From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Baokun Li <libaokun1@huawei.com>,
"Ritesh Harjani (IBM)" <ritesh.list@gmail.com>,
Theodore Tso <tytso@mit.edu>,
stable@kernel.org
Subject: [PATCH 5.4 43/74] ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow
Date: Mon, 6 Nov 2023 14:04:03 +0100 [thread overview]
Message-ID: <20231106130303.227585695@linuxfoundation.org> (raw)
In-Reply-To: <20231106130301.687882731@linuxfoundation.org>
5.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit bc056e7163ac7db945366de219745cf94f32a3e6 upstream.
When we calculate the end position of ext4_free_extent, this position may
be exactly where ext4_lblk_t (i.e. uint) overflows. For example, if
ac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the
computed end is 0x100000000, which is 0. If ac->ac_o_ex.fe_logical is not
the first case of adjusting the best extent, that is, new_bex_end > 0, the
following BUG_ON will be triggered:
=========================================================
kernel BUG at fs/ext4/mballoc.c:5116!
invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279
RIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430
Call Trace:
<TASK>
ext4_mb_use_best_found+0x203/0x2f0
ext4_mb_try_best_found+0x163/0x240
ext4_mb_regular_allocator+0x158/0x1550
ext4_mb_new_blocks+0x86a/0xe10
ext4_ext_map_blocks+0xb0c/0x13a0
ext4_map_blocks+0x2cd/0x8f0
ext4_iomap_begin+0x27b/0x400
iomap_iter+0x222/0x3d0
__iomap_dio_rw+0x243/0xcb0
iomap_dio_rw+0x16/0x80
=========================================================
A simple reproducer demonstrating the problem:
mkfs.ext4 -F /dev/sda -b 4096 100M
mount /dev/sda /tmp/test
fallocate -l1M /tmp/test/tmp
fallocate -l10M /tmp/test/file
fallocate -i -o 1M -l16777203M /tmp/test/file
fsstress -d /tmp/test -l 0 -n 100000 -p 8 &
sleep 10 && killall -9 fsstress
rm -f /tmp/test/tmp
xfs_io -c "open -ad /tmp/test/file" -c "pwrite -S 0xff 0 8192"
We simply refactor the logic for adjusting the best extent by adding
a temporary ext4_free_extent ex and use extent_logical_end() to avoid
overflow, which also simplifies the code.
Cc: stable@kernel.org # 6.4
Fixes: 93cdf49f6eca ("ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()")
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Link: https://lore.kernel.org/r/20230724121059.11834-3-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/mballoc.c | 31 ++++++++++++++-----------------
1 file changed, 14 insertions(+), 17 deletions(-)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -3680,8 +3680,11 @@ ext4_mb_new_inode_pa(struct ext4_allocat
return -ENOMEM;
if (ac->ac_b_ex.fe_len < ac->ac_g_ex.fe_len) {
- int new_bex_start;
- int new_bex_end;
+ struct ext4_free_extent ex = {
+ .fe_logical = ac->ac_g_ex.fe_logical,
+ .fe_len = ac->ac_g_ex.fe_len,
+ };
+ loff_t orig_goal_end = extent_logical_end(sbi, &ex);
/* we can't allocate as much as normalizer wants.
* so, found space must get proper lstart
@@ -3700,29 +3703,23 @@ ext4_mb_new_inode_pa(struct ext4_allocat
* still cover original start
* 3. Else, keep the best ex at start of original request.
*/
- new_bex_end = ac->ac_g_ex.fe_logical +
- EXT4_C2B(sbi, ac->ac_g_ex.fe_len);
- new_bex_start = new_bex_end - EXT4_C2B(sbi, ac->ac_b_ex.fe_len);
- if (ac->ac_o_ex.fe_logical >= new_bex_start)
- goto adjust_bex;
+ ex.fe_len = ac->ac_b_ex.fe_len;
- new_bex_start = ac->ac_g_ex.fe_logical;
- new_bex_end =
- new_bex_start + EXT4_C2B(sbi, ac->ac_b_ex.fe_len);
- if (ac->ac_o_ex.fe_logical < new_bex_end)
+ ex.fe_logical = orig_goal_end - EXT4_C2B(sbi, ex.fe_len);
+ if (ac->ac_o_ex.fe_logical >= ex.fe_logical)
goto adjust_bex;
- new_bex_start = ac->ac_o_ex.fe_logical;
- new_bex_end =
- new_bex_start + EXT4_C2B(sbi, ac->ac_b_ex.fe_len);
+ ex.fe_logical = ac->ac_g_ex.fe_logical;
+ if (ac->ac_o_ex.fe_logical < extent_logical_end(sbi, &ex))
+ goto adjust_bex;
+ ex.fe_logical = ac->ac_o_ex.fe_logical;
adjust_bex:
- ac->ac_b_ex.fe_logical = new_bex_start;
+ ac->ac_b_ex.fe_logical = ex.fe_logical;
BUG_ON(ac->ac_o_ex.fe_logical < ac->ac_b_ex.fe_logical);
BUG_ON(ac->ac_o_ex.fe_len > ac->ac_b_ex.fe_len);
- BUG_ON(new_bex_end > (ac->ac_g_ex.fe_logical +
- EXT4_C2B(sbi, ac->ac_g_ex.fe_len)));
+ BUG_ON(extent_logical_end(sbi, &ex) > orig_goal_end);
}
/* preallocation can change ac_b_ex, thus we store actually
next prev parent reply other threads:[~2023-11-06 13:21 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-06 13:03 [PATCH 5.4 00/74] 5.4.260-rc1 review Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 01/74] mtd: rawnand: marvell: Ensure program page operations are successful Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 02/74] selftests/ftrace: Add new test case which checks non unique symbol Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 03/74] mcb: Return actual parsed size when reading chameleon table Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 04/74] mcb-lpc: Reallocate memory region to avoid memory overlapping Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 05/74] virtio_balloon: Fix endless deflation and inflation on arm64 Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 06/74] virtio-mmio: fix memory leak of vm_dev Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 07/74] r8169: fix the KCSAN reported data-race in rtl_tx while reading TxDescArray[entry].opts1 Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 08/74] r8169: fix the KCSAN reported data race in rtl_rx while reading desc->opts1 Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 09/74] treewide: Spelling fix in comment Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 10/74] igb: Fix potential memory leak in igb_add_ethtool_nfc_entry Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 11/74] neighbour: fix various data-races Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 12/74] igc: Fix ambiguity in the ethtool advertising Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 13/74] net: ieee802154: adf7242: Fix some potential buffer overflow in adf7242_stats_show() Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 14/74] r8152: Increase USB control msg timeout to 5000ms as per spec Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 15/74] r8152: Run the unload routine if we have errors during probe Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 16/74] r8152: Cancel hw_phy_work if we have an error in probe Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 17/74] tcp: fix wrong RTO timeout when received SACK reneging Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 18/74] gtp: uapi: fix GTPA_MAX Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 19/74] gtp: fix fragmentation needed check with gso Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 20/74] iio: exynos-adc: request second interupt only when touchscreen mode is used Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 21/74] i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node() Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 22/74] i2c: muxes: i2c-mux-gpmux: " Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 23/74] i2c: muxes: i2c-demux-pinctrl: " Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 24/74] i2c: stm32f7: Fix PEC handling in case of SMBUS transfers Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 25/74] i2c: aspeed: Fix i2c bus hang in slave read Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 26/74] nvmem: imx: correct nregs for i.MX6ULL Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 27/74] nvmem: imx: correct nregs for i.MX6SLL Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 28/74] nvmem: imx: correct nregs for i.MX6UL Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 29/74] perf/core: Fix potential NULL deref Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 30/74] clk: Sanitize possible_parent_show to Handle Return Value of of_clk_get_parent_name Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 31/74] i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 32/74] x86/i8259: Skip probing when ACPI/MADT advertises PCAT compatibility Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 33/74] drm/dp_mst: Fix NULL deref in get_mst_branch_device_by_guid_helper() Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 34/74] arm64: fix a concurrency issue in emulation_proc_handler() Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 35/74] kobject: Fix slab-out-of-bounds in fill_kobj_path() Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 36/74] smbdirect: missing rc checks while waiting for rdma events Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 37/74] f2fs: fix to do sanity check on inode type during garbage collection Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 38/74] nfsd: lock_rename() needs both directories to live on the same fs Greg Kroah-Hartman
2023-11-06 13:03 ` [PATCH 5.4 39/74] x86/mm: Simplify RESERVE_BRK() Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 40/74] x86/mm: Fix RESERVE_BRK() for older binutils Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 41/74] ext4: add two helper functions extent_logical_end() and pa_logical_end() Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 42/74] ext4: avoid overlapping preallocations due to overflow Greg Kroah-Hartman
2023-11-06 13:04 ` Greg Kroah-Hartman [this message]
2023-11-06 13:04 ` [PATCH 5.4 44/74] driver: platform: Add helper for safer setting of driver_override Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 45/74] rpmsg: Constify local variable in field store macro Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 46/74] rpmsg: Fix kfree() of static memory on setting driver_override Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 47/74] rpmsg: Fix calling device_lock() on non-initialized device Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 48/74] rpmsg: glink: Release driver_override Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 49/74] rpmsg: Fix possible refcount leak in rpmsg_register_device_override() Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 50/74] x86: Fix .brk attribute in linker script Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 51/74] Input: i8042 - add Fujitsu Lifebook E5411 to i8042 quirk table Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 52/74] irqchip/stm32-exti: add missing DT IRQ flag translation Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 53/74] dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 54/74] Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 55/74] fbdev: atyfb: only use ioremap_uc() on i386 and ia64 Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 56/74] spi: npcm-fiu: Fix UMA reads when dummy.nbytes == 0 Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 57/74] netfilter: nfnetlink_log: silence bogus compiler warning Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 58/74] ASoC: rt5650: fix the wrong result of key button Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 59/74] fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit() Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 60/74] scsi: mpt3sas: Fix in error path Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 61/74] platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 62/74] platform/mellanox: mlxbf-tmfifo: Fix a warning message Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 63/74] net: chelsio: cxgb4: add an error code check in t4_load_phy_fw Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 64/74] ata: ahci: fix enum constants for gcc-13 Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 65/74] remove the sx8 block driver Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 66/74] nvmet-tcp: move send/recv error handling in the send/recv methods instead of call-sites Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 67/74] nvmet-tcp: Fix a possible UAF in queue intialization setup Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 68/74] Revert "ARM: dts: Move am33xx and am43xx mmc nodes to sdhci-omap driver" Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 69/74] PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 70/74] usb: storage: set 1.50 as the lower bcdDevice for older "Super Top" compatibility Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 71/74] tty: 8250: Remove UC-257 and UC-431 Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 72/74] tty: 8250: Add support for additional Brainboxes UC cards Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 73/74] tty: 8250: Add support for Brainboxes UP cards Greg Kroah-Hartman
2023-11-06 13:04 ` [PATCH 5.4 74/74] tty: 8250: Add support for Intashield IS-100 Greg Kroah-Hartman
2023-11-06 17:32 ` [PATCH 5.4 00/74] 5.4.260-rc1 review Florian Fainelli
2023-11-07 11:42 ` Jon Hunter
2023-11-07 15:31 ` Harshit Mogalapalli
2023-11-07 15:51 ` Shuah Khan
2023-11-07 18:26 ` Naresh Kamboju
2023-11-07 18:53 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231106130303.227585695@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=libaokun1@huawei.com \
--cc=patches@lists.linux.dev \
--cc=ritesh.list@gmail.com \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox