Subject: Patch "xfs: fix a sloppy memory handling bug in xfs_iroot_realloc" has been added to the 6.6-stable tree
To: catherine.hoang@oracle.com,djwong@kernel.org,gregkh@linuxfoundation.org,hch@lst.de,xfs-stable@lists.linux.dev
Date: Fri, 21 Feb 2025 16:23:28 +0100
In-Reply-To: <20250205214025.72516-4-catherine.hoang@oracle.com>
Message-ID: <2025022128-refocus-rubdown-38eb@gregkh>

This is a note to let you know that I've just added the patch titled

    xfs: fix a sloppy memory handling bug in xfs_iroot_realloc

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfs-fix-a-sloppy-memory-handling-bug-in-xfs_iroot_realloc.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.

>From stable+bounces-113969-greg=kroah.com@vger.kernel.org Wed Feb 5 22:40:47 2025
From: Catherine Hoang
Date: Wed, 5 Feb 2025 13:40:04 -0800
Subject: xfs: fix a sloppy memory handling bug in xfs_iroot_realloc
To: stable@vger.kernel.org
Cc: xfs-stable@lists.linux.dev
Message-ID: <20250205214025.72516-4-catherine.hoang@oracle.com>

From: "Darrick J. Wong"

commit de55149b6639e903c4d06eb0474ab2c05060e61d upstream.

While refactoring code, I noticed that when xfs_iroot_realloc tries to
shrink a bmbt root block, it allocates a smaller new block and then
copies "records" and pointers to the new block. However, bmbt root
blocks cannot ever be leaves, which means that it's not technically
correct to copy records. We /should/ be copying keys.

Note that this has never resulted in actual memory corruption because
sizeof(bmbt_rec) == (sizeof(bmbt_key) + sizeof(bmbt_ptr)). However,
this will no longer be true when we start adding realtime rmap stuff,
so fix this now.

Signed-off-by: Darrick J. Wong
Reviewed-by: Christoph Hellwig
Signed-off-by: Catherine Hoang
Acked-by: Darrick J. Wong
Signed-off-by: Greg Kroah-Hartman
--- fs/xfs/libxfs/xfs_inode_fork.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) --- a/fs/xfs/libxfs/xfs_inode_fork.c +++ b/fs/xfs/libxfs/xfs_inode_fork.c 
@@ -449,15 +449,15 @@ xfs_iroot_realloc( } /* - * Only copy the records and pointers if there are any. + * Only copy the keys and pointers if there are any. */ if (new_max > 0) { /* - * First copy the records. + * First copy the keys. */ - op = (char *)XFS_BMBT_REC_ADDR(mp, ifp->if_broot, 1); - np = (char *)XFS_BMBT_REC_ADDR(mp, new_broot, 1); - memcpy(np, op, new_max * (uint)sizeof(xfs_bmbt_rec_t)); + op = (char *)XFS_BMBT_KEY_ADDR(mp, ifp->if_broot, 1); + np = (char *)XFS_BMBT_KEY_ADDR(mp, new_broot, 1); + memcpy(np, op, new_max * (uint)sizeof(xfs_bmbt_key_t)); /* * Then copy the pointers. Patches currently in stable-queue which might be from catherine.hoang@oracle.com are queue-6.6/xfs-return-bool-from-xfs_attr3_leaf_add.patch queue-6.6/xfs-fix-a-sloppy-memory-handling-bug-in-xfs_iroot_realloc.patch queue-6.6/xfs-streamline-xfs_filestream_pick_ag.patch queue-6.6/xfs-merge-xfs_attr_leaf_try_add-into-xfs_attr_leaf_addname.patch queue-6.6/xfs-don-t-free-cowblocks-from-under-dirty-pagecache-on-unshare.patch queue-6.6/xfs-pass-the-exact-range-to-initialize-to-xfs_initialize_perag.patch queue-6.6/xfs-assert-a-valid-limit-in-xfs_rtfind_forw.patch queue-6.6/xfs-don-t-use-__gfp_retry_mayfail-in-xfs_initialize_perag.patch queue-6.6/xfs-use-try_cmpxchg-in-xlog_cil_insert_pcp_aggregate.patch queue-6.6/xfs-don-t-ifdef-around-the-exact-minlen-allocations.patch queue-6.6/xfs-reduce-unnecessary-searches-when-searching-for-the-best-extents.patch queue-6.6/xfs-validate-inumber-in-xfs_iget.patch queue-6.6/xfs-support-lowmode-allocations-in-xfs_bmap_exact_minlen_extent_alloc.patch queue-6.6/xfs-skip-background-cowblock-trims-on-inodes-open-for-write.patch queue-6.6/xfs-remove-empty-declartion-in-header-file.patch queue-6.6/xfs-fold-xfs_bmap_alloc_userdata-into-xfs_bmapi_allocate.patch queue-6.6/xfs-update-the-file-system-geometry-after-recoverying-superblock-buffers.patch queue-6.6/xfs-call-xfs_bmap_exact_minlen_extent_alloc-from-xfs_bmap_btalloc.patch 
queue-6.6/xfs-distinguish-extra-split-from-real-enospc-from-xfs_attr_node_try_addname.patch queue-6.6/xfs-error-out-when-a-superblock-buffer-update-reduces-the-agcount.patch queue-6.6/xfs-update-the-pag-for-the-last-ag-at-recovery-time.patch queue-6.6/xfs-check-for-delayed-allocations-before-setting-extsize.patch queue-6.6/xfs-fix-a-typo.patch queue-6.6/xfs-distinguish-extra-split-from-real-enospc-from-xfs_attr3_leaf_split.patch
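
Review bot: the invariant that makes the key copy in the `if (new_max > 0)` block correct, that a bmbt root block is never a leaf, is stated only in the commit message and not in the code. The updated comments say "keys" but do not say why records cannot occur here, so a one-line comment that the root is always an interior node, or an assertion to that effect ahead of the `memcpy`, would keep a later cleanup from switching the macros back. The copy length `new_max * (uint)sizeof(xfs_bmbt_key_t)` is now smaller than the old record-sized length (by the size equality the commit message gives), so the key copy no longer spills into the area the pointer copy fills; that pointer copy appears in this context only as its comment "Then copy the pointers", so it is worth confirming in the full file that it is sized by the pointer type and does not rely on the earlier over-copy.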