Description of problem:

ext3_dx_find_entry() may trigger an infinite loop if de's rec_len is 0 (e.g. bad block, corruption):

~~~
static struct buffer_head * ext3_dx_find_entry(struct dentry *dentry,
		struct ext3_dir_entry_2 **res_dir, int *err)
{
[...]
		for (; de < top; de = ext3_next_entry(de))
		if (ext3_match (namelen, name, de)) {    <= %RIP is somewhere within that loop
			if (!ext3_check_dir_entry("ext3_find_entry",
						  dir, de, bh,
				  (block<<EXT3_BLOCK_SIZE_BITS(sb))
					  +((char *)de - bh->b_data))) {
				brelse (bh);
				goto errout;
			}
			*res_dir = de;
			dx_release (frames);
			return bh;
		}
~~~

There would be 2 upstream commits that would resolve the issue:

1) upstream "ext3: Use search_dirblock() in ext3_dx_find_entry()"
   http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5026e90b8668
   The search_dirblock() makes sure that rec_len is not zero.

2) upstream "ext3: validate directory entry data before use"
   http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=275c0a8f

See vmcore analysis in next comment.
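The failure mode described above, as an added user-space example (not kernel code and not taken from either upstream commit): a walk that advances by an unvalidated rec_len never moves past an entry whose rec_len is 0, while a walk that validates each entry before using it reports the block as corrupt. The names `walk_unchecked`, `search_checked`, `build_block`, `HDR` and `BLK` are hypothetical, the entry layout is simplified, and the checks beyond "rec_len is not zero" are a generalization assumed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified on-disk entry (little-endian): inode(4) rec_len(2) name_len(1) type(1) name[] */
#define HDR 8u
#define BLK 64u   /* constructed tiny "block" for the demo */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Model of the unchecked walk: steps taken, capped so the demo itself terminates. */
unsigned walk_unchecked(const uint8_t *blk, size_t size, unsigned cap)
{
    size_t off = 0;
    unsigned n = 0;
    while (off + HDR <= size && n < cap) { off += le16(blk + off + 4); n++; }
    return n;
}

/* Checked search: offset of the match, -1 if absent, -2 if the block is corrupt. */
long search_checked(const uint8_t *blk, size_t size, const char *name, size_t namelen)
{
    size_t off = 0;
    while (off + HDR <= size) {
        const uint8_t *de = blk + off;
        size_t rec_len = le16(de + 4), nlen = de[6];
        size_t need = (HDR + nlen + 3) & ~(size_t)3;
        /* rec_len == 0 fails the first test; without it the cursor never advances */
        if (rec_len < HDR || rec_len % 4 || rec_len < need || rec_len > size - off)
            return -2;
        int live = de[0] | de[1] | de[2] | de[3];   /* inode 0 marks an unused entry */
        if (live && nlen == namelen && memcmp(de + HDR, name, namelen) == 0)
            return (long)off;
        off += rec_len;
    }
    return -1;
}

/* Constructed sample block: "a" (rec_len 12) then "bb" (rec_len given by caller). */
void build_block(uint8_t *blk, uint16_t rl)
{
    memset(blk, 0, BLK);
    blk[0] = 11; blk[4] = 12; blk[6] = 1; blk[8] = 'a';
    blk[12] = 12; blk[16] = (uint8_t)rl; blk[17] = (uint8_t)(rl >> 8);
    blk[18] = 2; blk[20] = 'b'; blk[21] = 'b';
}

int main(void)
{
    uint8_t b[BLK];
    build_block(b, 0);   /* second entry has rec_len 0 */
    return search_checked(b, BLK, "bb", 2) != -2;
}
```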
Lukas, can you take a look at this one? Sounds like patches exist upstream. Thanks, -Eric
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
This bug was accidentally moved from POST to MODIFIED via an error in automation. Please see mmccune with any questions.