From: Christoph Hellwig <hch@lst.de>
To: stable@vger.kernel.org
Cc: linux-xfs@vger.kernel.org,
"Darrick J. Wong" <darrick.wong@oracle.com>,
Dave Chinner <david@fromorbit.com>
Subject: [PATCH 20/32] xfs: forbid AG btrees with level == 0
Date: Mon, 9 Jan 2017 16:38:51 +0100
Message-ID: <1483976343-661-21-git-send-email-hch@lst.de>
In-Reply-To: <1483976343-661-1-git-send-email-hch@lst.de>
From: "Darrick J. Wong" <darrick.wong@oracle.com>
commit d2a047f31e86941fa896e0e3271536d50aba415e upstream.
There is no such thing as a zero-level AG btree since even a single-node
zero-records btree has one level. Btree cursor constructors read
cur_nlevels straight from disk and then access things like
cur_bufs[cur_nlevels - 1] which is /really/ bad if cur_nlevels is zero!
Therefore, strengthen the verifiers to prevent this possibility.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
---
fs/xfs/libxfs/xfs_alloc.c | 10 +++++++---
fs/xfs/libxfs/xfs_ialloc.c | 9 ++++++++-
2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c
index effb64c..5050056 100644
--- a/fs/xfs/libxfs/xfs_alloc.c
+++ b/fs/xfs/libxfs/xfs_alloc.c
@@ -2455,12 +2455,15 @@ xfs_agf_verify(
be32_to_cpu(agf->agf_flcount) <= XFS_AGFL_SIZE(mp)))
return false;
- if (be32_to_cpu(agf->agf_levels[XFS_BTNUM_BNO]) > XFS_BTREE_MAXLEVELS ||
+ if (be32_to_cpu(agf->agf_levels[XFS_BTNUM_BNO]) < 1 ||
+ be32_to_cpu(agf->agf_levels[XFS_BTNUM_CNT]) < 1 ||
+ be32_to_cpu(agf->agf_levels[XFS_BTNUM_BNO]) > XFS_BTREE_MAXLEVELS ||
be32_to_cpu(agf->agf_levels[XFS_BTNUM_CNT]) > XFS_BTREE_MAXLEVELS)
return false;
if (xfs_sb_version_hasrmapbt(&mp->m_sb) &&
- be32_to_cpu(agf->agf_levels[XFS_BTNUM_RMAP]) > XFS_BTREE_MAXLEVELS)
+ (be32_to_cpu(agf->agf_levels[XFS_BTNUM_RMAP]) < 1 ||
+ be32_to_cpu(agf->agf_levels[XFS_BTNUM_RMAP]) > XFS_BTREE_MAXLEVELS))
return false;
/*
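Review bot: the new `< 1` bounds on agf_levels[] carry no comment, so the reason a level of zero is invalid lives only in the commit message. A one-line comment above the check (even an empty btree has one level, and cursor setup indexes cur_bufs[cur_nlevels - 1]) would keep that rationale next to the code. Each level is also byte-swapped twice per condition; a small helper that takes the converted level and returns whether it lies between 1 and XFS_BTREE_MAXLEVELS would shorten the BNO, CNT and RMAP conditions and could serve the refcount and AGI checks as well.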
@@ -2477,7 +2480,8 @@ xfs_agf_verify(
return false;
if (xfs_sb_version_hasreflink(&mp->m_sb) &&
- be32_to_cpu(agf->agf_refcount_level) > XFS_BTREE_MAXLEVELS)
+ (be32_to_cpu(agf->agf_refcount_level) < 1 ||
+ be32_to_cpu(agf->agf_refcount_level) > XFS_BTREE_MAXLEVELS))
return false;
return true;;
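Review bot: the agf_refcount_level bound applies only when xfs_sb_version_hasreflink() is true, so a zero or oversized value still passes the verifier on a filesystem without that feature bit. That is acceptable only if nothing builds a refcount cursor from this field in that case, and it is worth saying so in a comment. Separately, the trailing context line `return true;;` has a stray second semicolon; it predates this change and is harmless, so it should stay untouched in the stable backport and be cleaned up upstream.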
diff --git a/fs/xfs/libxfs/xfs_ialloc.c b/fs/xfs/libxfs/xfs_ialloc.c
index c482b97..d45c037 100644
--- a/fs/xfs/libxfs/xfs_ialloc.c
+++ b/fs/xfs/libxfs/xfs_ialloc.c
@@ -2510,8 +2510,15 @@ xfs_agi_verify(
if (!XFS_AGI_GOOD_VERSION(be32_to_cpu(agi->agi_versionnum)))
return false;
- if (be32_to_cpu(agi->agi_level) > XFS_BTREE_MAXLEVELS)
+ if (be32_to_cpu(agi->agi_level) < 1 ||
+ be32_to_cpu(agi->agi_level) > XFS_BTREE_MAXLEVELS)
return false;
+
+ if (xfs_sb_version_hasfinobt(&mp->m_sb) &&
+ (be32_to_cpu(agi->agi_free_level) < 1 ||
+ be32_to_cpu(agi->agi_free_level) > XFS_BTREE_MAXLEVELS))
+ return false;
+
/*
* during growfs operations, the perag is not fully initialised,
* so we can't use it for any useful checking. growfs ensures we can't
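Review bot: the agi_free_level check adds an upper bound as well as the `< 1` lower bound, and no earlier check on that field is visible in the removed or context lines of this hunk, while the subject and changelog speak only of level == 0. The changelog should mention that finobt levels above XFS_BTREE_MAXLEVELS are now rejected too, since an AGI that passed this verifier before the backport may fail it afterwards.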
--
2.1.4