From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Lukas Czerner <lczerner@redhat.com>,
Theodore Tso <tytso@mit.edu>, Ilya Dryomov <idryomov@gmail.com>
Subject: [PATCH 3.18 03/25] ext4: fix bitmap position validation
Date: Mon, 30 Apr 2018 12:23:10 -0700 [thread overview]
Message-ID: <20180430183910.946761096@linuxfoundation.org> (raw)
In-Reply-To: <20180430183910.801976983@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Czerner <lczerner@redhat.com>
commit 22be37acce25d66ecf6403fc8f44df9c5ded2372 upstream.
Currently in ext4_valid_block_bitmap() we expect the bitmap to be
positioned anywhere between 0 and s_blocksize clusters, but that's
wrong because the bitmap can be placed anywhere in the block group. This
causes false positives when validating bitmaps on perfectly valid file
system layouts. Fix it by checking whether the bitmap is within the group
boundary.
The problem can be reproduced using the following
mkfs -t ext3 -E stride=256 /dev/vdb1
mount /dev/vdb1 /mnt/test
cd /mnt/test
wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.16.3.tar.xz
tar xf linux-4.16.3.tar.xz
This will result in the warnings in the logs
EXT4-fs error (device vdb1): ext4_validate_block_bitmap:399: comm tar: bg 84: block 2774529: invalid block bitmap
[ Changed slightly for clarity and to not drop a overflow test -- TYT ]
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reported-by: Ilya Dryomov <idryomov@gmail.com>
Fixes: 7dac4a1726a9 ("ext4: add validity checks for bitmap block numbers")
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/balloc.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
@@ -321,6 +321,7 @@ static ext4_fsblk_t ext4_valid_block_bit
struct ext4_sb_info *sbi = EXT4_SB(sb);
ext4_grpblk_t offset;
ext4_grpblk_t next_zero_bit;
+ ext4_grpblk_t max_bit = EXT4_CLUSTERS_PER_GROUP(sb);
ext4_fsblk_t blk;
ext4_fsblk_t group_first_block;
@@ -338,7 +339,7 @@ static ext4_fsblk_t ext4_valid_block_bit
/* check whether block bitmap block number is set */
blk = ext4_block_bitmap(sb, desc);
offset = blk - group_first_block;
- if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
+ if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit ||
!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
/* bad block bitmap */
return blk;
@@ -346,7 +347,7 @@ static ext4_fsblk_t ext4_valid_block_bit
/* check whether the inode bitmap block number is set */
blk = ext4_inode_bitmap(sb, desc);
offset = blk - group_first_block;
- if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
+ if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit ||
!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
/* bad block bitmap */
return blk;
@@ -354,8 +355,8 @@ static ext4_fsblk_t ext4_valid_block_bit
/* check whether the inode table block number is set */
blk = ext4_inode_table(sb, desc);
offset = blk - group_first_block;
- if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
- EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize)
+ if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit ||
+ EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= max_bit)
return blk;
next_zero_bit = ext4_find_next_zero_bit(bh->b_data,
EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group),
next prev parent reply other threads:[~2018-04-30 19:23 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-30 19:23 [PATCH 3.18 00/25] 3.18.108-stable review Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 01/25] ext4: set h_journal if there is a failure starting a reserved handle Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 02/25] ext4: add validity checks for bitmap block numbers Greg Kroah-Hartman
2018-04-30 19:23 ` Greg Kroah-Hartman [this message]
2018-04-30 19:23 ` [PATCH 3.18 04/25] usbip: usbip_host: fix to hold parent lock for device_attach() calls Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 05/25] usbip: vhci_hcd: Fix usb device and sockfd leaks Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 06/25] USB: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 07/25] USB: serial: cp210x: add ID for NI USB serial console Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 08/25] usb: core: Add quirk for HP v222w 16GB Mini Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 09/25] USB: Increment wakeup count on remote wakeup Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 10/25] ALSA: usb-audio: Skip broken EU on Dell dock USB-audio Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 11/25] virtio: add ability to iterate over vqs Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 12/25] virtio_console: free buffers after reset Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 13/25] tty: n_gsm: Fix long delays with control frame timeouts in ADM mode Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 14/25] tty: n_gsm: Fix DLCI handling for ADM mode if debug & 2 is not set Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 15/25] tty: Use __GFP_NOFAIL for tty_ldisc_get() Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 16/25] ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 17/25] ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 18/25] mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 19/25] mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 20/25] mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 21/25] kobject: dont use WARN for registration failures Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 22/25] scsi: sd: Defer spinning up drive while SANITIZE is in progress Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 23/25] ASoC: fsl_esai: Fix divisor calculation failure at lower ratio Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 24/25] libceph: validate con->state at the top of try_write() Greg Kroah-Hartman
2018-04-30 19:23 ` [PATCH 3.18 25/25] Revert "perf tests: Decompress kernel module before objdump" Greg Kroah-Hartman
2018-05-01 1:04 ` [PATCH 3.18 00/25] 3.18.108-stable review kernelci.org bot
2018-05-01 6:14 ` Harsh Shandilya
2018-05-01 15:02 ` Greg Kroah-Hartman
2018-05-01 13:18 ` Guenter Roeck
2018-05-01 15:02 ` Greg Kroah-Hartman
2018-05-01 19:04 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180430183910.946761096@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=idryomov@gmail.com \
--cc=lczerner@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).