Patch "xfs: fix brainos in the refcount scrubber's rmap fragment processor" has been added to the 5.9-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 16 Nov 2020 08:59:14 -0500

This is a note to let you know that I've just added the patch titled

    xfs: fix brainos in the refcount scrubber's rmap fragment processor

to the 5.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfs-fix-brainos-in-the-refcount-scrubber-s-rmap-frag.patch
and it can be found in the queue-5.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 3e25c3c5839f37a685ee728bc36e4c7c4636e6d1
Author: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
Date:   Sun Nov 8 16:32:42 2020 -0800

    xfs: fix brainos in the refcount scrubber's rmap fragment processor
    
    [ Upstream commit 54e9b09e153842ab5adb8a460b891e11b39e9c3d ]
    
    Fix some serious WTF in the reference count scrubber's rmap fragment
    processing.  The code comment says that this loop is supposed to move
    all fragment records starting at or before bno onto the worklist, but
    there's no obvious reason why nr (the number of items added) should
    increment starting from 1, and breaking the loop when we've added the
    target number seems dubious since we could have more rmap fragments that
    should have been added to the worklist.
    
    This seems to manifest in xfs/411 when adding one to the refcount field.
    
    Fixes: dbde19da9637 ("xfs: cross-reference the rmapbt data with the refcountbt")
    Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
    Reviewed-by: Christoph Hellwig <hch@xxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/xfs/scrub/refcount.c b/fs/xfs/scrub/refcount.c
index beaeb6fa31197..dd672e6bbc75c 100644
--- a/fs/xfs/scrub/refcount.c
+++ b/fs/xfs/scrub/refcount.c
@@ -170,7 +170,6 @@ xchk_refcountbt_process_rmap_fragments(
 	 */
 	INIT_LIST_HEAD(&worklist);
 	rbno = NULLAGBLOCK;
-	nr = 1;
 
 	/* Make sure the fragments actually /are/ in agbno order. */
 	bno = 0;
@@ -184,15 +183,14 @@ xchk_refcountbt_process_rmap_fragments(
 	 * Find all the rmaps that start at or before the refc extent,
 	 * and put them on the worklist.
 	 */
+	nr = 0;
 	list_for_each_entry_safe(frag, n, &refchk->fragments, list) {
-		if (frag->rm.rm_startblock > refchk->bno)
-			goto done;
+		if (frag->rm.rm_startblock > refchk->bno || nr > target_nr)
+			break;
 		bno = frag->rm.rm_startblock + frag->rm.rm_blockcount;
 		if (bno < rbno)
 			rbno = bno;
 		list_move_tail(&frag->list, &worklist);
-		if (nr == target_nr)
-			break;
 		nr++;
 	}
 






