Hi Al, Al Viro <viro@xxxxxxxxxxxxxxxxxx> writes: > The whole image would be an overkill, but System.map and disassembly of > __fput would be useful... The thing is, delayed_fput() does this: > for (; node; node = next) { > next = llist_next(node); > __fput(llist_entry(node, struct file, f_u.fu_llist)); > } > and llist_entry() here is just a cast - f_u.fu_list is at offset zero. > So to get NULL passed to __fput() here you'd need node == NULL. Even > unmapped address that has escaped the loop condition would've oopsed > before reaching __fput() - we *do* fetch node->next (i.e. > file->f_u.fu_list.next) before going into __fput(); that isn't going > to be reordered away. > > Besides, f_mode is quite a bit into struct file and dereferencing has > happened at address 0, unless I'm misreading that oops... No, I guess you are right. The System.map file is available here: http://natisbad.org/System.map. A disassembly of __fput() and delayed_fput() is inlined below. It agrees with your reading: delayed_fput() loads node->next (ldr r4, [r0] at 0x83ab8) before each bl to __fput(), and __fput() itself first touches [r0, #12], [r0, #8] and [r0, #16] (0x838b0-0x838b8), so a NULL struct file would have faulted at those small offsets rather than at address 0. Note: the kernel is compiled with LOADADDR set to 0x8000, so the addresses in the listings below are raw byte offsets into Image, not the virtual addresses listed in System.map; translate accordingly when cross-referencing the two.
__fput() (via arm-linux-gnueabi-objdump -S -EL -D -b binary -m arm --start-address=0x000838a4 --stop-address=0x83a94 Image): 000838a4 <.data+0x838a4>: 838a4: e92d4ff0 push {r4, r5, r6, r7, r8, r9, sl, fp, lr} 838a8: e1a06000 mov r6, r0 838ac: e24dd00c sub sp, sp, #12 838b0: e590700c ldr r7, [r0, #12] 838b4: e5908008 ldr r8, [r0, #8] 838b8: e5904010 ldr r4, [r0, #16] 838bc: eb132240 bl 0x54c1c4 838c0: e5965010 ldr r5, [r6, #16] 838c4: e5963020 ldr r3, [r6, #32] 838c8: e1d520b0 ldrh r2, [r5] 838cc: e3130002 tst r3, #2 838d0: e2022a0f and r2, r2, #61440 ; 0xf000 838d4: 03a0a010 moveq sl, #16 838d8: 13a0a008 movne sl, #8 838dc: e3520901 cmp r2, #16384 ; 0x4000 838e0: 038aa101 orreq sl, sl, #1073741824 ; 0x40000000 838e4: e2139401 ands r9, r3, #16777216 ; 0x1000000 838e8: 0a000046 beq 0x83a08 838ec: e5962074 ldr r2, [r6, #116] ; 0x74 838f0: e2863074 add r3, r6, #116 ; 0x74 838f4: e1520003 cmp r2, r3 838f8: 1a000058 bne 0x83a60 838fc: e1a00006 mov r0, r6 83900: eb00f5b3 bl 0xc0fd4 83904: e596301c ldr r3, [r6, #28] 83908: e3130a02 tst r3, #8192 ; 0x2000 8390c: e5963014 ldr r3, [r6, #20] 83910: 1a000049 bne 0x83a3c 83914: e5933034 ldr r3, [r3, #52] ; 0x34 83918: e3530000 cmp r3, #0 8391c: 0a000002 beq 0x8392c 83920: e1a00004 mov r0, r4 83924: e1a01006 mov r1, r6 83928: e12fff33 blx r3 8392c: e1d430b0 ldrh r3, [r4] 83930: e2033a0f and r3, r3, #61440 ; 0xf000 83934: e3530a02 cmp r3, #8192 ; 0x2000 83938: 0a00004b beq 0x83a6c 8393c: e5963014 ldr r3, [r6, #20] 83940: e3530000 cmp r3, #0 83944: 0a000001 beq 0x83950 83948: e5930000 ldr r0, [r3] 8394c: ebff1733 bl 0x49620 83950: e5960030 ldr r0, [r6, #48] ; 0x30 83954: ebfe8f2a bl 0x27604 83958: e5963020 ldr r3, [r6, #32] 8395c: e3130002 tst r3, #2 83960: 1a000013 bne 0x839b4 83964: e3a03000 mov r3, #0 83968: e586300c str r3, [r6, #12] 8396c: e5863008 str r3, [r6, #8] 83970: e5863010 str r3, [r6, #16] 83974: e59f1110 ldr r1, [pc, #272] ; 0x83a8c 83978: e3e04000 mvn r4, #0 8397c: e3e05000 mvn r5, #0 83980: e1c120d0 ldrd r2, [r1] 
83984: e0922004 adds r2, r2, r4 83988: e0a33005 adc r3, r3, r5 8398c: e1c120f0 strd r2, [r1] 83990: e59f10f8 ldr r1, [pc, #248] ; 0x83a90 83994: e1a00006 mov r0, r6 83998: ebfee9d7 bl 0x3e0fc 8399c: e1a00007 mov r0, r7 839a0: eb004756 bl 0x95700 839a4: e1a00008 mov r0, r8 839a8: e28dd00c add sp, sp, #12 839ac: e8bd4ff0 pop {r4, r5, r6, r7, r8, r9, sl, fp, lr} 839b0: ea005ea3 b 0x9b444 839b4: e596300c ldr r3, [r6, #12] 839b8: e5960008 ldr r0, [r6, #8] 839bc: e5933028 ldr r3, [r3, #40] ; 0x28 839c0: e28320b0 add r2, r3, #176 ; 0xb0 839c4: f5d2f000 pld [r2] 839c8: e1921f9f ldrex r1, [r2] 839cc: e2411001 sub r1, r1, #1 839d0: e182cf91 strex ip, r1, [r2] 839d4: e33c0000 teq ip, #0 839d8: 1afffffa bne 0x839c8 839dc: e1d330b0 ldrh r3, [r3] 839e0: e2032a0b and r2, r3, #45056 ; 0xb000 839e4: e3520a02 cmp r2, #8192 ; 0x2000 839e8: 0affffdd beq 0x83964 839ec: e2033a0f and r3, r3, #61440 ; 0xf000 839f0: e3530a01 cmp r3, #4096 ; 0x1000 839f4: 0affffda beq 0x83964 839f8: e3530903 cmp r3, #49152 ; 0xc000 839fc: 0affffd8 beq 0x83964 83a00: eb005fdc bl 0x9b978 83a04: eaffffd6 b 0x83964 83a08: e286b008 add fp, r6, #8 83a0c: e596100c ldr r1, [r6, #12] 83a10: e1a0200a mov r2, sl 83a14: e1a0000b mov r0, fp 83a18: eb00ca6e bl 0xb63d8 83a1c: e58d9000 str r9, [sp] 83a20: e58d9004 str r9, [sp, #4] 83a24: e1a00005 mov r0, r5 83a28: e1a0100a mov r1, sl 83a2c: e1a0200b mov r2, fp 83a30: e3a03001 mov r3, #1 83a34: eb00c98c bl 0xb606c 83a38: eaffffab b 0x838ec 83a3c: e593c040 ldr ip, [r3, #64] ; 0x40 83a40: e35c0000 cmp ip, #0 83a44: 0affffb2 beq 0x83914 83a48: e3e00000 mvn r0, #0 83a4c: e1a01006 mov r1, r6 83a50: e3a02000 mov r2, #0 83a54: e12fff3c blx ip 83a58: e5963014 ldr r3, [r6, #20] 83a5c: eaffffac b 0x83914 83a60: e1a00006 mov r0, r6 83a64: eb00d816 bl 0xb9ac4 83a68: eaffffa3 b 0x838fc 83a6c: e5940118 ldr r0, [r4, #280] ; 0x118 83a70: e3500000 cmp r0, #0 83a74: 0affffb0 beq 0x8393c 83a78: e5963020 ldr r3, [r6, #32] 83a7c: e3130901 tst r3, #16384 ; 0x4000 83a80: 1affffad bne 0x8393c 
83a84: eb0008bd bl 0x85d80 83a88: eaffffab b 0x8393c 83a8c: c07eb4c0 rsbsgt fp, lr, r0, asr #9 83a90: c008b860 andgt fp, r8, r0, ror #16 delayed_fput() (via arm-linux-gnueabi-objdump -S -EL -D -b binary -m arm --start-address=0x83a94 --stop-address=0x83ad0 Image): 00083a94 <.data+0x83a94>: 83a94: e92d4010 push {r4, lr} 83a98: e59f202c ldr r2, [pc, #44] ; 0x83acc 83a9c: e3a03000 mov r3, #0 83aa0: e1920f9f ldrex r0, [r2] 83aa4: e1821f93 strex r1, r3, [r2] 83aa8: e3310000 teq r1, #0 83aac: 1afffffb bne 0x83aa0 83ab0: e3500000 cmp r0, #0 83ab4: 08bd8010 popeq {r4, pc} 83ab8: e5904000 ldr r4, [r0] 83abc: ebffff78 bl 0x838a4 83ac0: e2540000 subs r0, r4, #0 83ac4: 1afffffb bne 0x83ab8 83ac8: e8bd8010 pop {r4, pc} 83acc: c07eb4c8 rsbsgt fp, lr, r8, asr #9 Cheers, a+ -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html