Public bug reported:

Binary package hint: linux-image-2.6.28-11-generic

Linux 2.6.28-11-generic #36-Ubuntu SMP Fri Mar 20 19:51:24 UTC 2009 x86_64 GNU/Linux

If the root directory of a reiserfs partition contains a regular file named .reiserfs_priv, reiserfs crashes when trying to do operations that change extended attributes (for example, unlinking a file).

I think this is because the function get_xa_root (fs/reiserfs/xattr.c, line 61) assumes that privroot (the dentry pointing to .reiserfs_priv in the partition root) points to a directory, but it can really point to anything (for example, a regular file). The crash occurs when an attempt is made to call inode->i_op->lookup on a regular file (fs/namei.c, line 1212), which leads to a null pointer dereference.

dmesg output:

[621321.512413] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[621321.512420] IP: [<0000000000000000>] 0x0
[621321.512425] PGD 66cd2067 PUD 17efa067 PMD 0
[621321.512429] Oops: 0010 [#1] SMP
[621321.512431] last sysfs file: /sys/devices/platform/acer-wmi/rfkill/rfkill0/state
[621321.512434] Dumping ftrace buffer:
[621321.512436] (ftrace buffer empty)
[621321.512437] CPU 0
[621321.512439] Modules linked in: mmc_block tifm_sd usb_storage reiserfs tun nls_iso8859_1 nls_cp437 vfat fat aes_x86_64 aes_generic arc4 ecb ath5k mac80211 cfg80211 i915 drm binfmt_misc ppdev bridge stp bnep input_polldev btusb joydev sbp2 lp parport snd_hda_intel snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event nsc_ircc uvcvideo snd_seq snd_timer snd_seq_device pcmcia compat_ioctl32 psmouse tifm_7xx1 acer_wmi videodev video sdhci_pci sdhci snd soundcore irda yenta_socket rsrc_nonstatic pcmcia_core serio_raw pcspkr tifm_core led_class v4l1_compat iTCO_wdt iTCO_vendor_support output intel_agp snd_page_alloc crc_ccitt usbhid ohci1394 ieee1394 tg3 fbcon tileblit font bitblit softcursor [last unloaded: usb_storage]
[621321.512479] Pid: 29364, comm: vim Not tainted 2.6.28-11-generic #36-Ubuntu
[621321.512480] RIP: 0010:[<0000000000000000>] [<0000000000000000>] 0x0
[621321.512483] RSP: 0018:ffff880065229ca0 EFLAGS: 00010286
[621321.512485] RAX: ffffffffa04d6bc0 RBX: fffffffffffffff4 RCX: 0000000000000000
[621321.512487] RDX: 0000000000000000 RSI: ffff88005d4b8b60 RDI: ffff8800481576d0
[621321.512488] RBP: ffff880065229cd8 R08: 0000000000000006 R09: 0000000000000000
[621321.512490] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88005d4b8b60
[621321.512492] R13: 0000000000000080 R14: ffff880065229ce8 R15: ffff8800481576d0
[621321.512494] FS: 00007f822bd01780(0000) GS:ffffffff80aa3000(0000) knlGS:0000000000000000
[621321.512496] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[621321.512498] CR2: 0000000000000000 CR3: 000000005daef000 CR4: 00000000000006a0
[621321.512499] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[621321.512501] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[621321.512503] Process vim (pid: 29364, threadinfo ffff880065228000, task ffff88007d045980)
[621321.512505] Stack:
[621321.512506] ffffffff802f0847 0000000000000000 ffff8800501cb5b0 ffff8800501cb5b0
[621321.512509] 0000000000000080 ffff88006d1a6800 0000000000000080 ffff880065229d08
[621321.512512] ffffffff802f135a 00000006dc38d979 ffffffffa04d8466 ffff880065229e78
[621321.512516] Call Trace:
[621321.512517] [<ffffffff802f0847>] ? __lookup_hash+0x107/0x170
[621321.512524] [<ffffffff802f135a>] lookup_one_len+0x8a/0xa0
[621321.512527] [<ffffffffa04d33e9>] get_xa_root+0xf9/0x140 [reiserfs]
[621321.512540] [<ffffffffa04d380a>] open_xa_dir+0x2a/0x170 [reiserfs]
[621321.512547] [<ffffffffa04d46d9>] reiserfs_delete_xattrs+0x89/0x1b0 [reiserfs]
[621321.512555] [<ffffffffa04b393f>] reiserfs_delete_inode+0xaf/0x150 [reiserfs]
[621321.512563] [<ffffffff80318093>] ? inotify_inode_is_dead+0x93/0xb0
[621321.512567] [<ffffffffa04b3890>] ? reiserfs_delete_inode+0x0/0x150 [reiserfs]
[621321.512575] [<ffffffff802fd8a3>] generic_delete_inode+0xc3/0x1a0
[621321.512578] [<ffffffff802fd9a5>] generic_drop_inode+0x25/0x30
[621321.512581] [<ffffffff802fc5ad>] iput+0x5d/0x70
[621321.512583] [<ffffffff802f41a3>] do_unlinkat+0x113/0x1d0
[621321.512586] [<ffffffff802e91ed>] ? fput+0x1d/0x30
[621321.512589] [<ffffffff802e568b>] ? filp_close+0x5b/0x90
[621321.512592] [<ffffffff802f4271>] sys_unlink+0x11/0x20
[621321.512595] [<ffffffff8021253a>] system_call_fastpath+0x16/0x1b
[621321.512599] Code: Bad RIP value.
[621321.512602] RIP [<0000000000000000>] 0x0
[621321.512605] RSP <ffff880065229ca0>
[621321.512607] CR2: 0000000000000000
[621321.512609] ---[ end trace 234f48ccbf3ca0c5 ]---

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

-- 
reiserfs: crash when extended attributes are enabled and /.reiserfs_priv is a regular file
https://bugs.launchpad.net/bugs/367789