From kettenis@elgar.kettenis.dyndns.org  Mon Oct 14 13:16:45 2002
Return-Path: <kettenis@elgar.kettenis.dyndns.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4D5B337B401
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 14 Oct 2002 13:16:45 -0700 (PDT)
Received: from walton.kettenis.dyndns.org (a169250.upc-a.chello.nl [62.163.169.250])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BDE9E43E9C
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 14 Oct 2002 13:16:43 -0700 (PDT)
	(envelope-from kettenis@elgar.kettenis.dyndns.org)
Received: from elgar.kettenis.dyndns.org (elgar.kettenis.dyndns.org [192.168.0.2])
	by walton.kettenis.dyndns.org (8.12.5/8.12.5) with ESMTP id g9EKGfA1000376
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 14 Oct 2002 22:16:41 +0200 (CEST)
	(envelope-from kettenis@elgar.kettenis.dyndns.org)
Received: from elgar.kettenis.dyndns.org (localhost [127.0.0.1])
	by elgar.kettenis.dyndns.org (8.12.6/8.12.6) with ESMTP id g9EKGfW6003888
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 14 Oct 2002 22:16:41 +0200 (CEST)
	(envelope-from kettenis@elgar.kettenis.dyndns.org)
Received: (from kettenis@localhost)
	by elgar.kettenis.dyndns.org (8.12.6/8.12.6/Submit) id g9EKGelQ003887;
	Mon, 14 Oct 2002 22:16:40 +0200 (CEST)
Message-Id: <200210142016.g9EKGelQ003887@elgar.kettenis.dyndns.org>
Date: Mon, 14 Oct 2002 22:16:40 +0200 (CEST)
From: Mark Kettenis <kettenis@chello.nl>
Reply-To: Mark Kettenis <kettenis@chello.nl>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [PATCH] for panic in ext2fs
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         44060
>Category:       kern
>Synopsis:       [PATCH] for panic in ext2fs
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 14 13:20:02 PDT 2002
>Closed-Date:    Sat Nov 16 18:15:32 PST 2002
>Last-Modified:  Sat Nov 16 18:15:32 PST 2002
>Originator:     Mark Kettenis
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD elgar.kettenis.dyndns.org 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Mon Oct 14 13:24:27 CEST 2002 kettenis@elgar.kettenis.dyndns.org:/usr/obj/usr/src/sys/GENERIC i386

>Description:
There's a bug in ext2fs that leads to a kernel panic in -CURRENT
(unless option NO_GEOM is present in your config).

>How-To-Repeat:
In my case this happens when I try to run the GDB testsuite with the
GDB sources mounted from an ext2fs filesystem.

>Fix:

The attached patch fixes the bug.  In the fragment of code displayed
in the patch, `ep' is a pointer into `bp->b_data' (where `bp' is a
`struct buf').  Since the code leading up to this point brelse()'s the
buffer, we're potentially accessing memory that's no longer there.  In
a GEOMised kernel this seems to be happening, and the resulting page
fault leads to a kernel panic.  Storing the value of ep->name_len in a
local variable should solve the problem.  It turns out there is
already such a variable called `namelen', so this patch simply uses
that variable.  Seems to solve the problem for me.  This patch is
against version 1.36 of ext2_lookup.c

   http://members.chello.nl/~m.m.kettenis/FreeBSD/5-current/ext2fs.patch.

Mark

--- /usr/src/sys/gnu/ext2fs/ext2_lookup.c.orig	Thu Aug 15 22:55:01 2002
+++ /usr/src/sys/gnu/ext2fs/ext2_lookup.c	Mon Oct 14 21:19:30 2002
@@ -563,10 +563,9 @@ found:
 	 * Check that directory length properly reflects presence
 	 * of this entry.
 	 */
-	if (entryoffsetinblock + EXT2_DIR_REC_LEN(ep->name_len)
-		> dp->i_size) {
+	if (entryoffsetinblock + EXT2_DIR_REC_LEN(namlen) > dp->i_size) {
 		ext2_dirbad(dp, dp->i_offset, "i_size too small");
-		dp->i_size = entryoffsetinblock+EXT2_DIR_REC_LEN(ep->name_len);
+		dp->i_size = entryoffsetinblock + EXT2_DIR_REC_LEN(namlen);
 		dp->i_flag |= IN_CHANGE | IN_UPDATE;
 	}
 
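Review bot: the hunk does not show where `namlen` is assigned, so the fix is only sound if the last assignment to `namlen` came from the same `ep` that reaches `found:` and nothing between that assignment and this check overwrites it; that is worth confirming in the search loop, and a one-line comment at the assignment (e.g. "kept: ep's buffer is brelse()'d before found:") would stop a later cleanup from reintroducing the `ep->name_len` read. `ep` itself still dangles after this check, so any remaining `ep->` dereference on the found path needs the same treatment, or the check should be moved ahead of the brelse().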
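The stale-buffer read described in the Fix section, as an added example that is not part of this PR or of the FreeBSD sources: a user-space model in which bread_model() and brelse_model() (hypothetical names) stand in for the kernel buffer cache, brelse_model() overwrites the released data to imitate the buffer being recycled, and the pre-patch and post-patch shapes of the i_size check are run against a constructed one-entry directory block. The EXT2_DIR_REC_LEN rounding and the directory-entry layout follow the ext2 on-disk format; the buffer model, function names and sample data are assumptions made for the example.

```c
/*
 * Added example, not FreeBSD code: a user-space model of the stale-pointer
 * read described in the PR.  bread_model()/brelse_model() stand in for the
 * kernel buffer cache.  brelse_model() fills the data with 0xff to imitate
 * the buffer being recycled; in a GEOM kernel the page may be unmapped
 * instead, so the real symptom is a page fault rather than a bogus length.
 */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same rounding as the ext2fs macro: 8 header bytes plus name, rounded to 4. */
#define EXT2_DIR_REC_LEN(name_len) (((name_len) + 8 + 3) & ~3)

/* On-disk ext2 directory entry: name_len lives at byte 6. */
struct ext2_dirent {
	uint32_t inode;
	uint16_t rec_len;
	uint8_t  name_len;
	uint8_t  file_type;
	char     name[];
};

struct buf_model {
	unsigned char *b_data;
	size_t         b_bufsize;
	int            released;
};

/* One static slot stands in for the buffer cache; the union keeps it aligned. */
static union { uint32_t align; unsigned char bytes[1024]; } pool;
static struct buf_model the_buf;

static struct buf_model *bread_model(const unsigned char *blk, size_t len)
{
	if (len > sizeof pool.bytes)
		len = sizeof pool.bytes;
	memcpy(pool.bytes, blk, len);
	the_buf.b_data = pool.bytes;
	the_buf.b_bufsize = len;
	the_buf.released = 0;
	return &the_buf;
}

static void brelse_model(struct buf_model *bp)
{
	/* Simulated recycle: anything still pointing into b_data now sees junk. */
	memset(bp->b_data, 0xff, bp->b_bufsize);
	bp->released = 1;
}

/* Pre-patch shape: ep->name_len is read after the buffer has been released. */
static uint32_t isize_check_buggy(const unsigned char *blk, size_t len,
    uint32_t entryoffsetinblock, uint32_t i_size)
{
	struct buf_model *bp = bread_model(blk, len);
	struct ext2_dirent *ep = (struct ext2_dirent *)(bp->b_data + entryoffsetinblock);

	brelse_model(bp);		/* ep now dangles into recycled memory */
	if (entryoffsetinblock + EXT2_DIR_REC_LEN(ep->name_len) > i_size)
		i_size = entryoffsetinblock + EXT2_DIR_REC_LEN(ep->name_len);
	return i_size;
}

/* Post-patch shape: copy name_len into a local while the buffer is still held. */
static uint32_t isize_check_fixed(const unsigned char *blk, size_t len,
    uint32_t entryoffsetinblock, uint32_t i_size)
{
	struct buf_model *bp = bread_model(blk, len);
	struct ext2_dirent *ep = (struct ext2_dirent *)(bp->b_data + entryoffsetinblock);
	int namlen = ep->name_len;	/* captured before brelse(), as the patch does */

	brelse_model(bp);
	if (entryoffsetinblock + EXT2_DIR_REC_LEN(namlen) > i_size)
		i_size = entryoffsetinblock + EXT2_DIR_REC_LEN(namlen);
	return i_size;
}

/* Constructed directory block: one entry for "hello" (name_len 5) at offset 0. */
static const unsigned char sample_block[16] = {
	0x0c, 0x00, 0x00, 0x00,		/* inode 12 */
	0x10, 0x00,			/* rec_len 16 */
	0x05,				/* name_len 5 */
	0x01,				/* file_type: regular file */
	'h', 'e', 'l', 'l', 'o', 0, 0, 0
};

int main(void)
{
	uint32_t short_isize = 8;	/* deliberately smaller than the entry */

	printf("fixed: i_size -> %" PRIu32 "\n",
	    isize_check_fixed(sample_block, sizeof sample_block, 0, short_isize));
	printf("buggy: i_size -> %" PRIu32 "\n",
	    isize_check_buggy(sample_block, sizeof sample_block, 0, short_isize));
	return 0;
}
```

With i_size too small, the fixed check grows it to 16 (EXT2_DIR_REC_LEN(5)); the buggy check reads 0xff from the recycled buffer and writes back 264, which is the "corrected" i_size the real code would have stored had the page still been mapped.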
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: bde 
State-Changed-When: Sat Nov 16 18:11:31 PST 2002 
State-Changed-Why:  
Fixed rev.1.37 (-current) and rev.1.21.2.3 (RELENG_4) of ext2_lookup.c 
using the same patch as in ufs_lookup.c where this problem had been fixed 
long ago. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=44060 
>Unformatted:
