| Message ID | 1525859855-9173-1-git-send-email-eugen.hristev@microchip.com |
|---|---|
| State | Superseded |
| Delegated to | Tom Rini |
| Series | [U-Boot] fs: ext4: fix crash on ext4ls |
On Wed, May 09, 2018 at 12:57:35PM +0300, Eugen Hristev wrote:
> Found a crash while issuing ext4ls with a non-existent directory.
> Crash test:
>
> => ext4ls mmc 0 1
> ** Can not find directory. **
> data abort
> pc : [<3fd7c2ec>] lr : [<3fd93ed8>]
> reloc pc : [<26f142ec>] lr : [<26f2bed8>]
> sp : 3f963338 ip : 3fdc3dc4 fp : 3fd6b370
> r10: 00000004 r9 : 3f967ec0 r8 : 3f96db68
> r7 : 3fdc99b4 r6 : 00000000 r5 : 3f96dc88 r4 : 3fdcbc8c
> r3 : fffffffa r2 : 00000000 r1 : 3f96e0bc r0 : 00000002
> Flags: nZCv IRQs off FIQs off Mode SVC_32
> Resetting CPU ...
>
> resetting ...
>
> Tested on SAMA5D2_Xplained board (sama5d2_xplained_mmc_defconfig)
>
> Looks like crash is introduced by commit:
> "fa9ca8a" fs/ext4/ext4fs.c: Free dirnode in error path of ext4fs_ls
>
> Issue is that dirnode is not initialized, and then freed if the call
> to ext4_ls fails. ext4_ls will not change the value of dirnode in this case
> thus we have a crash with data abort.
>
> I added initialization and a check for dirname being NULL.
>
> Fixes: "fa9ca8a" fs/ext4/ext4fs.c: Free dirnode in error path of ext4fs_ls
> Cc: Stefan Brüns <stefan.bruens@rwth-aachen.de>
> Cc: Tom Rini <trini@konsulko.com>
> Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
> ---
> Hello,
>
> Regarding this fix, I am not sure if we actually need to free the node, but
> according to commit "fa9ca8a" , it was added to fix Coverity case.
> So, I decided to keep the free call under if statement if variable is NULL.
> If a different fix is required, please advise and I can change and resend.
>
> Thanks !
>
> fs/ext4/ext4fs.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
> index 4b36a3e..2a28031 100644
> --- a/fs/ext4/ext4fs.c
> +++ b/fs/ext4/ext4fs.c
> @@ -164,7 +164,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, > > int ext4fs_ls(const char *dirname) > { > - struct ext2fs_node *dirnode; > + struct ext2fs_node *dirnode = NULL; > int status; > > if (dirname == NULL) > @@ -174,7 +174,8 @@ int ext4fs_ls(const char *dirname) > FILETYPE_DIRECTORY); > if (status != 1) { > printf("** Can not find directory. **\n"); > - ext4fs_free_node(dirnode, &ext4fs_root->diropen); > + if (dirnode) > + ext4fs_free_node(dirnode, &ext4fs_root->diropen); > return 1; > } This looks good. Can you please do a v2 that also updates test/fs/fs-test.sh to have a test for this case? Thanks!
diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c index 4b36a3e..2a28031 100644 --- a/fs/ext4/ext4fs.c +++ b/fs/ext4/ext4fs.c @@ -164,7 +164,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos, int ext4fs_ls(const char *dirname) { - struct ext2fs_node *dirnode; + struct ext2fs_node *dirnode = NULL; int status; if (dirname == NULL) @@ -174,7 +174,8 @@ int ext4fs_ls(const char *dirname) FILETYPE_DIRECTORY); if (status != 1) { printf("** Can not find directory. **\n"); - ext4fs_free_node(dirnode, &ext4fs_root->diropen); + if (dirnode) + ext4fs_free_node(dirnode, &ext4fs_root->diropen); return 1; }
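Review bot: the commit message describes this change as adding "a check for dirname being NULL", but `if (dirname == NULL)` is already present as unchanged context in the first hunk (@@ -164,7 +164,7 @@); what that hunk adds is the `= NULL` initialisation of `dirnode`, and the guard in the second hunk tests `dirnode`, not `dirname`. Suggest rewording the message for the v2 to say that `dirnode` is initialised to NULL and the free is guarded on `dirnode`, and correcting the cover note's "keep the free call under if statement if variable is NULL" to "not NULL", since the free now runs only when `dirnode` is non-NULL.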
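Review bot: in the second hunk (@@ -174,7 +174,8 @@) the `if (dirnode)` guard in front of `ext4fs_free_node(dirnode, &ext4fs_root->diropen);` is only sound together with the `= NULL` initialisation from the first hunk, and it relies on the lookup call (whose closing `FILETYPE_DIRECTORY);` line is this hunk's first context line) leaving `dirnode` untouched when it fails, as the commit message states. A one-line comment above the guard recording that assumption would stop a later cleanup from dropping either the initialisation or the guard as apparently redundant. Since the cover note itself doubts whether the free is needed, the v2 message should also state whether the callee can ever hand back a partially allocated node on failure; that is the only case in which this free does anything, and otherwise it is kept purely to satisfy the Coverity finding that motivated fa9ca8a.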
Found a crash while issuing ext4ls with a non-existent directory.
Crash test:

=> ext4ls mmc 0 1
** Can not find directory. **
data abort
pc : [<3fd7c2ec>] lr : [<3fd93ed8>]
reloc pc : [<26f142ec>] lr : [<26f2bed8>]
sp : 3f963338 ip : 3fdc3dc4 fp : 3fd6b370
r10: 00000004 r9 : 3f967ec0 r8 : 3f96db68
r7 : 3fdc99b4 r6 : 00000000 r5 : 3f96dc88 r4 : 3fdcbc8c
r3 : fffffffa r2 : 00000000 r1 : 3f96e0bc r0 : 00000002
Flags: nZCv IRQs off FIQs off Mode SVC_32
Resetting CPU ...

resetting ...

Tested on SAMA5D2_Xplained board (sama5d2_xplained_mmc_defconfig)

Looks like crash is introduced by commit:
"fa9ca8a" fs/ext4/ext4fs.c: Free dirnode in error path of ext4fs_ls

Issue is that dirnode is not initialized, and then freed if the call
to ext4_ls fails. ext4_ls will not change the value of dirnode in this case,
thus we have a crash with data abort.

I added initialization and a check for dirname being NULL.

Fixes: "fa9ca8a" fs/ext4/ext4fs.c: Free dirnode in error path of ext4fs_ls
Cc: Stefan Brüns <stefan.bruens@rwth-aachen.de>
Cc: Tom Rini <trini@konsulko.com>
Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
---
Hello,

Regarding this fix, I am not sure if we actually need to free the node, but
according to commit "fa9ca8a", it was added to fix a Coverity case.
So, I decided to keep the free call under an if statement if the variable is NULL.
If a different fix is required, please advise and I can change and resend.

Thanks!

fs/ext4/ext4fs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)