000] PrId  : 000c1100 (Netlogic XLP)
[  306.596000] Modules linked in:
[  306.596000] Process dd (pid: 170, threadinfo=c0000000ee950000, task=c0000000ee6e0858, tls=0000000000c47490)
[  306.608000] Stack : 7c547f377ddc7ee4 7ffc7f967f5d7fae 7f617f507fc37ff4 7e7d7f817f487f5f
        7d8e7fec7ee87eb3 7e977ff27eec7f9e 7d677ec67f917f67 7f3d7e457f017ed7
        7fd37f517f867eb2 7fed7fd17ca57e1d 7e5f7fe87f257f77 7fd77f0d7ede7fdb
        7fba7fef7e197f99 7fde7fe07ee37eb5 7f5c7f8c7fc67f65 7f457fb87f847e93
        7f737f3e7d137cd9 7f8e7e9c7fc47d25 7dbb7fac7fb67e52 7ff17f627da97f64
        7f6b7df77ffa7ec5 80057ef17f357fb3 7f767fa27dfc7fd5 7fe37e8e7fd07e53
        7e227fcf7efb7fa1 7f547e787fa87fcc 7fcb7fc57f5a7ffb 7fc07f6c7ea97e80
        7e2d7ed17e587ee0 7fb17f9d7feb7f31 7f607e797e887faa 7f757fdd7c607ff3
        7e877e657ef37fbd 7ec17fd67fe67ff7 7ff67f797ff87dc4 7eef7f3a7c337fa6
        7fe57fc97ed87f4b 7ebe7f097f0b8003 7fe97e2a7d997cba 7f587f987f3c7fa9
        ...
[  306.676000] Call Trace:
[  306.680000] [<ffffffffc03a80a8>] jffs2_rtime_compress+0x98/0x198
[  306.684000] [<ffffffffc0394f10>] jffs2_selected_compress+0x110/0x230
[  306.692000] [<ffffffffc039508c>] jffs2_compress+0x5c/0x388
[  306.696000] [<ffffffffc039dc58>] jffs2_write_inode_range+0xd8/0x388
[  306.704000] [<ffffffffc03971bc>] jffs2_write_end+0x16c/0x2d0
[  306.708000] [<ffffffffc01d3d90>] generic_file_buffered_write+0xf8/0x2b8
[  306.716000] [<ffffffffc01d4e7c>] __generic_file_aio_write+0x1ac/0x350
[  306.720000] [<ffffffffc01d50a0>] generic_file_aio_write+0x80/0x168
[  306.728000] [<ffffffffc021f7dc>] do_sync_write+0x94/0xf8
[  306.732000] [<ffffffffc021ff6c>] vfs_write+0xa4/0x1a0
[  306.736000] [<ffffffffc02202e8>] SyS_write+0x50/0x90
[  306.744000] [<ffffffffc0116cc0>] handle_sys+0x180/0x1a0
[  306.748000]
[  306.748000]
Code: 020b202d  0205282d  90a50000 <90840000> 14a40038  00000000  0060602d  0000282d  016c5823
[  306.760000] ---[ end trace 79dd088435be02d0 ]---
Segmentation fault

This crash is caused because 'positions' is declared as an array of signed
short. The value of a position is in the range 0..65535, and will be converted
to a negative number when the position is greater than 32767, which causes
corruption and a crash. Changing the definition to 'unsigned short' fixes this
issue.

Signed-off-by: Jayachandran C <jchandra@broadcom.com>
Signed-off-by: Kamlakant Patel <kamlakant.patel@broadcom.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/jffs2/compr_rtime.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/jffs2/compr_rtime.c b/fs/jffs2/compr_rtime.c
index 16a5047903a6..406d9cc84ba8 100644
--- a/fs/jffs2/compr_rtime.c
+++ b/fs/jffs2/compr_rtime.c
@@ -33,7 +33,7 @@ static int jffs2_rtime_compress(unsigned char *data_in,
 				unsigned char *cpage_out,
 				uint32_t *sourcelen, uint32_t *dstlen)
 {
-	short positions[256];
+	unsigned short positions[256];
 	int outpos = 0;
 	int pos=0;
 
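Review bot: unsigned short removes the sign flip at 32768 that the commit message describes, but positions[] is still a 16-bit slot, so a position of 65536 would wrap silently to 0, and nothing in this hunk bounds *sourcelen to 65535; either an explicit check against that limit at the top of jffs2_rtime_compress() or a comment on the declaration stating that callers never pass more than 64 KiB would record the assumption. Widening to int would cost 512 bytes more stack (256 entries at 4 bytes instead of 2), which is the trade-off to weigh against the remaining silent wrap.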
@@ -74,7 +74,7 @@ static int jffs2_rtime_decompress(unsigned char *data_in,
 				  unsigned char *cpage_out,
 				  uint32_t srclen, uint32_t destlen)
 {
-	short positions[256];
+	unsigned short positions[256];
 	int outpos = 0;
 	int pos=0;
 
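Review bot: the decompressor's declaration has to match the compressor's exactly, since both sides derive their back-references from the same positions[] bookkeeping, and this hunk keeps them in step; a shared typedef, or at least a comment on each declaration pointing at the other, would stop the two copies drifting apart on a future change. The lines shown do not include the loop that consumes positions[], so it is not visible here whether the back offset read from positions[] is compared against outpos before bytes are copied from it; as decompression runs over flash contents, that check is worth confirming in the full function.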
-- 
1.9.2
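
As an added illustration (this is example code written for this page, not the
patch's code nor fs/jffs2/compr_rtime.c), the following C models the rtime scheme
the commit message describes: a (literal byte, run length) pair per unit, with
positions[] remembering where each byte value was last seen. rtime_stored_position()
shows what the pre-fix 'short' declaration does to a position above 32767, while
the compressor/decompressor pair use the fixed 'unsigned short'. The 65535 length
guard, the input-length checks in the decompressor, the function names and the
constructed sample buffer are this example's own assumptions, not something the
patch or the kernel code asserts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the JFFS2 "rtime" scheme, written for this page (not
 * fs/jffs2/compr_rtime.c). Output is a sequence of (literal byte, run length);
 * positions[literal] remembers where that literal's previous occurrence ended. */
#define RTIME_NPOS 256
#define RTIME_MAX_LEN 0xffffU	/* largest value a 16-bit positions[] slot holds */

/* What positions[value] yields after 'pos' was stored in a 'short' (the old
 * declaration) versus an 'unsigned short' (the fix). Out-of-range conversion to
 * short is implementation-defined; gcc and clang wrap mod 2^16, so 32768..65535
 * come back negative and data_in[backpos] then reads before the buffer. */
int rtime_stored_position(uint32_t pos, int as_signed_short)
{
	return as_signed_short ? (int)(short)pos : (int)(unsigned short)pos;
}

/* Returns the compressed size, or -1 if the input is too long for 16-bit
 * positions, the output buffer is too small, or nothing was gained. */
int rtime_compress(const unsigned char *in, uint32_t inlen,
		   unsigned char *out, uint32_t outcap)
{
	unsigned short positions[RTIME_NPOS];	/* the fixed type */
	uint32_t pos = 0, outpos = 0;

	/* Added guard (this example's assumption): 65536 would wrap to 0 in a
	 * 16-bit slot, the same silent truncation the sign fix removed at 32768. */
	if (inlen > RTIME_MAX_LEN)
		return -1;
	memset(positions, 0, sizeof(positions));
	while (pos < inlen && outpos + 2 <= outcap) {
		unsigned char value = in[pos];
		uint32_t backpos, runlen = 0;
		out[outpos++] = in[pos++];
		backpos = positions[value];
		positions[value] = (unsigned short)pos;
		while (backpos < pos && pos < inlen &&
		       in[pos] == in[backpos] && runlen < 255) {
			pos++; backpos++; runlen++;
		}
		out[outpos++] = (unsigned char)runlen;
	}
	if (pos < inlen || outpos >= inlen)
		return -1;
	return (int)outpos;
}

/* Returns bytes produced, or -1 on malformed input. The checks on 'in' are
 * added here: the decompressor consumes flash contents, which are untrusted. */
int rtime_decompress(const unsigned char *in, uint32_t inlen,
		     unsigned char *out, uint32_t destlen)
{
	unsigned short positions[RTIME_NPOS];
	uint32_t pos = 0, outpos = 0;

	if (destlen > RTIME_MAX_LEN)
		return -1;
	memset(positions, 0, sizeof(positions));
	while (outpos < destlen) {
		uint32_t backoffs, repeat;
		unsigned char value;
		if (pos + 2 > inlen)
			return -1;		/* truncated (literal, run) pair */
		value = in[pos++];
		out[outpos++] = value;
		repeat = in[pos++];
		backoffs = positions[value];	/* always below outpos */
		positions[value] = (unsigned short)outpos;
		if (repeat > destlen - outpos)
			return -1;		/* run would overrun the page */
		while (repeat--)		/* byte-wise: source may overlap dest */
			out[outpos++] = out[backoffs++];
	}
	return (int)outpos;
}

/* Round-trips a constructed buffer (runs of 'x' broken by short bursts of other
 * bytes) long enough that stored positions pass 32767; 1 on success, else 0. */
int rtime_roundtrip_ok(uint32_t len)
{
	static unsigned char src[RTIME_MAX_LEN + 1], packed[RTIME_MAX_LEN + 1],
			     back[RTIME_MAX_LEN + 1];
	uint32_t i;
	int n;
	if (len > RTIME_MAX_LEN)
		return 0;
	for (i = 0; i < len; i++)
		src[i] = (i % 1000 < 900) ? 'x' : (unsigned char)(i * 7);
	n = rtime_compress(src, len, packed, sizeof(packed));
	if (n < 0 || rtime_decompress(packed, (uint32_t)n, back, len) != (int)len)
		return 0;
	return memcmp(src, back, len) == 0;
}

int main(void)
{
	printf("pos 40000 via short: %d, via unsigned short: %d; round trip: %s\n",
	       rtime_stored_position(40000, 1), rtime_stored_position(40000, 0),
	       rtime_roundtrip_ok(48000) ? "ok" : "FAILED");
	return 0;
}
```

With the signed declaration, the first literal whose stored position exceeds
32767 hands the next run-matching loop a negative backpos, so the read lands
below data_in, which on the MIPS box in the report is an unmapped kernel
address. The example's 65535 guard is the point the patch leaves open: the
unsigned type only moves the silent wrap from 32768 to 65536.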



Thread overview: 52+ messages
2014-05-05 12:28 [PATCH 3.12 00/50] 3.12.19-stable review Jiri Slaby
2014-05-05 12:42 ` [PATCH 3.12 01/50] openvswitch: fix vport-netdev unregister Jiri Slaby
2014-05-05 12:42 ` [PATCH 3.12 02/50] brcmsmac: fix deadlock on missing firmware Jiri Slaby
2014-05-05 12:42 ` [PATCH 3.12 03/50] /dev/mem: handle out-of-bounds read/write Jiri Slaby
2014-05-05 12:42 ` [PATCH 3.12 04/50] drivers/net: tulip_remove_one needs to call pci_disable_device() Jiri Slaby
2014-05-05 12:42 ` [PATCH 3.12 05/50] Bluetooth: Add support for Intel Bluetooth device [8087:0a2a] Jiri Slaby
2014-05-05 12:42 ` [PATCH 3.12 06/50] iommu/amd: Fix PASID format in INVALIDATE_IOTLB_PAGES command Jiri Slaby
2014-05-05 12:42 ` [PATCH 3.12 07/50] usbatm: Fix dynamic_debug / ratelimited atm_dbg and atm_rldbg macros Jiri Slaby
2014-05-05 12:42 ` [PATCH 3.12 08/50] printk: pr_debug_ratelimited: check state first to reduce "callbacks suppressed" messages Jiri Slaby
2014-05-05 12:42 ` [PATCH 3.12 09/50] dcache: restore error on restart in prepend_path Jiri Slaby
2014-05-05 12:42 ` [PATCH 3.12 10/50] __dentry_path() fixes Jiri Slaby
2014-05-05 12:42 ` [PATCH 3.12 11/50] i2c: i801: enable Intel BayTrail SMBUS Jiri Slaby
2014-05-05 12:42 ` [PATCH 3.12 12/50] e1000e: Fix no connectivity when driver loaded with cable out Jiri Slaby
2014-05-05 12:42 ` [PATCH 3.12 13/50] ACPI / EC: Process rather than discard events in acpi_ec_clear Jiri Slaby
2014-05-05 12:42 ` [PATCH 3.12 14/50] ARM: 7840/1: LPAE: don't reject mapping /dev/mem above 4GB Jiri Slaby
2014-05-05 12:42 ` [PATCH 3.12 15/50] x86/quirks: Add workaround for AMD F16h Erratum792 Jiri Slaby
2014-05-05 12:42 ` [PATCH 3.12 16/50] amd64_edac: Fix logic to determine channel for F15 M30h processors Jiri Slaby
2014-05-05 12:42 ` [PATCH 3.12 17/50] backing_dev: fix hung task on sync Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 18/50] bdi: avoid oops on device removal Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 19/50] virtio_balloon: don't softlockup on huge balloon changes Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 20/50] ipmi: Fix a race restarting the timer Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 21/50] KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155) Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 22/50] net: ipv4: current group_info should be put after using Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 24/50] powerpc/8xx: mfspr SPRN_TBRx in lieu of mftb/mftbu is not supported Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 25/50] ACPI / sleep: remove panic in case hardware has changed after S4 Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 26/50] user namespace: fix incorrect memory barriers Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 27/50] x86: Adjust irq remapping quirk for older revisions of 5500/5520 chipsets Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 28/50] PCI: designware: Fix RC BAR to be single 64-bit non-prefetchable memory BAR Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 29/50] PCI: designware: Fix iATU programming for cfg1, io and mem viewport Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 30/50] ACPI / button: Add ACPI Button event via netlink routine Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 31/50] staging: comedi: 8255_pci: initialize MITE data window Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 32/50] tty: Set correct tty name in 'active' sysfs attribute Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 33/50] tty: Fix low_latency BUG Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 35/50] Bluetooth: Fix removing Long Term Key Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 36/50] xfs: fix directory hash ordering bug Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 37/50] Btrfs: skip submitting barrier for missing device Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 38/50] Btrfs: fix deadlock with nested trans handles Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 39/50] ext4: fix error return from ext4_ext_handle_uninitialized_extents() Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 40/50] ext4: fix partial cluster handling for bigalloc file systems Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 41/50] ext4: fix premature freeing of partial clusters split across leaf blocks Jiri Slaby
2014-05-05 12:43 ` Jiri Slaby [this message]
2014-05-05 12:43 ` [PATCH 3.12 43/50] jffs2: Fix crash due to truncation of csize Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 44/50] jffs2: avoid soft-lockup in jffs2_reserve_space_gc() Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 45/50] jffs2: remove from wait queue after schedule() Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 46/50] sparc32: fix build failure for arch_jump_label_transform Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 47/50] sparc64: don't treat 64-bit syscall return codes as 32-bit Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 48/50] sparc64: Make sure %pil interrupts are enabled during hypervisor yield Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 49/50] wait: fix reparent_leader() vs EXIT_DEAD->EXIT_ZOMBIE race Jiri Slaby
2014-05-05 12:43 ` [PATCH 3.12 50/50] exit: call disassociate_ctty() before exit_task_namespaces() Jiri Slaby
2014-05-05 15:45 ` [PATCH 3.12 00/50] 3.12.19-stable review Guenter Roeck
2014-05-06 14:57 ` Shuah Khan
2014-05-09  8:32   ` Jiri Slaby
