From: Eric Biggers <ebiggers@kernel.org>
To: stable@vger.kernel.org
Cc: linux-ext4@vger.kernel.org, Theodore Ts'o <tytso@mit.edu>
Subject: [PATCH 5.15 09/10] ext4: fix unaligned memory access in ext4_fc_reserve_space()
Date: Wed, 4 Jan 2023 23:13:58 -0800
Message-ID: <20230105071359.257952-10-ebiggers@kernel.org>
In-Reply-To: <20230105071359.257952-1-ebiggers@kernel.org>

From: Eric Biggers <ebiggers@google.com>

commit 8415ce07ecf0cc25efdd5db264a7133716e503cf upstream.

As is done elsewhere in the file, build the struct ext4_fc_tl on the
stack and memcpy() it into the buffer, rather than directly writing it
to a potentially-unaligned location in the buffer.

Fixes: aa75f4d3daae ("ext4: main fast-commit commit path")
Cc: <stable@vger.kernel.org> # v5.10+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20221106224841.279231-6-ebiggers@kernel.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
---
fs/ext4/fast_commit.c | 39 +++++++++++++++++++++------------------
1 file changed, 21 insertions(+), 18 deletions(-)
diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c
index f92eb89a8a2b2..fe65df2d41dd4 100644
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -604,6 +604,15 @@ static void ext4_fc_submit_bh(struct super_block *sb, bool is_tail)
/* Ext4 commit path routines */
+/* memcpy to fc reserved space and update CRC */
+static void *ext4_fc_memcpy(struct super_block *sb, void *dst, const void *src,
+ int len, u32 *crc)
+{
+ if (crc)
+ *crc = ext4_chksum(EXT4_SB(sb), *crc, src, len);
+ return memcpy(dst, src, len);
+}
+
/* memzero and update CRC */
static void *ext4_fc_memzero(struct super_block *sb, void *dst, int len,
u32 *crc)
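Review bot: The commit message does not mention that ext4_fc_memcpy() is relocated; here it is added above ext4_fc_memzero() with a body identical to the copy deleted further down in the file. A sentence in the message saying the helper is moved up so that ext4_fc_reserve_space() can call it would make clear that this part is pure code movement and let a reviewer skip comparing the two copies by hand.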
@@ -629,12 +638,13 @@ static void *ext4_fc_memzero(struct super_block *sb, void *dst, int len,
*/
static u8 *ext4_fc_reserve_space(struct super_block *sb, int len, u32 *crc)
{
- struct ext4_fc_tl *tl;
+ struct ext4_fc_tl tl;
struct ext4_sb_info *sbi = EXT4_SB(sb);
struct buffer_head *bh;
int bsize = sbi->s_journal->j_blocksize;
int ret, off = sbi->s_fc_bytes % bsize;
int pad_len;
+ u8 *dst;
/*
* After allocating len, we should have space at least for a 0 byte
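Review bot: `struct ext4_fc_tl tl;` is declared without an initializer, and later in the function only fc_tag and fc_len are assigned before EXT4_FC_TAG_BASE_LEN bytes of it are copied into the on-disk buffer. That is safe only while EXT4_FC_TAG_BASE_LEN covers exactly those two fields; anything else inside that length would carry stack contents into the journal block. Consider `struct ext4_fc_tl tl = {};` or a short comment next to the declaration stating the assumption.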
@@ -658,16 +668,18 @@ static u8 *ext4_fc_reserve_space(struct super_block *sb, int len, u32 *crc)
return sbi->s_fc_bh->b_data + off;
}
/* Need to add PAD tag */
- tl = (struct ext4_fc_tl *)(sbi->s_fc_bh->b_data + off);
- tl->fc_tag = cpu_to_le16(EXT4_FC_TAG_PAD);
+ dst = sbi->s_fc_bh->b_data + off;
+ tl.fc_tag = cpu_to_le16(EXT4_FC_TAG_PAD);
pad_len = bsize - off - 1 - EXT4_FC_TAG_BASE_LEN;
- tl->fc_len = cpu_to_le16(pad_len);
- if (crc)
- *crc = ext4_chksum(sbi, *crc, tl, EXT4_FC_TAG_BASE_LEN);
- if (pad_len > 0)
- ext4_fc_memzero(sb, tl + 1, pad_len, crc);
+ tl.fc_len = cpu_to_le16(pad_len);
+ ext4_fc_memcpy(sb, dst, &tl, EXT4_FC_TAG_BASE_LEN, crc);
+ dst += EXT4_FC_TAG_BASE_LEN;
+ if (pad_len > 0) {
+ ext4_fc_memzero(sb, dst, pad_len, crc);
+ dst += pad_len;
+ }
/* Don't leak uninitialized memory in the unused last byte. */
- *((u8 *)(tl + 1) + pad_len) = 0;
+ *dst = 0;
ext4_fc_submit_bh(sb, false);
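Review bot: Nothing visible in this hunk bounds pad_len from below: the `if (pad_len > 0)` guard is kept, but `tl.fc_len = cpu_to_le16(pad_len)` and the final `*dst = 0` run unconditionally. If pad_len can be negative, the stored length wraps, and dst, which at that point equals b_data + off + EXT4_FC_TAG_BASE_LEN, is at or past the end of a bsize-byte block. If the check earlier in the function guarantees pad_len >= 0, a comment or a WARN_ON_ONCE(pad_len < 0) beside the computation would document that invariant.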
@@ -679,15 +691,6 @@ static u8 *ext4_fc_reserve_space(struct super_block *sb, int len, u32 *crc)
return sbi->s_fc_bh->b_data;
}
-/* memcpy to fc reserved space and update CRC */
-static void *ext4_fc_memcpy(struct super_block *sb, void *dst, const void *src,
- int len, u32 *crc)
-{
- if (crc)
- *crc = ext4_chksum(EXT4_SB(sb), *crc, src, len);
- return memcpy(dst, src, len);
-}
-
/*
* Complete a fast commit by writing tail tag.
*
--
2.39.0