Hi all,

While performing some code audits of the fsmap code, I noticed some off-by-one errors in the realtime bitmap query code that provides the rt fsmap implementation.

The first problem I found is that while the rtbitmap range query function will constrain the starting and ending rtextent parameters to match the actual rt volume, it does so by changing the struct passed in by the caller. This is a no-no, since query functions themselves are not supposed to change the global state.

The second problem is an off-by-one error in the rtbitmap fsmap function itself. The fsmap record emitter function has the neat property that it can detect gaps between the fsmap record we're about to emit and the last one it emitted. When this happens, it first emits an fsmap record to fill the gap and then emits the one it was called about. When the last block of the queried range is in use, we synthesize an fsmap record just outside the query range, which has the effect of emitting an "unknown owner" fsmap record for the in-use space. Unfortunately, we don't range check the last block value, with the result that the "unknown owner" fsmap can claim to extend beyond the end of the rt volume! So range check that.

The third problem is similar to the first: each fsmap backend is passed the keys of the range to query and some scratch space. The backend can change anything it wants in the scratch space, but it's not supposed to change the keys. Unfortunately, range checking in the backend functions /did/ change the keys, which causes subsequent backends to be called with incorrect keys. Fix this.

If you're going to start using this mess, you probably ought to just pull from my git trees, which are linked below.

This is an extraordinary way to destroy everything. Enjoy!
Comments and questions are, as always, welcome.

--D

kernel git tree:
https://git.kernel.org/cgit/linux/kernel/git/djwong/xfs-linux.git/log/?h=fsmap-fixes-5.15
---
 fs/xfs/libxfs/xfs_rtbitmap.c | 14 ++++++-----
 fs/xfs/xfs_fsmap.c           | 52 ++++++++++++++++++++++++------------------
 fs/xfs/xfs_rtalloc.h         |  7 ++----
 3 files changed, 40 insertions(+), 33 deletions(-)
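The second and third problems above, modelled in a constructed toy emitter that is not XFS code: the gap-filling record is clamped to the volume end so the synthesized "just past the query range" extent cannot yield an unknown-owner record beyond the volume, and the query takes its keys by value so the caller's range is never modified. The struct names, the 8-record buffer and the sample free extents are all assumptions of this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a gap-filling fsmap-style record emitter (not XFS code). */
struct rec { uint64_t start, len; bool unknown_owner; };

struct emitter {
    uint64_t vol_end;    /* one past the last block of the (rt) volume */
    uint64_t next_start; /* first block not yet covered by an emitted record */
    struct rec out[8];   /* hypothetical fixed output buffer */
    size_t nout;
};

static void push(struct emitter *e, uint64_t start, uint64_t end, bool unknown)
{
    if (end > start && e->nout < 8) {   /* empty ranges produce no record */
        e->out[e->nout].start = start;
        e->out[e->nout].len = end - start;
        e->out[e->nout].unknown_owner = unknown;
        e->nout++;
    }
}

/* Record a free extent [start, start+len). Any gap since the previous record
 * is in-use space of unknown owner and is emitted first. Both the gap and the
 * extent are clamped to vol_end, so a synthesized extent placed just past the
 * query range can never claim space beyond the end of the volume. */
void emit_free(struct emitter *e, uint64_t start, uint64_t len)
{
    uint64_t s = start < e->vol_end ? start : e->vol_end;
    uint64_t end = len > e->vol_end - s ? e->vol_end : s + len; /* no overflow */
    push(e, e->next_start, s, true);   /* gap fill (may be empty) */
    push(e, s, end, false);            /* the free extent itself (may be empty) */
    if (end > e->next_start)
        e->next_start = end;
}

/* Query [lo, hi]; keys are taken by value, so the caller's range is untouched
 * even though the emitter clamps internally. Returns the record count. */
size_t query(struct emitter *e, uint64_t lo, uint64_t hi,
             const struct rec *free_ext, size_t nfree)
{
    e->nout = 0;
    e->next_start = lo;
    for (size_t i = 0; i < nfree; i++)
        if (free_ext[i].start >= lo && free_ext[i].start <= hi)
            emit_free(e, free_ext[i].start, free_ext[i].len);
    emit_free(e, hi + 1, 0);  /* synthesize "just past the range" to flush the trailing gap */
    return e->nout;
}
```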