From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+c103d3808a0de5faaf80@syzkaller.appspotmail.com,
"Darrick J. Wong" <djwong@kernel.org>,
Dave Chinner <dchinner@redhat.com>,
Dave Chinner <david@fromorbit.com>,
Leah Rumancik <leah.rumancik@gmail.com>,
Chandan Babu R <chandanbabu@kernel.org>
Subject: [PATCH 6.1 50/73] xfs: fix negative array access in xfs_getbmap
Date: Fri, 27 Sep 2024 14:24:01 +0200 [thread overview]
Message-ID: <20240927121721.928983165@linuxfoundation.org> (raw)
In-Reply-To: <20240927121719.897851549@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Darrick J. Wong" <djwong@kernel.org>
[ Upstream commit 1bba82fe1afac69c85c1f5ea137c8e73de3c8032 ]
In commit 8ee81ed581ff, Ye Bin complained about an ASSERT in the bmapx
code that trips if we encounter a delalloc extent after flushing the
pagecache to disk. The ioctl code does not hold MMAPLOCK so it's
entirely possible that a racing write page fault can create a delalloc
extent after the file has been flushed. The proposed solution was to
replace the assertion with an early return that avoids filling out the
bmap recordset with a delalloc entry if the caller didn't ask for it.
At the time, I recall thinking that the forward logic sounded ok, but
felt hesitant because I suspected that changing this code would cause
something /else/ to burst loose due to some other subtlety.
syzbot of course found that subtlety. If all the extent mappings found
after the flush are delalloc mappings, we'll reach the end of the data
fork without ever incrementing bmv->bmv_entries. This is new, since
before we'd have emitted the delalloc mappings even though the caller
didn't ask for them. Once we reach the end, we'll try to set
BMV_OF_LAST on the -1st entry (because bmv_entries is zero) and go
corrupt something else in memory. Yay.
I really dislike all these stupid patches that fiddle around with debug
code and break things that otherwise worked well enough. Nobody was
complaining that calling XFS_IOC_BMAPX without BMV_IF_DELALLOC would
return BMV_OF_DELALLOC records, and now we've gone from "weird behavior
that nobody cared about" to "bad behavior that must be addressed
immediately".
Maybe I'll just ignore anything from Huawei from now on for my own sake.
Reported-by: syzbot+c103d3808a0de5faaf80@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-xfs/20230412024907.GP360889@frogsfrogsfrogs/
Fixes: 8ee81ed581ff ("xfs: fix BUG_ON in xfs_getbmap()")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_bmap_util.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/xfs/xfs_bmap_util.c
+++ b/fs/xfs/xfs_bmap_util.c
@@ -558,7 +558,9 @@ xfs_getbmap(
if (!xfs_iext_next_extent(ifp, &icur, &got)) {
xfs_fileoff_t end = XFS_B_TO_FSB(mp, XFS_ISIZE(ip));
- out[bmv->bmv_entries - 1].bmv_oflags |= BMV_OF_LAST;
+ if (bmv->bmv_entries > 0)
+ out[bmv->bmv_entries - 1].bmv_oflags |=
+ BMV_OF_LAST;
if (whichfork != XFS_ATTR_FORK && bno < end &&
!xfs_getbmap_full(bmv)) {
next prev parent reply other threads:[~2024-09-27 12:32 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-27 12:23 [PATCH 6.1 00/73] 6.1.112-rc1 review Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 01/73] ASoC: SOF: mediatek: Add missing board compatible Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 02/73] ASoC: allow module autoloading for table db1200_pids Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 03/73] ASoC: allow module autoloading for table board_ids Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 04/73] ALSA: hda/realtek - Fixed ALC256 headphone no sound Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 05/73] ALSA: hda/realtek - FIxed ALC285 " Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 06/73] scsi: lpfc: Fix overflow build issue Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 07/73] pinctrl: at91: make it work with current gpiolib Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 08/73] hwmon: (asus-ec-sensors) remove VRM temp X570-E GAMING Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 09/73] microblaze: dont treat zero reserved memory regions as error Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 10/73] net: ftgmac100: Ensure tx descriptor updates are visible Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 11/73] LoongArch: Define ARCH_IRQ_INIT_FLAGS as IRQ_NOPROBE Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 12/73] wifi: iwlwifi: lower message level for FW buffer destination Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 13/73] wifi: iwlwifi: mvm: fix iwl_mvm_scan_fits() calculation Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 14/73] wifi: iwlwifi: mvm: pause TCM when the firmware is stopped Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 15/73] wifi: iwlwifi: mvm: dont wait for tx queues if firmware is dead Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 16/73] wifi: mac80211: free skb on error path in ieee80211_beacon_get_ap() Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 17/73] wifi: iwlwifi: clear trans->state earlier upon error Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 18/73] can: mcp251xfd: mcp251xfd_ring_init(): check TX-coalescing configuration Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 19/73] ASoC: Intel: soc-acpi-cht: Make Lenovo Yoga Tab 3 X90F DMI match less strict Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 20/73] ASoC: intel: fix module autoloading Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 21/73] ASoC: tda7419: " Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 22/73] spi: spidev: Add an entry for elgin,jg10309-01 Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 23/73] drm: komeda: Fix an issue related to normalized zpos Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 24/73] spi: bcm63xx: Enable module autoloading Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 25/73] smb: client: fix hang in wait_for_response() for negproto Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 26/73] x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 27/73] tools: hv: rm .*.cmd when make clean Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 28/73] block: Fix where bio IO priority gets set Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 29/73] spi: spidev: Add missing spi_device_id for jg10309-01 Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 30/73] ocfs2: add bounds checking to ocfs2_xattr_find_entry() Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 31/73] ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 32/73] xfs: dquot shrinker doesnt check for XFS_DQFLAG_FREEING Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 33/73] xfs: Fix deadlock on xfs_inodegc_worker Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 34/73] xfs: fix extent busy updating Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 35/73] xfs: dont use BMBT btree split workers for IO completion Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 36/73] xfs: fix low space alloc deadlock Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 37/73] xfs: prefer free inodes at ENOSPC over chunk allocation Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 38/73] xfs: block reservation too large for minleft allocation Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 39/73] xfs: fix uninitialized variable access Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 40/73] xfs: quotacheck failure can race with background inode inactivation Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 41/73] xfs: fix BUG_ON in xfs_getbmap() Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 42/73] xfs: buffer pins need to hold a buffer reference Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 43/73] xfs: defered work could create precommits Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 44/73] xfs: fix AGF vs inode cluster buffer deadlock Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 45/73] xfs: collect errors from inodegc for unlinked inode recovery Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 46/73] xfs: fix ag count overflow during growfs Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 47/73] xfs: remove WARN when dquot cache insertion fails Greg Kroah-Hartman
2024-09-27 12:23 ` [PATCH 6.1 48/73] xfs: fix the calculation for "end" and "length" Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 49/73] xfs: load uncached unlinked inodes into memory on demand Greg Kroah-Hartman
2024-09-27 12:24 ` Greg Kroah-Hartman [this message]
2024-09-27 12:24 ` [PATCH 6.1 51/73] xfs: fix unlink vs cluster buffer instantiation race Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 52/73] xfs: correct calculation for agend and blockcount Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 53/73] xfs: use i_prev_unlinked to distinguish inodes that are not on the unlinked list Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 54/73] xfs: reload entire unlinked bucket lists Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 55/73] xfs: make inode unlinked bucket recovery work with quotacheck Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 56/73] xfs: fix reloading entire unlinked bucket lists Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 57/73] xfs: set bnobt/cntbt numrecs correctly when formatting new AGs Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 58/73] xfs: journal geometry is not properly bounds checked Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 59/73] netfilter: nft_socket: make cgroupsv2 matching work with namespaces Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 60/73] netfilter: nft_socket: Fix a NULL vs IS_ERR() bug in nft_socket_cgroup_subtree_level() Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 61/73] netfilter: nft_set_pipapo: walk over current view on netlink dump Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 62/73] netfilter: nf_tables: missing iterator type in lookup walk Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 63/73] Revert "wifi: cfg80211: check wiphy mutex is held for wdev mutex" Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 64/73] gpiolib: cdev: Ignore reconfiguration without direction Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 65/73] gpio: prevent potential speculation leaks in gpio_device_get_desc() Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 66/73] can: mcp251xfd: properly indent labels Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 67/73] can: mcp251xfd: move mcp251xfd_timestamp_start()/stop() into mcp251xfd_chip_start/stop() Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 68/73] selftests: mptcp: join: restrict fullmesh endp on 1st sf Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 69/73] btrfs: calculate the right space for delayed refs when updating global reserve Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 70/73] powercap: RAPL: fix invalid initialization for pl4_supported field Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 71/73] x86/mm: Switch to new Intel CPU model defines Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 72/73] USB: serial: pl2303: add device id for Macrosilicon MS3020 Greg Kroah-Hartman
2024-09-27 12:24 ` [PATCH 6.1 73/73] USB: usbtmc: prevent kernel-usb-infoleak Greg Kroah-Hartman
2024-09-27 15:17 ` [PATCH 6.1 00/73] 6.1.112-rc1 review Peter Schneider
2024-09-27 15:52 ` Allen
2024-09-27 18:35 ` Jon Hunter
2024-09-27 18:40 ` Florian Fainelli
2024-09-28 12:39 ` Naresh Kamboju
2024-09-28 17:13 ` Shuah Khan
2024-09-29 8:43 ` Ron Economos
2024-09-29 11:19 ` Muhammad Usama Anjum
2024-09-30 8:41 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240927121721.928983165@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=chandanbabu@kernel.org \
--cc=david@fromorbit.com \
--cc=dchinner@redhat.com \
--cc=djwong@kernel.org \
--cc=leah.rumancik@gmail.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=syzbot+c103d3808a0de5faaf80@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox