This is a note to let you know that I've just added the patch titled
xfs: range check ri_cnt when recovering log items
to the 5.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
xfs-range-check-ri_cnt-when-recovering-log-items.patch
and it can be found in the queue-5.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From foo@baz Wed Sep 21 10:59:34 AM CEST 2022
From: Chandan Babu R <chandan.babu@xxxxxxxxxx>
Date: Wed, 21 Sep 2022 08:53:41 +0530
Subject: xfs: range check ri_cnt when recovering log items
To: gregkh@xxxxxxxxxxxxxxxxxxx
Cc: sashal@xxxxxxxxxx, mcgrof@xxxxxxxxxx, linux-xfs@xxxxxxxxxxxxxxx, stable@xxxxxxxxxxxxxxx, djwong@xxxxxxxxxx, chandan.babu@xxxxxxxxxx, amir73il@xxxxxxxxx, leah.rumancik@xxxxxxxxx
Message-ID: <20220921032352.307699-7-chandan.babu@xxxxxxxxxx>
From: "Darrick J. Wong" <darrick.wong@xxxxxxxxxx>
commit d6abecb82573fed5f7e4b595b5c0bd37707d2848 upstream.
Range check the region counter when we're reassembling regions from log
items during log recovery. In the old days ASSERT would halt the
kernel, but this isn't true any more so we have to make an explicit
error return.
Coverity-id: 1132508
Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
Reviewed-by: Christoph Hellwig <hch@xxxxxx>
Acked-by: Darrick J. Wong <djwong@xxxxxxxxxx>
Signed-off-by: Chandan Babu R <chandan.babu@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/xfs/xfs_log_recover.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/fs/xfs/xfs_log_recover.c
+++ b/fs/xfs/xfs_log_recover.c
@@ -4293,7 +4293,16 @@ xlog_recover_add_to_trans(
kmem_zalloc(item->ri_total * sizeof(xfs_log_iovec_t),
0);
}
- ASSERT(item->ri_total > item->ri_cnt);
+
+ if (item->ri_total <= item->ri_cnt) {
+ xfs_warn(log->l_mp,
+ "log item region count (%d) overflowed size (%d)",
+ item->ri_cnt, item->ri_total);
+ ASSERT(0);
+ kmem_free(ptr);
+ return -EFSCORRUPTED;
+ }
+
/* Description region is ri_buf[0] */
item->ri_buf[item->ri_cnt].i_addr = ptr;
item->ri_buf[item->ri_cnt].i_len = len;
Patches currently in stable-queue which might be from chandan.babu@xxxxxxxxxx are
queue-5.4/xfs-refactor-agfl-length-computation-function.patch
queue-5.4/xfs-use-bitops-interface-for-buf-log-item-ail-flag-check.patch
queue-5.4/maintainers-add-chandan-as-xfs-maintainer-for-5.4.y.patch
queue-5.4/xfs-split-the-sunit-parameter-update-into-two-parts.patch
queue-5.4/xfs-slightly-tweak-an-assert-in-xfs_fs_map_blocks.patch
queue-5.4/xfs-stabilize-insert-range-start-boundary-to-avoid-cow-writeback-race.patch
queue-5.4/iomap-iomap-that-extends-beyond-eof-should-be-marked-dirty.patch
queue-5.4/xfs-constify-the-buffer-pointer-arguments-to-error-functions.patch
queue-5.4/xfs-attach-dquots-and-reserve-quota-blocks-during-unwritten-conversion.patch
queue-5.4/xfs-range-check-ri_cnt-when-recovering-log-items.patch
queue-5.4/xfs-fix-deadlock-between-agi-and-agf-when-target_ip-exists-in-xfs_rename.patch
queue-5.4/xfs-replace-eio-with-efscorrupted-for-corrupt-metadata.patch
queue-5.4/xfs-convert-eio-to-efscorrupted-when-log-contents-are-invalid.patch
queue-5.4/xfs-add-missing-assert-in-xfs_fsmap_owner_from_rmap.patch
queue-5.4/xfs-always-log-corruption-errors.patch
queue-5.4/xfs-fix-some-memory-leaks-in-log-recovery.patch
queue-5.4/xfs-don-t-commit-sunit-swidth-updates-to-disk-if-that-would-cause-repair-failures.patch
