linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Brian Foster <bfoster@redhat.com>,
	"Darrick J . Wong" <darrick.wong@oracle.com>,
	Sasha Levin <sashal@kernel.org>,
	xfs@oss.sgi.com
Subject: [PATCH AUTOSEL 4.4 11/64] xfs: fix attr leaf header freemap.size underflow
Date: Thu, 17 Sep 2020 22:15:50 -0400	[thread overview]
Message-ID: <20200918021643.2067895-11-sashal@kernel.org> (raw)
In-Reply-To: <20200918021643.2067895-1-sashal@kernel.org>

From: Brian Foster <bfoster@redhat.com>

[ Upstream commit 2a2b5932db67586bacc560cc065d62faece5b996 ]

The leaf format xattr addition helper xfs_attr3_leaf_add_work()
adjusts the block freemap in a couple places. The first update drops
the size of the freemap that the caller had already selected to
place the xattr name/value data. Before the function returns, it
also checks whether the entries array has encroached on a freemap
range by virtue of the new entry addition. This is necessary because
the entries array grows from the start of the block (but end of the
block header) towards the end of the block while the name/value data
grows from the end of the block in the opposite direction. If the
associated freemap is already empty, however, size is zero and the
subtraction underflows the field and causes corruption.

This is reproduced rarely by generic/070. The observed behavior is
that a smaller sized freemap is aligned to the end of the entries
list, several subsequent xattr additions land in larger freemaps and
the entries list expands into the smaller freemap until it is fully
consumed and then underflows. Note that it is not otherwise a
corruption for the entries array to consume an empty freemap because
the nameval list (i.e. the firstused pointer in the xattr header)
starts beyond the end of the corrupted freemap.

Update the freemap size modification to account for the fact that
the freemap entry can be empty and thus stale.

Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/xfs/libxfs/xfs_attr_leaf.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
index 445a3f2f871fb..d50f8183dda46 100644
--- a/fs/xfs/libxfs/xfs_attr_leaf.c
+++ b/fs/xfs/libxfs/xfs_attr_leaf.c
@@ -1326,7 +1326,9 @@ xfs_attr3_leaf_add_work(
 	for (i = 0; i < XFS_ATTR_LEAF_MAPSIZE; i++) {
 		if (ichdr->freemap[i].base == tmp) {
 			ichdr->freemap[i].base += sizeof(xfs_attr_leaf_entry_t);
-			ichdr->freemap[i].size -= sizeof(xfs_attr_leaf_entry_t);
+			ichdr->freemap[i].size -=
+				min_t(uint16_t, ichdr->freemap[i].size,
+						sizeof(xfs_attr_leaf_entry_t));
 		}
 	}
 	ichdr->usedbytes += xfs_attr_leaf_entsize(leaf, args->index);
-- 
2.25.1


  parent reply	other threads:[~2020-09-18  2:23 UTC|newest]

Thread overview: 66+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-09-18  2:15 [PATCH AUTOSEL 4.4 01/64] scsi: aacraid: fix illegal IO beyond last LBA Sasha Levin
2020-09-18  2:15 ` [PATCH AUTOSEL 4.4 02/64] m68k: q40: Fix info-leak in rtc_ioctl Sasha Levin
2020-09-18  2:15 ` [PATCH AUTOSEL 4.4 03/64] gma/gma500: fix a memory disclosure bug due to uninitialized bytes Sasha Levin
2020-09-18  2:15 ` [PATCH AUTOSEL 4.4 04/64] ASoC: kirkwood: fix IRQ error handling Sasha Levin
2020-09-18  2:15 ` [PATCH AUTOSEL 4.4 05/64] ata: sata_mv, avoid trigerrable BUG_ON Sasha Levin
2020-09-18  2:15 ` [PATCH AUTOSEL 4.4 06/64] PM / devfreq: tegra30: Fix integer overflow on CPU's freq max out Sasha Levin
2020-09-18  2:15 ` [PATCH AUTOSEL 4.4 07/64] mtd: cfi_cmdset_0002: don't free cfi->cfiq in error path of cfi_amdstd_setup() Sasha Levin
2020-09-18  2:15 ` [PATCH AUTOSEL 4.4 08/64] mfd: mfd-core: Protect against NULL call-back function pointer Sasha Levin
2020-09-18  2:15 ` [PATCH AUTOSEL 4.4 09/64] tracing: Adding NULL checks for trace_array descriptor pointer Sasha Levin
2020-09-18  2:15 ` [PATCH AUTOSEL 4.4 10/64] bcache: fix a lost wake-up problem caused by mca_cannibalize_lock Sasha Levin
2020-09-18  2:15 ` Sasha Levin [this message]
2020-09-18  2:15 ` [PATCH AUTOSEL 4.4 12/64] kernel/sys.c: avoid copying possible padding bytes in copy_to_user Sasha Levin
2020-09-18  2:15 ` [PATCH AUTOSEL 4.4 13/64] neigh_stat_seq_next() should increase position index Sasha Levin
2020-09-18  2:15 ` [PATCH AUTOSEL 4.4 14/64] rt_cpu_seq_next " Sasha Levin
2020-09-18  2:15 ` [PATCH AUTOSEL 4.4 15/64] seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier Sasha Levin
2020-09-18  2:15 ` [PATCH AUTOSEL 4.4 16/64] ACPI: EC: Reference count query handlers under lock Sasha Levin
2020-09-18  2:15 ` [PATCH AUTOSEL 4.4 17/64] tracing: Set kernel_stack's caller size properly Sasha Levin
2020-09-18  2:15 ` [PATCH AUTOSEL 4.4 18/64] ext4: make dioread_nolock the default Sasha Levin
2020-09-18  2:15 ` [PATCH AUTOSEL 4.4 19/64] ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter Sasha Levin
2020-09-18  2:15 ` [PATCH AUTOSEL 4.4 20/64] Bluetooth: Fix refcount use-after-free issue Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 21/64] mm: pagewalk: fix termination condition in walk_pte_range() Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 22/64] Bluetooth: prefetch channel before killing sock Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 23/64] skbuff: fix a data race in skb_queue_len() Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 24/64] audit: CONFIG_CHANGE don't log internal bookkeeping as an event Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 25/64] selinux: sel_avc_get_stat_idx should increase position index Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 26/64] scsi: lpfc: Fix RQ buffer leakage when no IOCBs available Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 27/64] drm/omap: fix possible object reference leak Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 28/64] dmaengine: tegra-apb: Prevent race conditions on channel's freeing Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 29/64] media: go7007: Fix URB type for interrupt handling Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 30/64] Bluetooth: guard against controllers sending zero'd events Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 31/64] drm/amdgpu: increase atombios cmd timeout Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 32/64] Bluetooth: L2CAP: handle l2cap config request during open state Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 33/64] media: tda10071: fix unsigned sign extension overflow Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 34/64] tpm: ibmvtpm: Wait for buffer to be set before proceeding Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 35/64] tracing: Use address-of operator on section symbols Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 36/64] serial: 8250_omap: Fix sleeping function called from invalid context during probe Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 37/64] SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()' Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 38/64] ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 39/64] ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 40/64] mm/filemap.c: clear page error before actual read Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 41/64] mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 42/64] serial: uartps: Wait for tx_empty in console setup Sasha Levin
2020-09-28 20:16   ` Naresh Kamboju
2020-09-28 22:00     ` Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 43/64] KVM: Remove CREATE_IRQCHIP/SET_PIT2 race Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 44/64] bdev: Reduce time holding bd_mutex in sync in blkdev_close() Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 45/64] drivers: char: tlclk.c: Avoid data race between init and interrupt handler Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 46/64] dt-bindings: sound: wm8994: Correct required supplies based on actual implementaion Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 47/64] atm: fix a memory leak of vcc->user_back Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 48/64] phy: samsung: s5pv210-usb2: Add delay after reset Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 49/64] Bluetooth: Handle Inquiry Cancel error after Inquiry Complete Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 50/64] USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 51/64] tty: serial: samsung: Correct clock selection logic Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 52/64] ALSA: hda: Fix potential race in unsol event handler Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 53/64] fuse: don't check refcount after stealing page Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 54/64] USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 55/64] e1000: Do not perform reset in reset_task if we are already down Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 56/64] printk: handle blank console arguments passed in Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 57/64] vfio/pci: fix memory leaks of eventfd ctx Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 58/64] perf kcore_copy: Fix module map when there are no modules loaded Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 59/64] mtd: rawnand: omap_elm: Fix runtime PM imbalance on error Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 60/64] ceph: fix potential race in ceph_check_caps Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 61/64] mtd: parser: cmdline: Support MTD names containing one or more colons Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 62/64] x86/speculation/mds: Mark mds_user_clear_cpu_buffers() __always_inline Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 63/64] vfio/pci: Clear error and request eventfd ctx after releasing Sasha Levin
2020-09-18  2:16 ` [PATCH AUTOSEL 4.4 64/64] vfio/pci: fix racy on error and request eventfd ctx Sasha Levin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200918021643.2067895-11-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=bfoster@redhat.com \
    --cc=darrick.wong@oracle.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=xfs@oss.sgi.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).