https://bugzilla.novell.com/show_bug.cgi?id=668878
https://bugzilla.novell.com/show_bug.cgi?id=668878#c5
Tamas Visegrady changed:
What            |Removed   |Added
----------------+----------+----------------------------
CC              |          |tamas.visegrady@gmail.com
--- Comment #5 from Tamas Visegrady 2011-02-13 15:52:09 UTC ---
Just ran into this after running "-t auto" mount on an all-zeroes USB stick by
accident. Identical dump with 2.6.37-20-desktop.
The error path in reiserfs_fill_super() indeed sets s_fs_info to NULL, but
there's a non-NULL check in reiserfs_kill_sb() before using s->s_fs_info.
However, doesn't reiserfs_kill_sb+0x1c dereference the superblock pointer *s at
+0x1c?
---------------------
static void reiserfs_kill_sb(struct super_block *s)
{
        if (REISERFS_SB(s)) {                           // s->s_fs_info
                if (REISERFS_SB(s)->xattr_root) {       // s->s_fs_info->xattr...
                        d_invalidate(REISERFS_SB(s)->xattr_root);
..
---------------------
0000000000011b40 <reiserfs_kill_sb>:
reiserfs_kill_sb():
   11b40:       48 83 ec 18             sub    $0x18,%rsp
   11b44:       48 89 6c 24 08          mov    %rbp,0x8(%rsp)
   11b49:       48 89 1c 24             mov    %rbx,(%rsp)
   11b4d:       48 89 fd                mov    %rdi,%rbp
   11b50:       4c 89 64 24 10          mov    %r12,0x10(%rsp)
                                        // s
   11b55:       48 8b 87 78 02 00 00    mov    0x278(%rdi),%rax
                                        // s->s_fs_info
   11b5c:       48 8b 98 f8 00 00 00    mov    0xf8(%rax),%rbx
                                        (cf. NULL pointer dereference at ...000000f8 ^^^^)
   11b63:       48 85 db                test   %rbx,%rbx
   11b66:       0f 84 9b 00 00 00       je     11c07 <reiserfs_kill_sb+0xc7>
   11b6c:       4c 8d 63 08             lea    0x8(%rbx),%r12
   11b70:       48 c7 c7 00 00 00 00    mov    $0x0,%rdi
                        11b73: R_X86_64_32S     dcache_lock
---------------------
reiserfs_fill_super() is called from mount_bdev() before
deactivate_locked_super() calls back to reiserfs_kill_sb():
---------------------
(mount_bdev())
..
        error = fill_super(s, data, flags & MS_SILENT ? 1 : 0);
        if (error) {
                deactivate_locked_super(s);
..
---------------------
void deactivate_locked_super(struct super_block *s)
..
        if (atomic_dec_and_test(&s->s_active)) {
                fs->kill_sb(s);
..
---------------------
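The sequence the comment walks through (mount_bdev() calling fill_super(), fill_super() failing and clearing s_fs_info, deactivate_locked_super() then calling back into kill_sb()) as a user-space model. This is an added example, not code from the bug report, from reiserfs or from the kernel: every model_* name, the struct layouts, the magic string and the image format are constructed stand-ins. It shows the two shapes of kill_sb side by side: the unguarded form, whose two back-to-back loads match the pattern at +0x15 and +0x1c in the dump, and the guarded form quoted from the C source in the comment, which tolerates an s_fs_info that fill_super already reset to NULL.

```c
/* Added example, not code from the bug report or the kernel: a user-space
 * model of mount_bdev() -> fill_super() -> deactivate_locked_super() -> kill_sb().
 * All model_* names are hypothetical; the on-disk layout is constructed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_MAGIC_OFF 64            /* constructed: offset of the magic */
#define MODEL_MAGIC     "MoDeLfS"     /* constructed magic string */
#define MODEL_IMAGE_LEN 4096

static int model_dentries_live;       /* stand-in dentries not yet released */

struct model_dentry { int refs; };
struct model_fs_info {                /* stand-in for the fs private data */
    struct model_dentry *xattr_root;
};
struct model_super_block {            /* stand-in for struct super_block */
    void *s_fs_info;
    int s_active;
};

static struct model_dentry *model_dget_new(void)
{
    struct model_dentry *d = calloc(1, sizeof *d);
    if (!d)
        abort();
    d->refs = 1;
    model_dentries_live++;
    return d;
}

static void model_dput(struct model_dentry *d)
{
    if (--d->refs == 0) {
        free(d);
        model_dentries_live--;
    }
}

/* Constructed image: all zeroes (the USB stick in the report), or with the
 * magic in place so the fill_super model accepts it. */
static void model_make_image(unsigned char *img, int valid)
{
    memset(img, 0, MODEL_IMAGE_LEN);
    if (valid)
        memcpy(img + MODEL_MAGIC_OFF, MODEL_MAGIC, strlen(MODEL_MAGIC));
}

/* Mirrors the fill_super error path discussed above: allocate private data,
 * validate the image, and on failure free the data and reset s_fs_info. */
static int model_fill_super(struct model_super_block *s, const unsigned char *img)
{
    struct model_fs_info *sbi = calloc(1, sizeof *sbi);
    if (!sbi)
        return -ENOMEM;
    s->s_fs_info = sbi;
    if (memcmp(img + MODEL_MAGIC_OFF, MODEL_MAGIC, strlen(MODEL_MAGIC)) != 0) {
        free(sbi);
        s->s_fs_info = NULL;          /* the state kill_sb is then called in */
        return -EINVAL;
    }
    sbi->xattr_root = model_dget_new();
    return 0;
}

/* Unguarded form: load s_fs_info, then s_fs_info->xattr_root, with no check
 * in between. Fine after a successful mount; a NULL dereference after a
 * failed one. Never called on the zero image below for that reason. */
static void model_kill_sb_unguarded(struct model_super_block *s)
{
    struct model_fs_info *sbi = s->s_fs_info;
    if (sbi->xattr_root)
        model_dput(sbi->xattr_root);
    free(sbi);
    s->s_fs_info = NULL;
}

/* Guarded form, the shape of the C source quoted in the comment. */
static void model_kill_sb_guarded(struct model_super_block *s)
{
    struct model_fs_info *sbi = s->s_fs_info;
    if (sbi) {
        if (sbi->xattr_root)
            model_dput(sbi->xattr_root);
        free(sbi);
        s->s_fs_info = NULL;
    }
}

/* Mirrors mount_bdev(): a failing fill_super goes straight to the
 * deactivate_locked_super() step, which calls kill_sb on the half-torn-down
 * superblock. Returns fill_super's error, or 0 after a mount/unmount cycle. */
static int model_mount_bdev(const unsigned char *img,
                            void (*kill_sb)(struct model_super_block *))
{
    struct model_super_block s = { .s_fs_info = NULL, .s_active = 1 };
    int error = model_fill_super(&s, img);
    if (--s.s_active == 0)            /* atomic_dec_and_test(&s->s_active) */
        kill_sb(&s);
    return error;
}

/* Build an image and run it through the mount model; returns the mount result. */
static int model_run(int valid_image, void (*kill_sb)(struct model_super_block *))
{
    unsigned char img[MODEL_IMAGE_LEN];
    model_make_image(img, valid_image);
    return model_mount_bdev(img, kill_sb);
}

int main(void)
{
    int r = model_run(1, model_kill_sb_unguarded);
    printf("valid image, unguarded kill_sb: %d (live dentries %d)\n", r, model_dentries_live);
    r = model_run(0, model_kill_sb_guarded);
    printf("zero image, guarded kill_sb:    %d (live dentries %d)\n", r, model_dentries_live);
    /* model_run(0, model_kill_sb_unguarded) would crash here: that is the oops. */
    return 0;
}
```

The point the model makes is that the unguarded kill_sb is only wrong on the error path: a clean mount and unmount releases everything, so the defect stays latent until fill_super fails, which an all-zeroes device triggers on the very first superblock check.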