jffs2: Fix crash due to truncation of csize

Linux-MTD Mailing List linux-mtd at lists.infradead.org
Sat Apr 5 02:59:03 EDT 2014


Gitweb:     http://git.infradead.org/?p=mtd-2.6.git;a=commit;h=41bf1a24c1001f4d0d41a78e1ac575d2f14789d7
Commit:     41bf1a24c1001f4d0d41a78e1ac575d2f14789d7
Parent:     3367da5610c50e6b83f86d366d72b41b350b06a2
Author:     Ajesh Kunhipurayil Vijayan <ajesh at broadcom.com>
AuthorDate: Mon Jan 6 19:06:55 2014 +0530
Committer:  Brian Norris <computersforpeace at gmail.com>
CommitDate: Mon Mar 10 22:42:28 2014 -0700

    jffs2: Fix crash due to truncation of csize
    
    Mounting a JFFS2 partition sometimes crashes with this call trace:
    
    [ 1322.240000] Kernel bug detected[#1]:
    [ 1322.244000] Cpu 2
    [ 1322.244000] $ 0   : 0000000000000000 0000000000000018 000000003ff00070 0000000000000001
    [ 1322.252000] $ 4   : 0000000000000000 c0000000f3980150 0000000000000000 0000000000010000
    [ 1322.260000] $ 8   : ffffffffc09cd5f8 0000000000000001 0000000000000088 c0000000ed300de8
    [ 1322.268000] $12   : e5e19d9c5f613a45 ffffffffc046d464 0000000000000000 66227ba5ea67b74e
    [ 1322.276000] $16   : c0000000f1769c00 c0000000ed1e0200 c0000000f3980150 0000000000000000
    [ 1322.284000] $20   : c0000000f3a80000 00000000fffffffc c0000000ed2cfbd8 c0000000f39818f0
    [ 1322.292000] $24   : 0000000000000004 0000000000000000
    [ 1322.300000] $28   : c0000000ed2c0000 c0000000ed2cfab8 0000000000010000 ffffffffc039c0b0
    [ 1322.308000] Hi    : 000000000000023c
    [ 1322.312000] Lo    : 000000000003f802
    [ 1322.316000] epc   : ffffffffc039a9f8 check_tn_node+0x88/0x3b0
    [ 1322.320000]     Not tainted
    [ 1322.324000] ra    : ffffffffc039c0b0 jffs2_do_read_inode_internal+0x1250/0x1e48
    [ 1322.332000] Status: 5400f8e3    KX SX UX KERNEL EXL IE
    [ 1322.336000] Cause : 00800034
    [ 1322.340000] PrId  : 000c1004 (Netlogic XLP)
    [ 1322.344000] Modules linked in:
    [ 1322.348000] Process jffs2_gcd_mtd7 (pid: 264, threadinfo=c0000000ed2c0000, task=c0000000f0e68dd8, tls=0000000000000000)
    [ 1322.356000] Stack : c0000000f1769e30 c0000000ed010780 c0000000ed010780 c0000000ed300000
            c0000000f1769c00 c0000000f3980150 c0000000f3a80000 00000000fffffffc
            c0000000ed2cfbd8 ffffffffc039c0b0 ffffffffc09c6340 0000000000001000
            0000000000000dec ffffffffc016c9d8 c0000000f39805a0 c0000000f3980180
            0000008600000000 0000000000000000 0000000000000000 0000000000000000
            0001000000000dec c0000000f1769d98 c0000000ed2cfb18 0000000000010000
            0000000000010000 0000000000000044 c0000000f3a80000 c0000000f1769c00
            c0000000f3d207a8 c0000000f1769d98 c0000000f1769de0 ffffffffc076f9c0
            0000000000000009 0000000000000000 0000000000000000 ffffffffc039cf90
            0000000000000017 ffffffffc013fbdc 0000000000000001 000000010003e61c
            ...
    [ 1322.424000] Call Trace:
    [ 1322.428000] [<ffffffffc039a9f8>] check_tn_node+0x88/0x3b0
    [ 1322.432000] [<ffffffffc039c0b0>] jffs2_do_read_inode_internal+0x1250/0x1e48
    [ 1322.440000] [<ffffffffc039cf90>] jffs2_do_crccheck_inode+0x70/0xd0
    [ 1322.448000] [<ffffffffc03a1b80>] jffs2_garbage_collect_pass+0x160/0x870
    [ 1322.452000] [<ffffffffc03a392c>] jffs2_garbage_collect_thread+0xdc/0x1f0
    [ 1322.460000] [<ffffffffc01541c8>] kthread+0xb8/0xc0
    [ 1322.464000] [<ffffffffc0106d18>] kernel_thread_helper+0x10/0x18
    [ 1322.472000]
    [ 1322.472000]
    Code: 67bd0050  94a4002c  2c830001 <00038036> de050218  2403fffc  0080a82d  00431824  24630044
    [ 1322.480000] ---[ end trace b052bb90e97dfbf5 ]---
    
    The variable csize in structure jffs2_tmp_dnode_info is of type uint16_t, but it
    is used to hold the compressed data length (csize), which is declared as uint32_t.
    So, when the value of csize exceeds 16 bits, it gets truncated when assigned to
    tn->csize. This is causing a kernel BUG.
    Changing the definition of csize in jffs2_tmp_dnode_info to uint32_t fixes the issue.
    
    Signed-off-by: Ajesh Kunhipurayil Vijayan <ajesh at broadcom.com>
    Signed-off-by: Kamlakant Patel <kamlakant.patel at broadcom.com>
    Cc: <stable at vger.kernel.org>
    Signed-off-by: Brian Norris <computersforpeace at gmail.com>
---
 fs/jffs2/nodelist.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/jffs2/nodelist.h b/fs/jffs2/nodelist.h
index e4619b0..fa35ff7 100644
--- a/fs/jffs2/nodelist.h
+++ b/fs/jffs2/nodelist.h
@@ -231,7 +231,7 @@ struct jffs2_tmp_dnode_info
 	uint32_t version;
 	uint32_t data_crc;
 	uint32_t partial_crc;
-	uint16_t csize;
+	uint32_t csize;
 	uint16_t overlapped;
 };
 
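Review bot: the widening removes the truncation, but nothing in this hunk bounds the 32-bit csize that now reaches tn->csize unchanged from flash; the old 16-bit field silently discarded the upper bits, so it is worth confirming, and stating in the commit message, that csize is validated against the node's total length before check_tn_node consumes it. A minor layout point: with `uint32_t csize;` immediately followed by `uint16_t overlapped;` the struct now ends in two bytes of padding, so sizeof(struct jffs2_tmp_dnode_info) can grow by four bytes; acceptable for a correctness fix, but worth a mention given the Cc to stable.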
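The narrowing described in the commit message, as an added C example that is not part of the commit or of the JFFS2 code: it models the pre-fix and post-fix in-memory records, shows what the implicit uint32_t-to-uint16_t store does to a length such as 0x10000 (the smallest value that truncates to zero), and adds two defensive helpers. The struct names, the zero-csize test standing in for the kernel BUG(), and the `csize_fits` range check are assumptions made for the illustration; the page only says the truncation causes a kernel BUG.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* In-memory record before the fix: csize is only 16 bits wide
 * (constructed stand-in for struct jffs2_tmp_dnode_info). */
struct tmp_dnode_old {
    uint16_t csize;
    uint16_t overlapped;
};

/* In-memory record after the fix, as in the patch: csize widened to 32 bits. */
struct tmp_dnode_new {
    uint32_t csize;
    uint16_t overlapped;
};

/* What the implicit narrowing conversion does to a 32-bit length:
 * only the low 16 bits survive, so 0x10000 becomes 0. */
uint16_t truncate_to_u16(uint32_t csize)
{
    return (uint16_t)csize;
}

/* Old path: copy the on-flash csize (32-bit) into the record, then apply a
 * sanity test that a node with an empty compressed payload must never pass.
 * Returns the stored value, or -1 where the kernel would have hit BUG().
 * Assumption: the tripped check is a zero-csize test; the page names only
 * "kernel BUG". */
int64_t read_csize_old(uint32_t on_flash_csize)
{
    struct tmp_dnode_old tn = { 0, 0 };
    tn.csize = on_flash_csize;          /* silent truncation happens here */
    if (tn.csize == 0)
        return -1;
    return tn.csize;
}

/* Post-fix path: the same store with the widened field; no bits are lost. */
int64_t read_csize_new(uint32_t on_flash_csize)
{
    struct tmp_dnode_new tn = { 0, 0 };
    tn.csize = on_flash_csize;
    if (tn.csize == 0)
        return -1;
    return tn.csize;
}

/* Defensive store: refuse the narrowing instead of letting it happen.
 * Returns -1 when the value does not fit a 16-bit field, else the stored value.
 * This is the check that would have surfaced the bug at review time. */
int64_t narrow_checked(uint32_t value)
{
    uint16_t dst;
    if (value > UINT16_MAX)
        return -1;
    dst = (uint16_t)value;
    return dst;
}

/* Range check on an untrusted on-flash length (hypothetical helper): the
 * compressed payload must be non-empty and fit inside the node carrying it. */
bool csize_fits(uint32_t csize, uint32_t totlen, uint32_t header_len)
{
    return csize != 0 && totlen >= header_len && csize <= totlen - header_len;
}

int main(void)
{
    uint32_t csize = 0x10000u;   /* constructed sample length, 65536 bytes */
    printf("csize 0x%x -> uint16_t 0x%x\n", csize, truncate_to_u16(csize));
    printf("old record: %lld (-1 = BUG)\n", (long long)read_csize_old(csize));
    printf("new record: %lld\n", (long long)read_csize_new(csize));
    printf("checked store: %lld (-1 = rejected)\n", (long long)narrow_checked(csize));
    return 0;
}
```

The two defensive helpers are complementary: `narrow_checked` catches the width mismatch at the point of the store, while `csize_fits` rejects an on-flash length that is inconsistent with its node regardless of field width, which is the check a reviewer would want alongside the widening.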


