From: Dave Chinner <david@fromorbit.com>
To: xfs@oss.sgi.com
Subject: [PATCH 8/9] xfs: catch bad block numbers freeing extents.
Date: Wed,  6 Apr 2011 16:19:17 +1000
Message-ID: <1302070758-17312-9-git-send-email-david@fromorbit.com>
In-Reply-To: <1302070758-17312-1-git-send-email-david@fromorbit.com>

From: Dave Chinner <dchinner@redhat.com>

A fuzzed filesystem crashed a kernel when freeing an extent with a
block number beyond the end of the filesystem. Convert all the debug
asserts in xfs_free_extent() to active checks so that we catch bad
extents and return that the filesystem is corrupted rather than
crashing.

Signed-off-by: Dave Chinner <dchinner@redhat.com>
---
 fs/xfs/xfs_alloc.c |   35 ++++++++++++++++++++++++++++-------
 1 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/fs/xfs/xfs_alloc.c b/fs/xfs/xfs_alloc.c
index 4bc3c64..c71e21a 100644
--- a/fs/xfs/xfs_alloc.c
+++ b/fs/xfs/xfs_alloc.c
@@ -2395,17 +2395,38 @@ xfs_free_extent(
 	memset(&args, 0, sizeof(xfs_alloc_arg_t));
 	args.tp = tp;
 	args.mp = tp->t_mountp;
+
+	/*
+	 * validate that the block number is legal - the enables us to detect
+	 * and handle a silent filesystem corruption rather than crashing.
+	 */
 	args.agno = XFS_FSB_TO_AGNO(args.mp, bno);
-	ASSERT(args.agno < args.mp->m_sb.sb_agcount);
+	if (args.agno >= args.mp->m_sb.sb_agcount)
+		return EFSCORRUPTED;
+
 	args.agbno = XFS_FSB_TO_AGBNO(args.mp, bno);
+	if (args.agbno >= args.mp->m_sb.sb_agblocks)
+		return EFSCORRUPTED;
+
 	args.pag = xfs_perag_get(args.mp, args.agno);
-	if ((error = xfs_alloc_fix_freelist(&args, XFS_ALLOC_FLAG_FREEING)))
+	ASSERT(args.pag);
+
+	error = xfs_alloc_fix_freelist(&args, XFS_ALLOC_FLAG_FREEING);
+	if (error)
 		goto error0;
-#ifdef DEBUG
-	ASSERT(args.agbp != NULL);
-	ASSERT((args.agbno + len) <=
-		be32_to_cpu(XFS_BUF_TO_AGF(args.agbp)->agf_length));
-#endif
+
+	/* validate the extent size is legal now we have the agf locked */
+	if (!args.agbp) {
+		error = EFSCORRUPTED;
+		goto error0;
+	}
+
+	if (args.agbno + len >
+			be32_to_cpu(XFS_BUF_TO_AGF(args.agbp)->agf_length)) {
+		error = EFSCORRUPTED;
+		goto error0;
+	}
+
 	error = xfs_free_ag_extent(tp, args.agbp, args.agno, args.agbno, len, 0);
 error0:
 	xfs_perag_put(args.pag);
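
Review bot: The extent-size check `if (args.agbno + len > be32_to_cpu(XFS_BUF_TO_AGF(args.agbp)->agf_length))` can be defeated by wraparound if `args.agbno` and `len` are both 32-bit unsigned values: a large `len` from the same corrupted metadata makes the sum wrap to a small number that passes the comparison. Since the point of the patch is to stop trusting these values, consider first rejecting `args.agbno >= agf_length` and then testing `len > agf_length - args.agbno`, which cannot overflow. Two smaller points: the new `ASSERT(args.pag);` is still a debug-only check in a change that converts asserts to active checks, while `error0` calls `xfs_perag_put(args.pag)` unconditionally, so either make it a real check or note in a comment why the preceding `args.agno` validation makes a NULL return impossible; and the new comment reads "the enables us", which should be "this enables us".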
-- 
1.7.2.3
