This is a note to let you know that I've just added the patch titled xfs: check for obviously bad level values in the bmbt root to the 4.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: xfs-check-for-obviously-bad-level-values-in-the-bmbt-root.patch and it can be found in the queue-4.10 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From b3bf607d58520ea8c0666aeb4be60dbb724cd3a2 Mon Sep 17 00:00:00 2001 From: "Darrick J. Wong" <darrick.wong@xxxxxxxxxx> Date: Thu, 2 Feb 2017 15:13:59 -0800 Subject: xfs: check for obviously bad level values in the bmbt root From: Darrick J. Wong <darrick.wong@xxxxxxxxxx> commit b3bf607d58520ea8c0666aeb4be60dbb724cd3a2 upstream. We can't handle a bmbt that's taller than BTREE_MAXLEVELS, and there's no such thing as a zero-level bmbt (for that we have extents format), so if we see this, send back an error code. Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx> Reviewed-by: Christoph Hellwig <hch@xxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/xfs/libxfs/xfs_inode_fork.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/fs/xfs/libxfs/xfs_inode_fork.c +++ b/fs/xfs/libxfs/xfs_inode_fork.c @@ -26,6 +26,7 @@ #include "xfs_inode.h" #include "xfs_trans.h" #include "xfs_inode_item.h" +#include "xfs_btree.h" #include "xfs_bmap_btree.h" #include "xfs_bmap.h" #include "xfs_error.h" @@ -429,11 +430,13 @@ xfs_iformat_btree( /* REFERENCED */ int nrecs; int size; + int level; ifp = XFS_IFORK_PTR(ip, whichfork); dfp = (xfs_bmdr_block_t *)XFS_DFORK_PTR(dip, whichfork); size = XFS_BMAP_BROOT_SPACE(mp, dfp); nrecs = be16_to_cpu(dfp->bb_numrecs); + level = be16_to_cpu(dfp->bb_level); /* * blow out if -- fork has less extents than can fit in @@ -446,7 +449,8 @@ xfs_iformat_btree( XFS_IFORK_MAXEXT(ip, whichfork) || XFS_BMDR_SPACE_CALC(nrecs) > XFS_DFORK_SIZE(dip, mp, whichfork) || - XFS_IFORK_NEXTENTS(ip, whichfork) > ip->i_d.di_nblocks)) { + XFS_IFORK_NEXTENTS(ip, whichfork) > ip->i_d.di_nblocks) || + level == 0 || level > XFS_BTREE_MAXLEVELS) { xfs_warn(mp, "corrupt inode %Lu (btree).", (unsigned long long) ip->i_ino); XFS_CORRUPTION_ERROR("xfs_iformat_btree", XFS_ERRLEVEL_LOW, Patches currently in stable-queue which might be from darrick.wong@xxxxxxxxxx are queue-4.10/xfs-correct-null-checks-and-error-processing-in-xfs_initialize_perag.patch queue-4.10/xfs-mark-speculative-prealloc-cow-fork-extents-unwritten.patch queue-4.10/xfs-fix-toctou-race-when-locking-an-inode-to-access-the-data-map.patch queue-4.10/xfs-use-iomap-new-flag-for-newly-allocated-delalloc-blocks.patch queue-4.10/xfs-handle-indlen-shortage-on-delalloc-extent-merge.patch queue-4.10/xfs-reject-all-unaligned-direct-writes-to-reflinked-files.patch queue-4.10/xfs-allow-unwritten-extents-in-the-cow-fork.patch queue-4.10/xfs-tune-down-agno-asserts-in-the-bmap-code.patch queue-4.10/xfs-verify-free-block-header-fields.patch queue-4.10/xfs-check-for-obviously-bad-level-values-in-the-bmbt-root.patch queue-4.10/xfs-don-t-fail-xfs_extent_busy-allocation.patch queue-4.10/xfs-sync-eofblocks-scans-under-iolock-are-livelock-prone.patch queue-4.10/xfs-pull-up-iolock-from-xfs_free_eofblocks.patch queue-4.10/xfs-fail-_dir_open-when-readahead-fails.patch queue-4.10/xfs-reset-b_first_retry_time-when-clear-the-retry-status-of-xfs_buf_t.patch queue-4.10/xfs-update-ctime-and-mtime-on-clone-destinatation-inodes.patch queue-4.10/xfs-split-indlen-reservations-fairly-when-under-reserved.patch queue-4.10/xfs-filter-out-obviously-bad-btree-pointers.patch queue-4.10/xfs-use-xfs_icluster_size_fsb-to-calculate-inode-chunk-alignment.patch queue-4.10/xfs-only-reclaim-unwritten-cow-extents-periodically.patch queue-4.10/xfs-try-any-ag-when-allocating-the-first-btree-block-when-reflinking.patch queue-4.10/xfs-fix-and-streamline-error-handling-in-xfs_end_io.patch queue-4.10/xfs-fix-eofblocks-race-with-file-extending-async-dio-writes.patch queue-4.10/xfs-fix-uninitialized-variable-in-_reflink_convert_cow.patch queue-4.10/xfs-don-t-reserve-blocks-for-right-shift-transactions.patch queue-4.10/xfs-use-xfs_icluster_size_fsb-to-calculate-inode-alignment-mask.patch