This is a note to let you know that I've just added the patch titled xfs: filter out obviously bad btree pointers to the 4.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: xfs-filter-out-obviously-bad-btree-pointers.patch and it can be found in the queue-4.10 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it.
>From d5a91baeb6033c3392121e4d5c011cdc08dfa9f7 Mon Sep 17 00:00:00 2001
From: "Darrick J. Wong" <darrick.wong@xxxxxxxxxx>
Date: Thu, 2 Feb 2017 15:13:58 -0800
Subject: xfs: filter out obviously bad btree pointers
From: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
commit d5a91baeb6033c3392121e4d5c011cdc08dfa9f7 upstream.
Don't let anybody load an obviously bad btree pointer. Since the values come from disk, we must return an error, not just ASSERT.
Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
Reviewed-by: Eric Sandeen <sandeen@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/xfs/libxfs/xfs_bmap.c | 5 +----
 fs/xfs/libxfs/xfs_btree.c | 3 ++-
 fs/xfs/libxfs/xfs_btree.h | 2 +-
 3 files changed, 4 insertions(+), 6 deletions(-)
--- a/fs/xfs/libxfs/xfs_bmap.c
+++ b/fs/xfs/libxfs/xfs_bmap.c
@@ -1278,7 +1278,6 @@ xfs_bmap_read_extents(
 /* REFERENCED */
 xfs_extnum_t room; /* number of entries there's room for */
 
- bno = NULLFSBLOCK;
 mp = ip->i_mount;
 ifp = XFS_IFORK_PTR(ip, whichfork);
 exntf = (whichfork != XFS_DATA_FORK) ? XFS_EXTFMT_NOSTATE :
@@ -1291,9 +1290,7 @@ xfs_bmap_read_extents(
 ASSERT(level > 0);
 pp = XFS_BMAP_BROOT_PTR_ADDR(mp, block, 1, ifp->if_broot_bytes);
 bno = be64_to_cpu(*pp);
- ASSERT(bno != NULLFSBLOCK);
- ASSERT(XFS_FSB_TO_AGNO(mp, bno) < mp->m_sb.sb_agcount);
- ASSERT(XFS_FSB_TO_AGBNO(mp, bno) < mp->m_sb.sb_agblocks);
+
 /*
 * Go down the tree until leaf level is reached, following the first
 * pointer (leftmost) at each level.
--- a/fs/xfs/libxfs/xfs_btree.c
+++ b/fs/xfs/libxfs/xfs_btree.c
@@ -810,7 +810,8 @@ xfs_btree_read_bufl(
 xfs_daddr_t d; /* real disk block address */
 int error;
 
- ASSERT(fsbno != NULLFSBLOCK);
+ if (!XFS_FSB_SANITY_CHECK(mp, fsbno))
+ return -EFSCORRUPTED;
 d = XFS_FSB_TO_DADDR(mp, fsbno);
 error = xfs_trans_read_buf(mp, tp, mp->m_ddev_targp, d,
 mp->m_bsize, lock, &bp, ops);
--- a/fs/xfs/libxfs/xfs_btree.h
+++ b/fs/xfs/libxfs/xfs_btree.h
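Review bot: The new early return in xfs_btree_read_bufl, `if (!XFS_FSB_SANITY_CHECK(mp, fsbno)) return -EFSCORRUPTED;`, leaves no record of the rejected pointer, so whoever triages a damaged image sees only the errno. Unless the callers (outside this hunk) already log the failure, I would report before returning, for example `XFS_ERROR_REPORT(__func__, XFS_ERRLEVEL_LOW, mp);`. A one-line comment such as `/* fsbno is read from disk, so reject bad values at runtime rather than ASSERT */` would also keep the reasoning from the commit message next to the code. The function body starts and ends outside the hunk, so whether `*bpp` is initialised on this path cannot be checked from here.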
@@ -456,7 +456,7 @@ static inline int xfs_btree_get_level(st
 #define XFS_FILBLKS_MAX(a,b) max_t(xfs_filblks_t, (a), (b))
 
 #define XFS_FSB_SANITY_CHECK(mp,fsb) \
- (XFS_FSB_TO_AGNO(mp, fsb) < mp->m_sb.sb_agcount && \
+ (fsb && XFS_FSB_TO_AGNO(mp, fsb) < mp->m_sb.sb_agcount && \
 XFS_FSB_TO_AGBNO(mp, fsb) < mp->m_sb.sb_agblocks)
 
 /*
Patches currently in stable-queue which might be from darrick.wong@xxxxxxxxxx are queue-4.10/xfs-correct-null-checks-and-error-processing-in-xfs_initialize_perag.patch queue-4.10/xfs-mark-speculative-prealloc-cow-fork-extents-unwritten.patch queue-4.10/xfs-fix-toctou-race-when-locking-an-inode-to-access-the-data-map.patch queue-4.10/xfs-use-iomap-new-flag-for-newly-allocated-delalloc-blocks.patch queue-4.10/xfs-handle-indlen-shortage-on-delalloc-extent-merge.patch queue-4.10/xfs-reject-all-unaligned-direct-writes-to-reflinked-files.patch queue-4.10/xfs-allow-unwritten-extents-in-the-cow-fork.patch queue-4.10/xfs-tune-down-agno-asserts-in-the-bmap-code.patch queue-4.10/xfs-verify-free-block-header-fields.patch queue-4.10/xfs-check-for-obviously-bad-level-values-in-the-bmbt-root.patch queue-4.10/xfs-don-t-fail-xfs_extent_busy-allocation.patch queue-4.10/xfs-sync-eofblocks-scans-under-iolock-are-livelock-prone.patch queue-4.10/xfs-pull-up-iolock-from-xfs_free_eofblocks.patch queue-4.10/xfs-fail-_dir_open-when-readahead-fails.patch queue-4.10/xfs-reset-b_first_retry_time-when-clear-the-retry-status-of-xfs_buf_t.patch queue-4.10/xfs-update-ctime-and-mtime-on-clone-destinatation-inodes.patch queue-4.10/xfs-split-indlen-reservations-fairly-when-under-reserved.patch queue-4.10/xfs-filter-out-obviously-bad-btree-pointers.patch queue-4.10/xfs-use-xfs_icluster_size_fsb-to-calculate-inode-chunk-alignment.patch queue-4.10/xfs-only-reclaim-unwritten-cow-extents-periodically.patch queue-4.10/xfs-try-any-ag-when-allocating-the-first-btree-block-when-reflinking.patch queue-4.10/xfs-fix-and-streamline-error-handling-in-xfs_end_io.patch
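Review bot: XFS_FSB_SANITY_CHECK expands `fsb` three times and uses both arguments unparenthesized (`fsb && ...`, `mp->m_sb`), so an argument with side effects or a low-precedence operator would be evaluated wrongly; that matters more now that the macro is the runtime gate in xfs_btree_read_bufl. I would write the first line as `((fsb) && XFS_FSB_TO_AGNO((mp), (fsb)) < (mp)->m_sb.sb_agcount && \` and parenthesize the continuation line the same way, or turn the check into a static inline function. The ASSERT this replaces tested `fsbno != NULLFSBLOCK` whereas the macro tests for zero; NULLFSBLOCK is presumably rejected by the AG-number range comparison, but nothing here says so. A comment above the macro stating that, and why a zero block number is never a valid btree pointer, would spare the next reader the arithmetic.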
queue-4.10/xfs-fix-eofblocks-race-with-file-extending-async-dio-writes.patch queue-4.10/xfs-fix-uninitialized-variable-in-_reflink_convert_cow.patch queue-4.10/xfs-don-t-reserve-blocks-for-right-shift-transactions.patch queue-4.10/xfs-use-xfs_icluster_size_fsb-to-calculate-inode-alignment-mask.patch