On Thu, Dec 07, 2017 at 11:08:18AM +0530, Chandan Rajendra wrote:
> On a ppc64 machine, when mounting a fuzzed ext2 image (generated by
> fsfuzzer) the following call trace is seen,
> ...
>
> This happens because the directory that ext4_find_entry() looks up has
> inode->i_size that is less than the block size of the filesystem. This
> causes 'nblocks' to have a value of zero. ext4_bread_batch() ends up not
> reading any of the directory file's blocks. This renders the entries in
> bh_use[] array to continue to have garbage data. buffer_uptodate() on
> bh_use[0] can then return a zero value upon which brelse() function is
> invoked.

Thanks for reporting the problem. Your patch wasn't quite right since
ret is not an int, but rather a struct buffer_head *, and the right
thing to do in this instance is to return NULL:

> nblocks = dir->i_size >> EXT4_BLOCK_SIZE_BITS(sb);
> + if (!nblocks) {
> + ret = NULL;
> + goto cleanup_and_exit;
> + }

I'll fix up your patch and include it in the ext4 tree, thanks.

- Ted
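Review bot: the guard sits immediately after `nblocks` is computed and before any `bh_use[]` slot is consulted, which is the right placement, and `ret = NULL` now matches the `struct buffer_head *` return type rather than the int the original version used. One thing to consider in the commit message: a directory whose `i_size` is smaller than the filesystem block size is an on-disk corruption (here from a fuzzed image), so a lookup that quietly returns "not found" hides that state; it may be worth noting whether the inode should also be flagged as corrupt at this point.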
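The failure mode in the thread, modelled as an added C example (this is not the kernel's ext4_find_entry() and not the patch under review; the block size, the two-block "disk", the `GARBAGE` sentinel and the helper names are all constructed for illustration). Uninitialised stack contents are represented by a poison pointer so the unguarded path can be observed without undefined behaviour: with `i_size` below the block size, `nblocks` is zero, the batch read loads nothing, and the scan loop consults `bh_use[0]` anyway; the guarded path returns NULL before touching the array, which is the effect of the `if (!nblocks)` check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed 4 KiB block size; the kernel derives this from the superblock. */
#define EXT4_BLOCK_SIZE_BITS 12
#define NAMEI_RA_SIZE 4

struct inode { uint64_t i_size; };
struct buffer_head { bool uptodate; const char *entry_name; };

/* Constructed directory: two on-disk blocks, each holding one entry. */
static struct buffer_head disk[2] = {
    { true, "lost+found" },
    { true, "file.txt" },
};

/* Sentinel standing in for the uninitialised stack contents of bh_use[]. */
#define GARBAGE ((struct buffer_head *)(uintptr_t)0xdeadbeef)

struct lookup {
    struct buffer_head *found;   /* block holding the entry, or NULL */
    bool touched_garbage;        /* lookup consulted a never-read bh_use slot */
};

static struct lookup model_find_entry(const struct inode *dir, const char *name, bool guarded)
{
    struct buffer_head *bh_use[NAMEI_RA_SIZE];
    struct lookup res = { NULL, false };
    unsigned int nblocks, i;

    /* Model an uninitialised stack array: every slot starts out as garbage. */
    for (i = 0; i < NAMEI_RA_SIZE; i++)
        bh_use[i] = GARBAGE;

    nblocks = (unsigned int)(dir->i_size >> EXT4_BLOCK_SIZE_BITS);
    if (guarded && !nblocks)
        return res;   /* the fix: no blocks means no entries, return NULL */

    /* Batch read: with nblocks == 0 this loop never runs and bh_use[0] stays garbage. */
    for (i = 0; i < nblocks && i < NAMEI_RA_SIZE && i < 2; i++)
        bh_use[i] = &disk[i];

    /* Scan loop: like the kernel's do/while, it looks at bh_use[0] at least once. */
    i = 0;
    do {
        struct buffer_head *bh = bh_use[i];
        if (bh == GARBAGE) {
            /* The bug: a garbage pointer would reach buffer_uptodate()/brelse(). */
            res.touched_garbage = true;
            break;
        }
        if (bh->uptodate && strcmp(bh->entry_name, name) == 0) {
            res.found = bh;
            break;
        }
    } while (++i < nblocks);
    return res;
}

/* Plain-value helpers: did the lookup consult garbage, and which block matched. */
static bool lookup_touches_garbage(uint64_t i_size, bool guarded)
{
    struct inode dir = { i_size };
    return model_find_entry(&dir, "file.txt", guarded).touched_garbage;
}

static int lookup_block_index(uint64_t i_size, const char *name, bool guarded)
{
    struct inode dir = { i_size };
    struct buffer_head *bh = model_find_entry(&dir, name, guarded).found;
    return bh ? (int)(bh - disk) : -1;
}

int main(void)
{
    printf("i_size=100, unguarded: touches garbage = %d\n", lookup_touches_garbage(100, false));
    printf("i_size=100, guarded:   touches garbage = %d\n", lookup_touches_garbage(100, true));
    printf("i_size=8192, file.txt found in block %d\n", lookup_block_index(8192, "file.txt", true));
    return 0;
}
```

The constructed `i_size` of 100 is the case from the report (smaller than one block); 8192 gives a two-block directory on which both the guarded and unguarded paths behave identically, which is the property the fix has to preserve.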