xfs: fix negative array access in xfs_getbmap

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: "Darrick J. Wong" <djwong@xxxxxxxxxx>

[ Upstream commit 1bba82fe1afac69c85c1f5ea137c8e73de3c8032 ]

In commit 8ee81ed581ff, Ye Bin complained about an ASSERT in the bmapx
code that trips if we encounter a delalloc extent after flushing the
pagecache to disk.  The ioctl code does not hold MMAPLOCK so it's
entirely possible that a racing write page fault can create a delalloc
extent after the file has been flushed.  The proposed solution was to
replace the assertion with an early return that avoids filling out the
bmap recordset with a delalloc entry if the caller didn't ask for it.

At the time, I recall thinking that the forward logic sounded ok, but
felt hesitant because I suspected that changing this code would cause
something /else/ to burst loose due to some other subtlety.

syzbot of course found that subtlety.  If all the extent mappings found
after the flush are delalloc mappings, we'll reach the end of the data
fork without ever incrementing bmv->bmv_entries.  This is new, since
before we'd have emitted the delalloc mappings even though the caller
didn't ask for them.  Once we reach the end, we'll try to set
BMV_OF_LAST on the -1st entry (because bmv_entries is zero) and go
corrupt something else in memory.  Yay.

I really dislike all these stupid patches that fiddle around with debug
code and break things that otherwise worked well enough.  Nobody was
complaining that calling XFS_IOC_BMAPX without BMV_IF_DELALLOC would
return BMV_OF_DELALLOC records, and now we've gone from "weird behavior
that nobody cared about" to "bad behavior that must be addressed
immediately".

Maybe I'll just ignore anything from Huawei from now on for my own sake.

Reported-by: syzbot+c103d3808a0de5faaf80@xxxxxxxxxxxxxxxxxxxxxxxxx
Link: https://lore.kernel.org/linux-xfs/20230412024907.GP360889@frogsfrogsfrogs/
Fixes: 8ee81ed581ff ("xfs: fix BUG_ON in xfs_getbmap()")
Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx>
Reviewed-by: Dave Chinner <dchinner@xxxxxxxxxx>
Signed-off-by: Dave Chinner <david@xxxxxxxxxxxxx>
Signed-off-by: Leah Rumancik <leah.rumancik@xxxxxxxxx>
Acked-by: Chandan Babu R <chandanbabu@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/xfs/xfs_bmap_util.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/xfs/xfs_bmap_util.c
+++ b/fs/xfs/xfs_bmap_util.c
@@ -558,7 +558,9 @@ xfs_getbmap(
 		if (!xfs_iext_next_extent(ifp, &icur, &got)) {
 			xfs_fileoff_t	end = XFS_B_TO_FSB(mp, XFS_ISIZE(ip));
 
-			out[bmv->bmv_entries - 1].bmv_oflags |= BMV_OF_LAST;
+			if (bmv->bmv_entries > 0)
+				out[bmv->bmv_entries - 1].bmv_oflags |=
+								BMV_OF_LAST;
 
 			if (whichfork != XFS_ATTR_FORK && bno < end &&
 			    !xfs_getbmap_full(bmv)) {


Patches currently in stable-queue which might be from leah.rumancik@xxxxxxxxx are

queue-6.1/xfs-fix-the-calculation-for-end-and-length.patch
queue-6.1/xfs-journal-geometry-is-not-properly-bounds-checked.patch
queue-6.1/xfs-use-i_prev_unlinked-to-distinguish-inodes-that-are-not-on-the-unlinked-list.patch
queue-6.1/xfs-load-uncached-unlinked-inodes-into-memory-on-demand.patch
queue-6.1/xfs-fix-extent-busy-updating.patch
queue-6.1/xfs-reload-entire-unlinked-bucket-lists.patch
queue-6.1/xfs-block-reservation-too-large-for-minleft-allocation.patch
queue-6.1/xfs-don-t-use-bmbt-btree-split-workers-for-io-completion.patch
queue-6.1/xfs-prefer-free-inodes-at-enospc-over-chunk-allocation.patch
queue-6.1/xfs-quotacheck-failure-can-race-with-background-inode-inactivation.patch
queue-6.1/xfs-dquot-shrinker-doesn-t-check-for-xfs_dqflag_freeing.patch
queue-6.1/xfs-buffer-pins-need-to-hold-a-buffer-reference.patch
queue-6.1/xfs-fix-agf-vs-inode-cluster-buffer-deadlock.patch
queue-6.1/xfs-fix-bug_on-in-xfs_getbmap.patch
queue-6.1/xfs-remove-warn-when-dquot-cache-insertion-fails.patch
queue-6.1/xfs-correct-calculation-for-agend-and-blockcount.patch
queue-6.1/xfs-defered-work-could-create-precommits.patch
queue-6.1/xfs-fix-low-space-alloc-deadlock.patch
queue-6.1/xfs-fix-unlink-vs-cluster-buffer-instantiation-race.patch
queue-6.1/xfs-set-bnobt-cntbt-numrecs-correctly-when-formatting-new-ags.patch
queue-6.1/xfs-fix-negative-array-access-in-xfs_getbmap.patch
queue-6.1/xfs-collect-errors-from-inodegc-for-unlinked-inode-recovery.patch
queue-6.1/xfs-fix-deadlock-on-xfs_inodegc_worker.patch
queue-6.1/xfs-fix-reloading-entire-unlinked-bucket-lists.patch
queue-6.1/xfs-fix-uninitialized-variable-access.patch
queue-6.1/xfs-fix-ag-count-overflow-during-growfs.patch
queue-6.1/xfs-make-inode-unlinked-bucket-recovery-work-with-quotacheck.patch




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux