From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Jeff Moyer <jmoyer@redhat.com>,
Nick Piggin <npiggin@kernel.dk>, Jens Axboe <axboe@kernel.dk>
Subject: [ 03/55] block: dont mark buffers beyond end of disk as mapped
Date: Sun, 27 May 2012 09:26:16 +0900 [thread overview]
Message-ID: <20120527002614.098762397@linuxfoundation.org> (raw)
In-Reply-To: <20120527005203.GA2146@kroah.com>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Moyer <jmoyer@redhat.com>
commit 080399aaaf3531f5b8761ec0ac30ff98891e8686 upstream.
Hi,
We have a bug report open where a squashfs image mounted on ppc64 would
exhibit errors due to trying to read beyond the end of the disk. It can
easily be reproduced by doing the following:
[root@ibm-p750e-02-lp3 ~]# ls -l install.img
-rw-r--r-- 1 root root 142032896 Apr 30 16:46 install.img
[root@ibm-p750e-02-lp3 ~]# mount -o loop ./install.img /mnt/test
[root@ibm-p750e-02-lp3 ~]# dd if=/dev/loop0 of=/dev/null
dd: reading `/dev/loop0': Input/output error
277376+0 records in
277376+0 records out
142016512 bytes (142 MB) copied, 0.9465 s, 150 MB/s
In dmesg, you'll find the following:
squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 43.106012] attempt to access beyond end of device
[ 43.106029] loop0: rw=0, want=277410, limit=277408
[ 43.106039] Buffer I/O error on device loop0, logical block 138704
[ 43.106053] attempt to access beyond end of device
[ 43.106057] loop0: rw=0, want=277412, limit=277408
[ 43.106061] Buffer I/O error on device loop0, logical block 138705
[ 43.106066] attempt to access beyond end of device
[ 43.106070] loop0: rw=0, want=277414, limit=277408
[ 43.106073] Buffer I/O error on device loop0, logical block 138706
[ 43.106078] attempt to access beyond end of device
[ 43.106081] loop0: rw=0, want=277416, limit=277408
[ 43.106085] Buffer I/O error on device loop0, logical block 138707
[ 43.106089] attempt to access beyond end of device
[ 43.106093] loop0: rw=0, want=277418, limit=277408
[ 43.106096] Buffer I/O error on device loop0, logical block 138708
[ 43.106101] attempt to access beyond end of device
[ 43.106104] loop0: rw=0, want=277420, limit=277408
[ 43.106108] Buffer I/O error on device loop0, logical block 138709
[ 43.106112] attempt to access beyond end of device
[ 43.106116] loop0: rw=0, want=277422, limit=277408
[ 43.106120] Buffer I/O error on device loop0, logical block 138710
[ 43.106124] attempt to access beyond end of device
[ 43.106128] loop0: rw=0, want=277424, limit=277408
[ 43.106131] Buffer I/O error on device loop0, logical block 138711
[ 43.106135] attempt to access beyond end of device
[ 43.106139] loop0: rw=0, want=277426, limit=277408
[ 43.106143] Buffer I/O error on device loop0, logical block 138712
[ 43.106147] attempt to access beyond end of device
[ 43.106151] loop0: rw=0, want=277428, limit=277408
[ 43.106154] Buffer I/O error on device loop0, logical block 138713
[ 43.106158] attempt to access beyond end of device
[ 43.106162] loop0: rw=0, want=277430, limit=277408
[ 43.106166] attempt to access beyond end of device
[ 43.106169] loop0: rw=0, want=277432, limit=277408
...
[ 43.106307] attempt to access beyond end of device
[ 43.106311] loop0: rw=0, want=277470, limit=2774
Squashfs manages to read in the end block(s) of the disk during the
mount operation. Then, when dd reads the block device, it leads to
block_read_full_page being called with buffers that are beyond end of
disk, but are marked as mapped. Thus, it would end up submitting read
I/O against them, resulting in the errors mentioned above. I fixed the
problem by modifying init_page_buffers to only set the buffer mapped if
it fell inside of i_size.
Cheers,
Jeff
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Acked-by: Nick Piggin <npiggin@kernel.dk>
--
Changes from v1->v2: re-used max_block, as suggested by Nick Piggin.
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/block_dev.c | 6 +++---
fs/buffer.c | 4 +++-
include/linux/fs.h | 1 +
3 files changed, 7 insertions(+), 4 deletions(-)
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -64,7 +64,7 @@ static void bdev_inode_switch_bdi(struct
spin_unlock(&inode_wb_list_lock);
}
-static sector_t max_block(struct block_device *bdev)
+sector_t blkdev_max_block(struct block_device *bdev)
{
sector_t retval = ~((sector_t)0);
loff_t sz = i_size_read(bdev->bd_inode);
@@ -135,7 +135,7 @@ static int
blkdev_get_block(struct inode *inode, sector_t iblock,
struct buffer_head *bh, int create)
{
- if (iblock >= max_block(I_BDEV(inode))) {
+ if (iblock >= blkdev_max_block(I_BDEV(inode))) {
if (create)
return -EIO;
@@ -157,7 +157,7 @@ static int
blkdev_get_blocks(struct inode *inode, sector_t iblock,
struct buffer_head *bh, int create)
{
- sector_t end_block = max_block(I_BDEV(inode));
+ sector_t end_block = blkdev_max_block(I_BDEV(inode));
unsigned long max_blocks = bh->b_size >> inode->i_blkbits;
if ((iblock + max_blocks) > end_block) {
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -968,6 +968,7 @@ init_page_buffers(struct page *page, str
struct buffer_head *head = page_buffers(page);
struct buffer_head *bh = head;
int uptodate = PageUptodate(page);
+ sector_t end_block = blkdev_max_block(I_BDEV(bdev->bd_inode));
do {
if (!buffer_mapped(bh)) {
@@ -976,7 +977,8 @@ init_page_buffers(struct page *page, str
bh->b_blocknr = block;
if (uptodate)
set_buffer_uptodate(bh);
- set_buffer_mapped(bh);
+ if (block < end_block)
+ set_buffer_mapped(bh);
}
block++;
bh = bh->b_this_page;
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2029,6 +2029,7 @@ extern void unregister_blkdev(unsigned i
extern struct block_device *bdget(dev_t);
extern struct block_device *bdgrab(struct block_device *bdev);
extern void bd_set_size(struct block_device *, loff_t size);
+extern sector_t blkdev_max_block(struct block_device *bdev);
extern void bd_forget(struct inode *inode);
extern void bdput(struct block_device *);
extern void invalidate_bdev(struct block_device *);
next prev parent reply other threads:[~2012-05-27 1:56 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-27 0:52 [ 00/55] 3.0.33-stable review Greg KH
2012-05-27 0:26 ` [ 01/55] tilegx: enable SYSCALL_WRAPPERS support Greg KH
2012-05-27 0:26 ` [ 02/55] block: fix buffer overflow when printing partition UUIDs Greg KH
2012-05-27 0:26 ` Greg KH [this message]
2012-05-27 0:26 ` [ 04/55] PARISC: fix PA1.1 oops on boot Greg KH
2012-05-27 0:26 ` [ 05/55] PARISC: fix crash in flush_icache_page_asm on PA1.1 Greg KH
2012-05-27 0:26 ` [ 06/55] PARISC: fix panic on prefetch(NULL) on PA7300LC Greg KH
2012-05-27 0:26 ` [ 07/55] isdn/gigaset: ratelimit CAPI message dumps Greg KH
2012-05-27 0:26 ` [ 08/55] vfs: make AIO use the proper rw_verify_area() area helpers Greg KH
2012-05-27 0:26 ` [ 09/55] cfg80211: warn if db.txt is empty with CONFIG_CFG80211_INTERNAL_REGDB Greg KH
2012-05-27 0:26 ` [ 10/55] Fix blocking allocations called very early during bootup Greg KH
2012-05-27 0:26 ` [ 11/55] s390/pfault: fix task state race Greg KH
2012-05-27 0:26 ` [ 12/55] SCSI: mpt2sas: Fix for panic happening because of improper memory allocation Greg KH
2012-05-27 0:26 ` [ 13/55] RDMA/cxgb4: Drop peer_abort when no endpoint found Greg KH
2012-05-27 0:26 ` [ 14/55] KEYS: Use the compat keyctl() syscall wrapper on Sparc64 for Sparc32 compat Greg KH
2012-05-27 0:26 ` [ 15/55] SELinux: if sel_make_bools errors dont leave inconsistent state Greg KH
2012-05-27 0:26 ` [ 16/55] drivers/staging/comedi/comedi_fops.c: add missing vfree Greg KH
2012-05-27 0:26 ` [ 17/55] perf/x86: Update event scheduling constraints for AMD family 15h models Greg KH
2012-05-27 0:26 ` [ 18/55] mtd: sm_ftl: fix typo in major number Greg KH
2012-05-27 0:26 ` [ 19/55] ahci: Detect Marvell 88SE9172 SATA controller Greg KH
2012-05-27 0:26 ` [ 20/55] um: Fix __swp_type() Greg KH
2012-05-27 0:26 ` [ 21/55] um: Implement a custom pte_same() function Greg KH
2012-05-27 0:26 ` [ 22/55] docs: update HOWTO for 2.6.x -> 3.x versioning Greg KH
2012-05-27 0:26 ` [ 23/55] USB: cdc-wdm: poll must return POLLHUP if device is gone Greg KH
2012-05-27 0:26 ` [ 24/55] workqueue: skip nr_running sanity check in worker_enter_idle() if trustee is active Greg KH
2012-05-27 0:26 ` [ 25/55] mm: mempolicy: Let vma_merge and vma_split handle vma->vm_policy linkages Greg KH
2012-05-27 0:26 ` [ 26/55] md: using GFP_NOIO to allocate bio for flush request Greg KH
2012-05-27 0:26 ` [ 27/55] Add missing call to uart_update_timeout() Greg KH
2012-05-27 0:26 ` [ 28/55] tty: Allow uart_register/unregister/register Greg KH
2012-05-27 0:26 ` [ 29/55] USB: ftdi-sio: add support for Physik Instrumente E-861 Greg KH
2012-05-27 0:26 ` [ 30/55] usb-storage: unusual_devs entry for Yarvik PMP400 MP4 player Greg KH
2012-05-27 0:26 ` [ 31/55] USB: ffs-test: fix length argument of out function call Greg KH
2012-05-27 0:26 ` [ 32/55] drivers/rtc/rtc-pl031.c: configure correct wday for 2000-01-01 Greg KH
2012-05-27 0:26 ` [ 33/55] SCSI: hpsa: Fix problem with MSA2xxx devices Greg KH
2012-05-27 0:26 ` [ 34/55] usb: usbtest: two super speed fixes for usbtest Greg KH
2012-05-27 0:26 ` [ 35/55] USB: Remove races in devio.c Greg KH
2012-05-27 0:26 ` [ 36/55] USB: serial: ti_usb_3410_5052: Add support for the FRI2 serial console Greg KH
2012-05-27 0:26 ` [ 37/55] usb: gadget: fsl_udc_core: dTDs next dtd pointer need to be updated once written Greg KH
2012-05-27 0:26 ` [ 38/55] usb: add USB_QUIRK_RESET_RESUME for M-Audio 88es Greg KH
2012-05-27 0:26 ` [ 39/55] xhci: Add Lynx Point to list of Intel switchable hosts Greg KH
2012-05-27 0:26 ` [ 40/55] usb-xhci: Handle COMP_TX_ERR for isoc tds Greg KH
2012-05-27 0:26 ` [ 41/55] xhci: Reset reserved command ring TRBs on cleanup Greg KH
2012-05-27 0:26 ` [ 42/55] xhci: Add new short TX quirk for Fresco Logic host Greg KH
2012-05-27 0:26 ` [ 43/55] drm/i915: Avoid a double-read of PCH_IIR during interrupt handling Greg KH
2012-05-27 0:26 ` [ 44/55] drm/i915: [GEN7] Use HW scheduler for fixed function shaders Greg KH
2012-05-27 0:26 ` [ 45/55] drm/i915: dont clobber the pipe param in sanitize_modesetting Greg KH
2012-05-27 0:26 ` [ 46/55] nouveau: nouveau_set_bo_placement takes TTM flags Greg KH
2012-05-27 0:27 ` [ 47/55] [media] smsusb: add autodetection support for USB ID 2040:c0a0 Greg KH
2012-05-27 0:27 ` [ 48/55] media: uvcvideo: Fix ENUMINPUT handling Greg KH
2012-05-27 0:27 ` [ 49/55] x86/mce: Fix check for processor context when machine check was taken Greg KH
2012-05-27 0:27 ` [ 50/55] mmc: sdio: avoid spurious calls to interrupt handlers Greg KH
2012-05-27 0:27 ` [ 51/55] tile: fix bug where fls(0) was not returning 0 Greg KH
2012-05-27 0:27 ` [ 52/55] isci: fix oem parameter validation on single controller skus Greg KH
2012-05-27 0:27 ` [ 53/55] ARM: 7365/1: drop unused parameter from flush_cache_user_range Greg KH
2012-05-27 0:27 ` [ 54/55] ARM: 7409/1: Do not call flush_cache_user_range with mmap_sem held Greg KH
2012-05-27 0:27 ` [ 55/55] i2c: davinci: Free requested IRQ in remove Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120527002614.098762397@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=axboe@kernel.dk \
--cc=jmoyer@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=npiggin@kernel.dk \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.