From: Amir Goldstein <amir73il@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Sasha Levin <sashal@kernel.org>,
Dave Chinner <david@fromorbit.com>,
"Darrick J . Wong" <darrick.wong@oracle.com>,
Christoph Hellwig <hch@lst.de>,
Luis Chamberlain <mcgrof@kernel.org>,
Theodore Ts'o <tytso@mit.edu>,
Leah Rumancik <leah.rumancik@gmail.com>,
Chandan Babu R <chandan.babu@oracle.com>,
Adam Manzanares <a.manzanares@samsung.com>,
Tyler Hicks <code@tyhicks.com>, Jan Kara <jack@suse.cz>,
linux-xfs@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH 5.10 v2 1/5] xfs: detect overflows in bmbt records
Date: Fri, 27 May 2022 16:02:15 +0300 [thread overview]
Message-ID: <20220527130219.3110260-2-amir73il@gmail.com> (raw)
In-Reply-To: <20220527130219.3110260-1-amir73il@gmail.com>
From: "Darrick J. Wong" <darrick.wong@oracle.com>
commit acf104c2331c1ba2a667e65dd36139d1555b1432 upstream.
Detect file block mappings with a blockcount that's either so large that
integer overflows occur or are zero, because neither are valid in the
filesystem. Worse yet, attempting directory modifications causes the
iext code to trip over the bmbt key handling and takes the filesystem
down. We can fix most of this by preventing the bad metadata from
entering the incore structures in the first place.
Found by setting blockcount=0 in a directory data fork mapping and
watching the fireworks.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
---
fs/xfs/libxfs/xfs_bmap.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
index d9a692484eae..de9c27ef68d8 100644
--- a/fs/xfs/libxfs/xfs_bmap.c
+++ b/fs/xfs/libxfs/xfs_bmap.c
@@ -6229,6 +6229,11 @@ xfs_bmap_validate_extent(
xfs_fsblock_t endfsb;
bool isrt;
+ if (irec->br_startblock + irec->br_blockcount <= irec->br_startblock)
+ return __this_address;
+ if (irec->br_startoff + irec->br_blockcount <= irec->br_startoff)
+ return __this_address;
+
isrt = XFS_IS_REALTIME_INODE(ip);
endfsb = irec->br_startblock + irec->br_blockcount - 1;
if (isrt && whichfork == XFS_DATA_FORK) {
--
2.25.1
next prev parent reply other threads:[~2022-05-27 13:02 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-27 13:02 [PATCH 5.10 v2 0/5] xfs fixes for 5.10.y (part 1) Amir Goldstein
2022-05-27 13:02 ` Amir Goldstein [this message]
2022-05-27 13:02 ` [PATCH 5.10 v2 2/5] xfs: show the proper user quota options Amir Goldstein
2022-05-27 13:02 ` [PATCH 5.10 v2 3/5] xfs: fix the forward progress assertion in xfs_iwalk_run_callbacks Amir Goldstein
2022-05-27 13:02 ` [PATCH 5.10 v2 4/5] xfs: fix an ABBA deadlock in xfs_rename Amir Goldstein
2022-05-27 13:02 ` [PATCH 5.10 v2 5/5] xfs: Fix CIL throttle hang when CIL space used going backwards Amir Goldstein
2022-06-03 14:32 ` [PATCH 5.10 v2 0/5] xfs fixes for 5.10.y (part 1) Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220527130219.3110260-2-amir73il@gmail.com \
--to=amir73il@gmail.com \
--cc=a.manzanares@samsung.com \
--cc=chandan.babu@oracle.com \
--cc=code@tyhicks.com \
--cc=darrick.wong@oracle.com \
--cc=david@fromorbit.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@lst.de \
--cc=jack@suse.cz \
--cc=leah.rumancik@gmail.com \
--cc=linux-xfs@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.