LKML Archive on lore.kernel.org
From: Mingming Cao <cmm@us.ibm.com>
To: Andrew Morton <akpm@osdl.org>
Cc: ext2-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: [PATCH] use-before-uninitialized value in ext3(2)_find_ goal
Date: 19 May 2004 11:51:43 -0700
Message-ID: <1084992705.15395.1276.camel@w-ming2.beaverton.ibm.com>
In-Reply-To: <20040519043235.30d47edb.akpm@osdl.org>


I am looking at how the goal for block allocation is determined in
ext3_find_goal(), so I wrote a very simple test to do random writes by
one process on one file (write(), then lseek, then write, then lseek).
The test shows a bug there.

There is an uninitialized goal value being referenced in both the ext3 and
ext2 find-goal-block functions (ext3_find_goal() and ext2_find_goal()).
In the non-sequential write case, these functions check the goal
value (non-zero) before calling ext3(2)_find_near() to find the goal
block to allocate. Since the goal value is uninitialized (non-zero),
ext3(2)_find_near() is never called in the non-sequential write case,
thus ext3(2)_find_goal() fails to guide a goal block in the random
write case.

ext3(2)_new_block() takes the junk goal value and will turn it into goal 0,
since it's normally beyond the filesystem block number limit.

The fix is trivial. 


---

 src-ming/fs/ext2/inode.c |    1 +
 src-ming/fs/ext3/inode.c |    1 +
 2 files changed, 2 insertions(+)

diff -puN fs/ext3/inode.c~ext3_find_goal_uninitialization_fix fs/ext3/inode.c
--- src/fs/ext3/inode.c~ext3_find_goal_uninitialization_fix	2004-05-19 18:30:13.857197080 -0700
+++ src-ming/fs/ext3/inode.c	2004-05-19 18:45:31.689665336 -0700
@@ -748,6 +748,7 @@ out:
 	if (err == -EAGAIN)
 		goto changed;
 
+	goal = 0;
 	down(&ei->truncate_sem);
 	if (ext3_find_goal(inode, iblock, chain, partial, &goal) < 0) {
 		up(&ei->truncate_sem);
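Review bot: the added `goal = 0;` before `down(&ei->truncate_sem)` only covers this one path to the ext3_find_goal() call; since the description says ext3_find_goal() reads `*goal` before it may write it, initializing the variable at its declaration instead would cover every path that reaches the call and cannot be bypassed by a later `goto` into this region.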
diff -puN fs/ext2/inode.c~ext3_find_goal_uninitialization_fix fs/ext2/inode.c
--- src/fs/ext2/inode.c~ext3_find_goal_uninitialization_fix	2004-05-19 18:30:13.861196472 -0700
+++ src-ming/fs/ext2/inode.c	2004-05-19 18:45:40.586312840 -0700
@@ -584,6 +584,7 @@ out:
 	if (err == -EAGAIN)
 		goto changed;
 
+	goal = 0;
 	if (ext2_find_goal(inode, iblock, chain, partial, &goal) < 0)
 		goto changed;
 
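Review bot: nothing in this hunk records why zero is the right initial value; the description says ext2_find_goal() treats a non-zero `*goal` as an already chosen goal and only calls ext2_find_near() when it is zero, so a one-line comment on the `goal = 0;` line (e.g. `/* 0: let ext2_find_goal() pick a goal */`) would make that in/out contract visible to the next reader of the call site.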

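As an added illustration (not the mail's or the kernel's code) of the mechanism the description explains: a small C model in which find_goal() treats a non-zero incoming goal as already chosen and new_block() discards an out-of-range goal, so a junk initial value silently skips the find_near() heuristic while the patch's `goal = 0;` restores it. BLOCKS_COUNT, the junk value and the model_* names are constructed for this example.

```c
/* Added illustration, not kernel code: a simplified model of the in/out
 * "goal" contract the mail describes. find_goal() computes a goal only when
 * the incoming *goal is zero; new_block() drops a goal beyond the block
 * count. All sizes and values are constructed. */
#define BLOCKS_COUNT 8192UL             /* constructed filesystem size */

static unsigned long find_near_calls;    /* how often the heuristic ran */

/* stand-in for ext3(2)_find_near(): place the block next to the last one */
static unsigned long model_find_near(unsigned long last_block)
{
    find_near_calls++;
    return last_block + 1;
}

/* stand-in for ext3(2)_find_goal() in the non-sequential (random write)
 * case: the caller's *goal is read before it is ever written */
static void model_find_goal(unsigned long last_block, unsigned long *goal)
{
    if (*goal == 0)
        *goal = model_find_near(last_block);
}

/* stand-in for ext3(2)_new_block(): junk beyond the block count becomes 0 */
static unsigned long model_new_block(unsigned long goal)
{
    return goal < BLOCKS_COUNT ? goal : 0;
}

/* The call site with and without the patch's "goal = 0;". stack_junk stands
 * for whatever the uninitialized local happened to hold; returns the block
 * new_block() would start searching from. */
unsigned long model_alloc(unsigned long stack_junk, int fixed,
                          unsigned long last_block)
{
    unsigned long goal = stack_junk;     /* models the uninitialized local */
    if (fixed)
        goal = 0;                        /* the one-line fix from the patch */
    model_find_goal(last_block, &goal);
    return model_new_block(goal);
}

/* returns and clears the find_near() counter so each scenario is measured */
unsigned long take_find_near_calls(void)
{
    unsigned long n = find_near_calls;
    find_near_calls = 0;
    return n;
}
```

With junk 0xdeadbeef and last block 100, the unfixed path starts the search at block 0 with find_near() never run, while the fixed path starts at block 101 after one find_near() call.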


Thread overview:
     [not found] <20040519043235.30d47edb.akpm@osdl.org>
2004-05-19 18:51 ` Mingming Cao [this message]
2004-05-19 19:53   ` Chris Wright
2004-05-19 20:33     ` [Ext2-devel] " Mingming Cao
2004-05-19 21:06     ` Matthew Wilcox
2004-05-19 22:32       ` Chris Wright
