linux-xfs.vger.kernel.org archive mirror
* [PATCH] xfs: fix an agbno overflow in __xfs_getfsmap_datadev
@ 2023-08-23  1:00 Darrick J. Wong
  2023-08-23  1:02 ` [RFC PATCH] fstests: test fix for " Darrick J. Wong
  2023-08-28  2:01 ` [PATCH] xfs: fix " Dave Chinner
  0 siblings, 2 replies; 10+ messages in thread
From: Darrick J. Wong @ 2023-08-23  1:00 UTC (permalink / raw)
  To: Dave Chinner; +Cc: xfs

From: Darrick J. Wong <djwong@kernel.org>

Dave Chinner reported that xfs/273 fails if the AG size happens to be an
exact power of two.  I traced this to an agbno integer overflow when the
current GETFSMAP call is a continuation of a previous GETFSMAP call, and
the last record returned was non-shareable space at the end of an AG.

__xfs_getfsmap_datadev sets up a data device query by converting the
incoming fmr_physical into an xfs_fsblock_t and cracking it into an agno
and agbno pair.  In the (failing) case where fmr_blockcount of the
low key is nonzero and the record was for a non-shareable extent, it
will add fmr_blockcount to start_fsb and info->low.rm_startblock.

If the low key was actually the last record for that AG, then this
addition causes info->low.rm_startblock to point beyond EOAG.  When the
rmapbt range query starts, it'll return an empty set, and fsmap moves on
to the next AG.

Or so I thought.  Remember how we added to start_fsb?

If agsize < 1<<agblklog, start_fsb points to the same AG as the original
fmr_physical from the low key.  We run the rmapbt query, which returns
nothing, so getfsmap zeroes info->low and moves on to the next AG.

If agsize == 1<<agblklog, start_fsb now points to the next AG.  We run
the rmapbt query on the next AG with the excessively large
rm_startblock.  If this next AG is actually the last AG, we'll set
info->high to EOFS (which now has a lower rm_startblock than
info->low), and the ranged btree query code will return -EINVAL.  If
it's not the last AG, we ignore all records for the intermediate AGs.

Oops.

Fix this by decoding start_fsb into agno and agbno only after making
adjustments to start_fsb.  This means that info->low.rm_startblock will
always be set to a valid agbno, and we always start the rmapbt iteration
in the correct AG.

While we're at it, fix the predicate for determining if an fsmap record
represents non-shareable space to include file data on pre-reflink
filesystems.

Reported-by: Dave Chinner <david@fromorbit.com>
Fixes: 63ef7a35912dd ("xfs: fix interval filtering in multi-step fsmap queries")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
---
 fs/xfs/xfs_fsmap.c |   25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
index 10403ba9b58f..736e5545f584 100644
--- a/fs/xfs/xfs_fsmap.c
+++ b/fs/xfs/xfs_fsmap.c
@@ -565,6 +565,19 @@ xfs_getfsmap_rtdev_rtbitmap(
 }
 #endif /* CONFIG_XFS_RT */
 
+static inline bool
+rmap_not_shareable(struct xfs_mount *mp, const struct xfs_rmap_irec *r)
+{
+	if (!xfs_has_reflink(mp))
+		return true;
+	if (XFS_RMAP_NON_INODE_OWNER(r->rm_owner))
+		return true;
+	if (r->rm_flags & (XFS_RMAP_ATTR_FORK | XFS_RMAP_BMBT_BLOCK |
+			   XFS_RMAP_UNWRITTEN))
+		return true;
+	return false;
+}
+
 /* Execute a getfsmap query against the regular data device. */
 STATIC int
 __xfs_getfsmap_datadev(
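Review bot: rmap_not_shareable() has no comment explaining the new `!xfs_has_reflink(mp)` early return, which is a behaviour change beyond the agbno fix: on pre-reflink filesystems every record, file data included, now takes the non-shareable continuation path. A one-line comment above the helper saying that nothing can be shared without reflink would document that. Since the commit message describes it as a "while we're at it" change, it could also go in its own patch so the Fixes: tag covers only the overflow.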
@@ -598,7 +611,6 @@ __xfs_getfsmap_datadev(
 	 * low to the fsmap low key and max out the high key to the end
 	 * of the AG.
 	 */
-	info->low.rm_startblock = XFS_FSB_TO_AGBNO(mp, start_fsb);
 	info->low.rm_offset = XFS_BB_TO_FSBT(mp, keys[0].fmr_offset);
 	error = xfs_fsmap_owner_to_rmap(&info->low, &keys[0]);
 	if (error)
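Review bot: with the assignment removed at this point, info->low.rm_startblock is not set until after the continuation if/else further down, yet xfs_fsmap_owner_to_rmap(&info->low, &keys[0]) and the `info->low.rm_blockcount == 0` test run in between. It is worth confirming that nothing in that window reads rm_startblock, and the block comment above ("low to the fsmap low key") could say that the startblock is filled in later.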
@@ -608,12 +620,9 @@ __xfs_getfsmap_datadev(
 
 	/* Adjust the low key if we are continuing from where we left off. */
 	if (info->low.rm_blockcount == 0) {
-		/* empty */
-	} else if (XFS_RMAP_NON_INODE_OWNER(info->low.rm_owner) ||
-		   (info->low.rm_flags & (XFS_RMAP_ATTR_FORK |
-					  XFS_RMAP_BMBT_BLOCK |
-					  XFS_RMAP_UNWRITTEN))) {
-		info->low.rm_startblock += info->low.rm_blockcount;
+		/* No previous record from which to continue */
+	} else if (rmap_not_shareable(mp, &info->low)) {
+		/* Last record seen was an unshareable extent */
 		info->low.rm_owner = 0;
 		info->low.rm_offset = 0;
 
@@ -621,8 +630,10 @@ __xfs_getfsmap_datadev(
 		if (XFS_FSB_TO_DADDR(mp, start_fsb) >= eofs)
 			return 0;
 	} else {
+		/* Last record seen was a shareable file data extent */
 		info->low.rm_offset += info->low.rm_blockcount;
 	}
+	info->low.rm_startblock = XFS_FSB_TO_AGBNO(mp, start_fsb);
 
 	info->high.rm_startblock = -1U;
 	info->high.rm_owner = ULLONG_MAX;
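Review bot: the relocated `info->low.rm_startblock = XFS_FSB_TO_AGBNO(mp, start_fsb);` after the if/else carries no comment saying why it has to follow the start_fsb adjustment, so a later cleanup could move it back up and reintroduce the out-of-range agbno. Suggest a short comment there stating that the agbno is derived from start_fsb only once start_fsb is final, so that it always agrees with the AG derived from the same value.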

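The ordering problem described in the commit message above, as an added example (a simplified userspace model written for this page, not kernel code and not part of the patch). The struct and function names are hypothetical, the shift/mask split mirrors XFS_FSB_TO_AGNO and XFS_FSB_TO_AGBNO, and the sample geometries are constructed; it assumes full-size AGs and models only the low-key setup and the low > high rejection.

```c
/* Added illustration: simplified userspace model, not kernel code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the geometry fields of struct xfs_mount. */
struct geom {
	uint32_t agblocks;	/* blocks per AG (agsize) */
	uint32_t agblklog;	/* log2(agblocks), rounded up */
	uint32_t agcount;	/* number of AGs */
};

struct low_key {
	uint32_t agno;		/* AG the rmapbt query starts in */
	uint32_t startblock;	/* rm_startblock of the low key */
};

static uint32_t fsb_to_agno(const struct geom *g, uint64_t fsb)
{
	return (uint32_t)(fsb >> g->agblklog);
}

static uint32_t fsb_to_agbno(const struct geom *g, uint64_t fsb)
{
	return (uint32_t)(fsb & ((1ULL << g->agblklog) - 1));
}

/* Pre-fix order: crack agbno first, then advance agbno and start_fsb. */
static struct low_key low_key_old(const struct geom *g, uint64_t start_fsb,
				  uint32_t blockcount)
{
	struct low_key k;

	k.startblock = fsb_to_agbno(g, start_fsb);
	k.startblock += blockcount;	/* may step past EOAG */
	start_fsb += blockcount;	/* may carry into the next AG */
	k.agno = fsb_to_agno(g, start_fsb);
	return k;
}

/* Fixed order: advance start_fsb, then crack agno and agbno from it. */
static struct low_key low_key_fixed(const struct geom *g, uint64_t start_fsb,
				    uint32_t blockcount)
{
	struct low_key k;

	start_fsb += blockcount;
	k.agno = fsb_to_agno(g, start_fsb);
	k.startblock = fsb_to_agbno(g, start_fsb);
	return k;
}

/*
 * Model of the range check: in the last AG the high key is clamped to the
 * end of the filesystem, and a low key above it is rejected with -EINVAL.
 */
static int range_query(const struct geom *g, struct low_key low)
{
	uint32_t high = UINT32_MAX;

	if (low.agno == g->agcount - 1)
		high = g->agblocks - 1;	/* assumes a full-size last AG */
	return low.startblock > high ? -EINVAL : 0;
}

static void show(const char *tag, const struct geom *g, struct low_key k)
{
	printf("%-22s agno=%u startblock=%u query=%d\n", tag,
	       (unsigned)k.agno, (unsigned)k.startblock, range_query(g, k));
}

int main(void)
{
	/* Constructed geometries; the last record of AG 0 is 8 blocks long. */
	struct geom pow2 = { 1U << 20, 20, 2 };	/* agsize == 1<<agblklog */
	struct geom odd = { 1000000, 20, 2 };	/* agsize <  1<<agblklog */

	show("pow2 agsize, old order", &pow2,
	     low_key_old(&pow2, (1U << 20) - 8, 8));
	show("pow2 agsize, fixed", &pow2,
	     low_key_fixed(&pow2, (1U << 20) - 8, 8));
	show("odd agsize, old order", &odd, low_key_old(&odd, 999992, 8));
	show("odd agsize, fixed", &odd, low_key_fixed(&odd, 999992, 8));
	return 0;
}
```

With the power-of-two geometry the old order lands in AG 1 with a startblock equal to agsize and the query is rejected; with the other geometry both orders stay in AG 0, which is why the bug only appeared when agsize was an exact power of two.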

* [RFC PATCH] fstests: test fix for an agbno overflow in __xfs_getfsmap_datadev
  2023-08-23  1:00 [PATCH] xfs: fix an agbno overflow in __xfs_getfsmap_datadev Darrick J. Wong
@ 2023-08-23  1:02 ` Darrick J. Wong
  2023-08-24  2:36   ` Dave Chinner
  2023-08-27 13:06   ` Zorro Lang
  2023-08-28  2:01 ` [PATCH] xfs: fix " Dave Chinner
  1 sibling, 2 replies; 10+ messages in thread
From: Darrick J. Wong @ 2023-08-23  1:02 UTC (permalink / raw)
  To: Dave Chinner; +Cc: xfs, fstests

From: Darrick J. Wong <djwong@kernel.org>

Dave Chinner reported that xfs/273 fails if the AG size happens to be an
exact power of two.  I traced this to an agbno integer overflow when the
current GETFSMAP call is a continuation of a previous GETFSMAP call, and
the last record returned was non-shareable space at the end of an AG.

This is the regression test for that bug.

Signed-off-by: Darrick J. Wong <djwong@kernel.org>
---
 tests/xfs/935     |   55 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/935.out |    2 ++
 2 files changed, 57 insertions(+)
 create mode 100755 tests/xfs/935
 create mode 100644 tests/xfs/935.out

diff --git a/tests/xfs/935 b/tests/xfs/935
new file mode 100755
index 0000000000..a06f2fc8dc
--- /dev/null
+++ b/tests/xfs/935
@@ -0,0 +1,55 @@
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (c) 2023 Oracle.  All Rights Reserved.
+#
+# FS QA Test 935
+#
+# Regression test for an agbno overflow bug in XFS GETFSMAP involving an
+# fsmap_advance call.  Userspace can indicate that a GETFSMAP call is actually
+# a continuation of a previous call by setting the "low" key to the last record
+# returned by the previous call.
+#
+# If the last record returned by GETFSMAP is a non-shareable extent at the end
+# of an AG and the AG size is exactly a power of two, the startblock in the low
+# key of the rmapbt query can be set to a value larger than EOAG.  When this
+# happens, GETFSMAP will return EINVAL instead of returning records for the
+# next AG.
+#
+. ./common/preamble
+_begin_fstest auto quick fsmap
+
+. ./common/filter
+
+_fixed_by_git_commit kernel XXXXXXXXXXXXX \
+	"xfs: fix an agbno overflow in __xfs_getfsmap_datadev"
+
+# Modify as appropriate.
+_supported_fs generic
+_require_xfs_io_command fsmap
+_require_xfs_scratch_rmapbt
+
+_scratch_mkfs | _filter_mkfs 2> $tmp.mkfs >> $seqres.full
+source $tmp.mkfs
+
+# Find the next power of two agsize smaller than whatever the default is.
+for ((p = 31; p > 0; p--)); do
+	desired_agsize=$((2 ** p))
+	test "$desired_agsize" -lt "$agsize" && break
+done
+
+echo "desired asize=$desired_agsize" >> $seqres.full
+_scratch_mkfs -d "agsize=${desired_agsize}b" | _filter_mkfs 2> $tmp.mkfs >> $seqres.full
+source $tmp.mkfs
+
+test "$desired_agsize" -eq "$agsize" || _notrun "wanted agsize=$desired_agsize, got $agsize"
+
+_scratch_mount
+$XFS_IO_PROG -c 'fsmap -n 1024 -v' $SCRATCH_MNT >> $tmp.big
+$XFS_IO_PROG -c 'fsmap -n 1 -v' $SCRATCH_MNT >> $tmp.small
+
+diff -Naurpw $tmp.big $tmp.small
+
+# success, all done
+echo Silence is golden
+status=0
+exit
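Review bot: `_supported_fs generic`, sitting under the leftover template comment `# Modify as appropriate.`, does not match a test that lives in tests/xfs and calls `_require_xfs_scratch_rmapbt`; it should be `_supported_fs xfs` with the template comment dropped. The `_fixed_by_git_commit kernel XXXXXXXXXXXXX` placeholder also needs the real commit id once the kernel fix lands, and the two fsmap runs could redirect with `>` rather than `>>` since each output file is written only once.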
diff --git a/tests/xfs/935.out b/tests/xfs/935.out
new file mode 100644
index 0000000000..1b5422d1e3
--- /dev/null
+++ b/tests/xfs/935.out
@@ -0,0 +1,2 @@
+QA output created by 935
+Silence is golden


* Re: [RFC PATCH] fstests: test fix for an agbno overflow in __xfs_getfsmap_datadev
  2023-08-23  1:02 ` [RFC PATCH] fstests: test fix for " Darrick J. Wong
@ 2023-08-24  2:36   ` Dave Chinner
  2023-08-24  3:19     ` Darrick J. Wong
  2023-08-27 13:06   ` Zorro Lang
  1 sibling, 1 reply; 10+ messages in thread
From: Dave Chinner @ 2023-08-24  2:36 UTC (permalink / raw)
  To: Darrick J. Wong; +Cc: xfs, fstests

On Tue, Aug 22, 2023 at 06:02:39PM -0700, Darrick J. Wong wrote:
> From: Darrick J. Wong <djwong@kernel.org>
> 
> Dave Chinner reported that xfs/273 fails if the AG size happens to be an
> exact power of two.  I traced this to an agbno integer overflow when the
> current GETFSMAP call is a continuation of a previous GETFSMAP call, and
> the last record returned was non-shareable space at the end of an AG.
> 
> This is the regression test for that bug.
> 
> Signed-off-by: Darrick J. Wong <djwong@kernel.org>
> ---
>  tests/xfs/935     |   55 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>  tests/xfs/935.out |    2 ++
>  2 files changed, 57 insertions(+)
>  create mode 100755 tests/xfs/935
>  create mode 100644 tests/xfs/935.out
> 
> diff --git a/tests/xfs/935 b/tests/xfs/935
> new file mode 100755
> index 0000000000..a06f2fc8dc
> --- /dev/null
> +++ b/tests/xfs/935
> @@ -0,0 +1,55 @@
> +#! /bin/bash
> +# SPDX-License-Identifier: GPL-2.0
> +# Copyright (c) 2023 Oracle.  All Rights Reserved.
> +#
> +# FS QA Test 935
> +#
> +# Regression test for an agbno overflow bug in XFS GETFSMAP involving an
> +# fsmap_advance call.  Userspace can indicate that a GETFSMAP call is actually
> +# a continuation of a previous call by setting the "low" key to the last record
> +# returned by the previous call.
> +#
> +# If the last record returned by GETFSMAP is a non-shareable extent at the end
> +# of an AG and the AG size is exactly a power of two, the startblock in the low
> +# key of the rmapbt query can be set to a value larger than EOAG.  When this
> +# happens, GETFSMAP will return EINVAL instead of returning records for the
> +# next AG.
> +#
> +. ./common/preamble
> +_begin_fstest auto quick fsmap
> +
> +. ./common/filter
> +
> +_fixed_by_git_commit kernel XXXXXXXXXXXXX \
> +	"xfs: fix an agbno overflow in __xfs_getfsmap_datadev"
> +
> +# Modify as appropriate.
> +_supported_fs generic
> +_require_xfs_io_command fsmap
> +_require_xfs_scratch_rmapbt
> +
> +_scratch_mkfs | _filter_mkfs 2> $tmp.mkfs >> $seqres.full
> +source $tmp.mkfs
> +
> +# Find the next power of two agsize smaller than whatever the default is.
> +for ((p = 31; p > 0; p--)); do
> +	desired_agsize=$((2 ** p))
> +	test "$desired_agsize" -lt "$agsize" && break
> +done
> +
> +echo "desired asize=$desired_agsize" >> $seqres.full
                 agsize

Otherwise looks fine.

Reviewed-by: Dave Chinner <dchinner@redhat.com>
-- 
Dave Chinner
david@fromorbit.com


* Re: [RFC PATCH] fstests: test fix for an agbno overflow in __xfs_getfsmap_datadev
  2023-08-24  2:36   ` Dave Chinner
@ 2023-08-24  3:19     ` Darrick J. Wong
  2023-08-24  3:42       ` Dave Chinner
  0 siblings, 1 reply; 10+ messages in thread
From: Darrick J. Wong @ 2023-08-24  3:19 UTC (permalink / raw)
  To: Dave Chinner; +Cc: xfs, fstests

On Thu, Aug 24, 2023 at 12:36:11PM +1000, Dave Chinner wrote:
> On Tue, Aug 22, 2023 at 06:02:39PM -0700, Darrick J. Wong wrote:
> > From: Darrick J. Wong <djwong@kernel.org>
> > 
> > Dave Chinner reported that xfs/273 fails if the AG size happens to be an
> > exact power of two.  I traced this to an agbno integer overflow when the
> > current GETFSMAP call is a continuation of a previous GETFSMAP call, and
> > the last record returned was non-shareable space at the end of an AG.
> > 
> > This is the regression test for that bug.
> > 
> > Signed-off-by: Darrick J. Wong <djwong@kernel.org>
> > ---
> >  tests/xfs/935     |   55 +++++++++++++++++++++++++++++++++++++++++++++++++++++
> >  tests/xfs/935.out |    2 ++
> >  2 files changed, 57 insertions(+)
> >  create mode 100755 tests/xfs/935
> >  create mode 100644 tests/xfs/935.out
> > 
> > diff --git a/tests/xfs/935 b/tests/xfs/935
> > new file mode 100755
> > index 0000000000..a06f2fc8dc
> > --- /dev/null
> > +++ b/tests/xfs/935
> > @@ -0,0 +1,55 @@
> > +#! /bin/bash
> > +# SPDX-License-Identifier: GPL-2.0
> > +# Copyright (c) 2023 Oracle.  All Rights Reserved.
> > +#
> > +# FS QA Test 935
> > +#
> > +# Regression test for an agbno overflow bug in XFS GETFSMAP involving an
> > +# fsmap_advance call.  Userspace can indicate that a GETFSMAP call is actually
> > +# a continuation of a previous call by setting the "low" key to the last record
> > +# returned by the previous call.
> > +#
> > +# If the last record returned by GETFSMAP is a non-shareable extent at the end
> > +# of an AG and the AG size is exactly a power of two, the startblock in the low
> > +# key of the rmapbt query can be set to a value larger than EOAG.  When this
> > +# happens, GETFSMAP will return EINVAL instead of returning records for the
> > +# next AG.
> > +#
> > +. ./common/preamble
> > +_begin_fstest auto quick fsmap
> > +
> > +. ./common/filter
> > +
> > +_fixed_by_git_commit kernel XXXXXXXXXXXXX \
> > +	"xfs: fix an agbno overflow in __xfs_getfsmap_datadev"
> > +
> > +# Modify as appropriate.
> > +_supported_fs generic
> > +_require_xfs_io_command fsmap
> > +_require_xfs_scratch_rmapbt
> > +
> > +_scratch_mkfs | _filter_mkfs 2> $tmp.mkfs >> $seqres.full
> > +source $tmp.mkfs
> > +
> > +# Find the next power of two agsize smaller than whatever the default is.
> > +for ((p = 31; p > 0; p--)); do
> > +	desired_agsize=$((2 ** p))
> > +	test "$desired_agsize" -lt "$agsize" && break
> > +done
> > +
> > +echo "desired asize=$desired_agsize" >> $seqres.full
>                  agsize

Fixed.

> Otherwise looks fine.
> 
> Reviewed-by: Dave Chinner <dchinner@redhat.com>

Does the kernel patch fix the bug on your end too?

--D

> -- 
> Dave Chinner
> david@fromorbit.com


* Re: [RFC PATCH] fstests: test fix for an agbno overflow in __xfs_getfsmap_datadev
  2023-08-24  3:19     ` Darrick J. Wong
@ 2023-08-24  3:42       ` Dave Chinner
  0 siblings, 0 replies; 10+ messages in thread
From: Dave Chinner @ 2023-08-24  3:42 UTC (permalink / raw)
  To: Darrick J. Wong; +Cc: xfs, fstests

On Wed, Aug 23, 2023 at 08:19:39PM -0700, Darrick J. Wong wrote:
> On Thu, Aug 24, 2023 at 12:36:11PM +1000, Dave Chinner wrote:
> > On Tue, Aug 22, 2023 at 06:02:39PM -0700, Darrick J. Wong wrote:
> > > From: Darrick J. Wong <djwong@kernel.org>
> > > 
> > > Dave Chinner reported that xfs/273 fails if the AG size happens to be an
> > > exact power of two.  I traced this to an agbno integer overflow when the
> > > current GETFSMAP call is a continuation of a previous GETFSMAP call, and
> > > the last record returned was non-shareable space at the end of an AG.
> > > 
> > > This is the regression test for that bug.
> > > 
> > > Signed-off-by: Darrick J. Wong <djwong@kernel.org>
> > > ---
> > >  tests/xfs/935     |   55 +++++++++++++++++++++++++++++++++++++++++++++++++++++
> > >  tests/xfs/935.out |    2 ++
> > >  2 files changed, 57 insertions(+)
> > >  create mode 100755 tests/xfs/935
> > >  create mode 100644 tests/xfs/935.out
> > > 
> > > diff --git a/tests/xfs/935 b/tests/xfs/935
> > > new file mode 100755
> > > index 0000000000..a06f2fc8dc
> > > --- /dev/null
> > > +++ b/tests/xfs/935
> > > @@ -0,0 +1,55 @@
> > > +#! /bin/bash
> > > +# SPDX-License-Identifier: GPL-2.0
> > > +# Copyright (c) 2023 Oracle.  All Rights Reserved.
> > > +#
> > > +# FS QA Test 935
> > > +#
> > > +# Regression test for an agbno overflow bug in XFS GETFSMAP involving an
> > > +# fsmap_advance call.  Userspace can indicate that a GETFSMAP call is actually
> > > +# a continuation of a previous call by setting the "low" key to the last record
> > > +# returned by the previous call.
> > > +#
> > > +# If the last record returned by GETFSMAP is a non-shareable extent at the end
> > > +# of an AG and the AG size is exactly a power of two, the startblock in the low
> > > +# key of the rmapbt query can be set to a value larger than EOAG.  When this
> > > +# happens, GETFSMAP will return EINVAL instead of returning records for the
> > > +# next AG.
> > > +#
> > > +. ./common/preamble
> > > +_begin_fstest auto quick fsmap
> > > +
> > > +. ./common/filter
> > > +
> > > +_fixed_by_git_commit kernel XXXXXXXXXXXXX \
> > > +	"xfs: fix an agbno overflow in __xfs_getfsmap_datadev"
> > > +
> > > +# Modify as appropriate.
> > > +_supported_fs generic
> > > +_require_xfs_io_command fsmap
> > > +_require_xfs_scratch_rmapbt
> > > +
> > > +_scratch_mkfs | _filter_mkfs 2> $tmp.mkfs >> $seqres.full
> > > +source $tmp.mkfs
> > > +
> > > +# Find the next power of two agsize smaller than whatever the default is.
> > > +for ((p = 31; p > 0; p--)); do
> > > +	desired_agsize=$((2 ** p))
> > > +	test "$desired_agsize" -lt "$agsize" && break
> > > +done
> > > +
> > > +echo "desired asize=$desired_agsize" >> $seqres.full
> >                  agsize
> 
> Fixed.
> 
> > Otherwise looks fine.
> > 
> > Reviewed-by: Dave Chinner <dchinner@redhat.com>
> 
> Does the kernel patch fix the bug on your end too?

Haven't had a chance to test it yet. I'll let you know when I do.

-Dave.
-- 
Dave Chinner
david@fromorbit.com


* Re: [RFC PATCH] fstests: test fix for an agbno overflow in __xfs_getfsmap_datadev
  2023-08-23  1:02 ` [RFC PATCH] fstests: test fix for " Darrick J. Wong
  2023-08-24  2:36   ` Dave Chinner
@ 2023-08-27 13:06   ` Zorro Lang
  2023-08-27 15:56     ` Darrick J. Wong
  1 sibling, 1 reply; 10+ messages in thread
From: Zorro Lang @ 2023-08-27 13:06 UTC (permalink / raw)
  To: Darrick J. Wong; +Cc: xfs, fstests

On Tue, Aug 22, 2023 at 06:02:39PM -0700, Darrick J. Wong wrote:
> From: Darrick J. Wong <djwong@kernel.org>
> 
> Dave Chinner reported that xfs/273 fails if the AG size happens to be an
> exact power of two.  I traced this to an agbno integer overflow when the
> current GETFSMAP call is a continuation of a previous GETFSMAP call, and
> the last record returned was non-shareable space at the end of an AG.
> 
> This is the regression test for that bug.
> 
> Signed-off-by: Darrick J. Wong <djwong@kernel.org>
> ---
>  tests/xfs/935     |   55 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>  tests/xfs/935.out |    2 ++
>  2 files changed, 57 insertions(+)
>  create mode 100755 tests/xfs/935
>  create mode 100644 tests/xfs/935.out
> 
> diff --git a/tests/xfs/935 b/tests/xfs/935
> new file mode 100755
> index 0000000000..a06f2fc8dc
> --- /dev/null
> +++ b/tests/xfs/935
> @@ -0,0 +1,55 @@
> +#! /bin/bash
> +# SPDX-License-Identifier: GPL-2.0
> +# Copyright (c) 2023 Oracle.  All Rights Reserved.
> +#
> +# FS QA Test 935
> +#
> +# Regression test for an agbno overflow bug in XFS GETFSMAP involving an
> +# fsmap_advance call.  Userspace can indicate that a GETFSMAP call is actually
> +# a continuation of a previous call by setting the "low" key to the last record
> +# returned by the previous call.
> +#
> +# If the last record returned by GETFSMAP is a non-shareable extent at the end
> +# of an AG and the AG size is exactly a power of two, the startblock in the low
> +# key of the rmapbt query can be set to a value larger than EOAG.  When this
> +# happens, GETFSMAP will return EINVAL instead of returning records for the
> +# next AG.
> +#
> +. ./common/preamble
> +_begin_fstest auto quick fsmap
> +
> +. ./common/filter
> +
> +_fixed_by_git_commit kernel XXXXXXXXXXXXX \
> +	"xfs: fix an agbno overflow in __xfs_getfsmap_datadev"
> +
> +# Modify as appropriate.
> +_supported_fs generic
> +_require_xfs_io_command fsmap
> +_require_xfs_scratch_rmapbt
> +
> +_scratch_mkfs | _filter_mkfs 2> $tmp.mkfs >> $seqres.full
> +source $tmp.mkfs
> +
> +# Find the next power of two agsize smaller than whatever the default is.
> +for ((p = 31; p > 0; p--)); do
> +	desired_agsize=$((2 ** p))
> +	test "$desired_agsize" -lt "$agsize" && break
> +done
> +
> +echo "desired asize=$desired_agsize" >> $seqres.full
> +_scratch_mkfs -d "agsize=${desired_agsize}b" | _filter_mkfs 2> $tmp.mkfs >> $seqres.full
> +source $tmp.mkfs
> +
> +test "$desired_agsize" -eq "$agsize" || _notrun "wanted agsize=$desired_agsize, got $agsize"
> +
> +_scratch_mount
> +$XFS_IO_PROG -c 'fsmap -n 1024 -v' $SCRATCH_MNT >> $tmp.big
> +$XFS_IO_PROG -c 'fsmap -n 1 -v' $SCRATCH_MNT >> $tmp.small

This line reports:

  xfs_io: xfsctl(XFS_IOC_GETFSMAP) iflags=0x0 ["/mnt/xfstests/scratch"]: Invalid argument

when the test case fails. Is that normal?

> +
> +diff -Naurpw $tmp.big $tmp.small
> +
> +# success, all done
> +echo Silence is golden
> +status=0
> +exit
> diff --git a/tests/xfs/935.out b/tests/xfs/935.out
> new file mode 100644
> index 0000000000..1b5422d1e3
> --- /dev/null
> +++ b/tests/xfs/935.out
> @@ -0,0 +1,2 @@
> +QA output created by 935
> +Silence is golden
> 



* Re: [RFC PATCH] fstests: test fix for an agbno overflow in __xfs_getfsmap_datadev
  2023-08-27 13:06   ` Zorro Lang
@ 2023-08-27 15:56     ` Darrick J. Wong
  2023-08-28  2:00       ` Dave Chinner
  0 siblings, 1 reply; 10+ messages in thread
From: Darrick J. Wong @ 2023-08-27 15:56 UTC (permalink / raw)
  To: Zorro Lang; +Cc: xfs, fstests

On Sun, Aug 27, 2023 at 09:06:44PM +0800, Zorro Lang wrote:
> On Tue, Aug 22, 2023 at 06:02:39PM -0700, Darrick J. Wong wrote:
> > From: Darrick J. Wong <djwong@kernel.org>
> > 
> > Dave Chinner reported that xfs/273 fails if the AG size happens to be an
> > exact power of two.  I traced this to an agbno integer overflow when the
> > current GETFSMAP call is a continuation of a previous GETFSMAP call, and
> > the last record returned was non-shareable space at the end of an AG.
> > 
> > This is the regression test for that bug.
> > 
> > Signed-off-by: Darrick J. Wong <djwong@kernel.org>
> > ---
> >  tests/xfs/935     |   55 +++++++++++++++++++++++++++++++++++++++++++++++++++++
> >  tests/xfs/935.out |    2 ++
> >  2 files changed, 57 insertions(+)
> >  create mode 100755 tests/xfs/935
> >  create mode 100644 tests/xfs/935.out
> > 
> > diff --git a/tests/xfs/935 b/tests/xfs/935
> > new file mode 100755
> > index 0000000000..a06f2fc8dc
> > --- /dev/null
> > +++ b/tests/xfs/935
> > @@ -0,0 +1,55 @@
> > +#! /bin/bash
> > +# SPDX-License-Identifier: GPL-2.0
> > +# Copyright (c) 2023 Oracle.  All Rights Reserved.
> > +#
> > +# FS QA Test 935
> > +#
> > +# Regression test for an agbno overflow bug in XFS GETFSMAP involving an
> > +# fsmap_advance call.  Userspace can indicate that a GETFSMAP call is actually
> > +# a continuation of a previous call by setting the "low" key to the last record
> > +# returned by the previous call.
> > +#
> > +# If the last record returned by GETFSMAP is a non-shareable extent at the end
> > +# of an AG and the AG size is exactly a power of two, the startblock in the low
> > +# key of the rmapbt query can be set to a value larger than EOAG.  When this
> > +# happens, GETFSMAP will return EINVAL instead of returning records for the
> > +# next AG.
> > +#
> > +. ./common/preamble
> > +_begin_fstest auto quick fsmap
> > +
> > +. ./common/filter
> > +
> > +_fixed_by_git_commit kernel XXXXXXXXXXXXX \
> > +	"xfs: fix an agbno overflow in __xfs_getfsmap_datadev"
> > +
> > +# Modify as appropriate.
> > +_supported_fs generic
> > +_require_xfs_io_command fsmap
> > +_require_xfs_scratch_rmapbt
> > +
> > +_scratch_mkfs | _filter_mkfs 2> $tmp.mkfs >> $seqres.full
> > +source $tmp.mkfs
> > +
> > +# Find the next power of two agsize smaller than whatever the default is.
> > +for ((p = 31; p > 0; p--)); do
> > +	desired_agsize=$((2 ** p))
> > +	test "$desired_agsize" -lt "$agsize" && break
> > +done
> > +
> > +echo "desired asize=$desired_agsize" >> $seqres.full
> > +_scratch_mkfs -d "agsize=${desired_agsize}b" | _filter_mkfs 2> $tmp.mkfs >> $seqres.full
> > +source $tmp.mkfs
> > +
> > +test "$desired_agsize" -eq "$agsize" || _notrun "wanted agsize=$desired_agsize, got $agsize"
> > +
> > +_scratch_mount
> > +$XFS_IO_PROG -c 'fsmap -n 1024 -v' $SCRATCH_MNT >> $tmp.big
> > +$XFS_IO_PROG -c 'fsmap -n 1 -v' $SCRATCH_MNT >> $tmp.small
> 
> This line reports:
> 
>   xfs_io: xfsctl(XFS_IOC_GETFSMAP) iflags=0x0 ["/mnt/xfstests/scratch"]: Invalid argument
> 
> when the test case fails. Is that normal?

Yes.  The attached bugfix should make that go away.

--D

> > +
> > +diff -Naurpw $tmp.big $tmp.small
> > +
> > +# success, all done
> > +echo Silence is golden
> > +status=0
> > +exit
> > diff --git a/tests/xfs/935.out b/tests/xfs/935.out
> > new file mode 100644
> > index 0000000000..1b5422d1e3
> > --- /dev/null
> > +++ b/tests/xfs/935.out
> > @@ -0,0 +1,2 @@
> > +QA output created by 935
> > +Silence is golden
> > 
> 


* Re: [RFC PATCH] fstests: test fix for an agbno overflow in __xfs_getfsmap_datadev
  2023-08-27 15:56     ` Darrick J. Wong
@ 2023-08-28  2:00       ` Dave Chinner
  2023-08-28 14:24         ` Zorro Lang
  0 siblings, 1 reply; 10+ messages in thread
From: Dave Chinner @ 2023-08-28  2:00 UTC (permalink / raw)
  To: Darrick J. Wong; +Cc: Zorro Lang, xfs, fstests

On Sun, Aug 27, 2023 at 08:56:46AM -0700, Darrick J. Wong wrote:
> On Sun, Aug 27, 2023 at 09:06:44PM +0800, Zorro Lang wrote:
> > On Tue, Aug 22, 2023 at 06:02:39PM -0700, Darrick J. Wong wrote:
> > > From: Darrick J. Wong <djwong@kernel.org>
> > > 
> > > Dave Chinner reported that xfs/273 fails if the AG size happens to be an
> > > exact power of two.  I traced this to an agbno integer overflow when the
> > > current GETFSMAP call is a continuation of a previous GETFSMAP call, and
> > > the last record returned was non-shareable space at the end of an AG.
> > > 
> > > This is the regression test for that bug.
> > > 
> > > Signed-off-by: Darrick J. Wong <djwong@kernel.org>
.....
> > > +echo "desired asize=$desired_agsize" >> $seqres.full
> > > +_scratch_mkfs -d "agsize=${desired_agsize}b" | _filter_mkfs 2> $tmp.mkfs >> $seqres.full
> > > +source $tmp.mkfs
> > > +
> > > +test "$desired_agsize" -eq "$agsize" || _notrun "wanted agsize=$desired_agsize, got $agsize"
> > > +
> > > +_scratch_mount
> > > +$XFS_IO_PROG -c 'fsmap -n 1024 -v' $SCRATCH_MNT >> $tmp.big
> > > +$XFS_IO_PROG -c 'fsmap -n 1 -v' $SCRATCH_MNT >> $tmp.small
> > 
> > This line reports:
> > 
> >   xfs_io: xfsctl(XFS_IOC_GETFSMAP) iflags=0x0 ["/mnt/xfstests/scratch"]: Invalid argument
> > 
> > when the test case fails. Is that normal?
> 
> Yes.  The attached bugfix should make that go away.

The kernel bug fix fixes the same problem with xfs/273; I haven't
tested this specific new regression test.

-Dave.
-- 
Dave Chinner
david@fromorbit.com


* Re: [PATCH] xfs: fix an agbno overflow in __xfs_getfsmap_datadev
  2023-08-23  1:00 [PATCH] xfs: fix an agbno overflow in __xfs_getfsmap_datadev Darrick J. Wong
  2023-08-23  1:02 ` [RFC PATCH] fstests: test fix for " Darrick J. Wong
@ 2023-08-28  2:01 ` Dave Chinner
  1 sibling, 0 replies; 10+ messages in thread
From: Dave Chinner @ 2023-08-28  2:01 UTC (permalink / raw)
  To: Darrick J. Wong; +Cc: xfs

On Tue, Aug 22, 2023 at 06:00:46PM -0700, Darrick J. Wong wrote:
> From: Darrick J. Wong <djwong@kernel.org>
> 
> Dave Chinner reported that xfs/273 fails if the AG size happens to be an
> exact power of two.  I traced this to an agbno integer overflow when the
> current GETFSMAP call is a continuation of a previous GETFSMAP call, and
> the last record returned was non-shareable space at the end of an AG.
> 
> __xfs_getfsmap_datadev sets up a data device query by converting the
> incoming fmr_physical into an xfs_fsblock_t and cracking it into an agno
> and agbno pair.  In the (failing) case where fmr_blockcount of the
> low key is nonzero and the record was for a non-shareable extent, it
> will add fmr_blockcount to start_fsb and info->low.rm_startblock.
> 
> If the low key was actually the last record for that AG, then this
> addition causes info->low.rm_startblock to point beyond EOAG.  When the
> rmapbt range query starts, it'll return an empty set, and fsmap moves on
> to the next AG.
> 
> Or so I thought.  Remember how we added to start_fsb?
> 
> If agsize < 1<<agblklog, start_fsb points to the same AG as the original
> fmr_physical from the low key.  We run the rmapbt query, which returns
> nothing, so getfsmap zeroes info->low and moves on to the next AG.
> 
> If agsize == 1<<agblklog, start_fsb now points to the next AG.  We run
> the rmapbt query on the next AG with the excessively large
> rm_startblock.  If this next AG is actually the last AG, we'll set
> info->high to EOFS (which now has a lower rm_startblock than
> info->low), and the ranged btree query code will return -EINVAL.  If
> it's not the last AG, we ignore all records for the intermediate AGs.
> 
> Oops.
> 
> Fix this by decoding start_fsb into agno and agbno only after making
> adjustments to start_fsb.  This means that info->low.rm_startblock will
> always be set to a valid agbno, and we always start the rmapbt iteration
> in the correct AG.
> 
> While we're at it, fix the predicate for determining if an fsmap record
> represents non-shareable space to include file data on pre-reflink
> filesystems.
> 
> Reported-by: Dave Chinner <david@fromorbit.com>
> Fixes: 63ef7a35912dd ("xfs: fix interval filtering in multi-step fsmap queries")
> Signed-off-by: Darrick J. Wong <djwong@kernel.org>

Fixes the regression, code looks fine.

Reviewed-by: Dave Chinner <dchinner@redhat.com>

-- 
Dave Chinner
david@fromorbit.com


* Re: [RFC PATCH] fstests: test fix for an agbno overflow in __xfs_getfsmap_datadev
  2023-08-28  2:00       ` Dave Chinner
@ 2023-08-28 14:24         ` Zorro Lang
  0 siblings, 0 replies; 10+ messages in thread
From: Zorro Lang @ 2023-08-28 14:24 UTC (permalink / raw)
  To: Dave Chinner, Darrick J. Wong; +Cc: xfs, fstests

On Mon, Aug 28, 2023 at 12:00:59PM +1000, Dave Chinner wrote:
> On Sun, Aug 27, 2023 at 08:56:46AM -0700, Darrick J. Wong wrote:
> > On Sun, Aug 27, 2023 at 09:06:44PM +0800, Zorro Lang wrote:
> > > On Tue, Aug 22, 2023 at 06:02:39PM -0700, Darrick J. Wong wrote:
> > > > From: Darrick J. Wong <djwong@kernel.org>
> > > > 
> > > > Dave Chinner reported that xfs/273 fails if the AG size happens to be an
> > > > exact power of two.  I traced this to an agbno integer overflow when the
> > > > current GETFSMAP call is a continuation of a previous GETFSMAP call, and
> > > > the last record returned was non-shareable space at the end of an AG.
> > > > 
> > > > This is the regression test for that bug.
> > > > 
> > > > Signed-off-by: Darrick J. Wong <djwong@kernel.org>
> .....
> > > > +echo "desired asize=$desired_agsize" >> $seqres.full
> > > > +_scratch_mkfs -d "agsize=${desired_agsize}b" | _filter_mkfs 2> $tmp.mkfs >> $seqres.full
> > > > +source $tmp.mkfs
> > > > +
> > > > +test "$desired_agsize" -eq "$agsize" || _notrun "wanted agsize=$desired_agsize, got $agsize"
> > > > +
> > > > +_scratch_mount
> > > > +$XFS_IO_PROG -c 'fsmap -n 1024 -v' $SCRATCH_MNT >> $tmp.big
> > > > +$XFS_IO_PROG -c 'fsmap -n 1 -v' $SCRATCH_MNT >> $tmp.small
> > > 
> > > This line reports:
> > > 
> > >   xfs_io: xfsctl(XFS_IOC_GETFSMAP) iflags=0x0 ["/mnt/xfstests/scratch"]: Invalid argument
> > > 
> > > when the test case fails. Is that normal?
> > 
> > Yes.  The attached bugfix should make that go away.
> 
> The kernel bug fix fixes the same problem with xfs/273; I haven't
> tested this specific new regression test.

Thanks for the details from both of you, I'll merge this patch in the next fstests
release if there are no more updates.

Thanks,
Zorro

> 
> -Dave.
> -- 
> Dave Chinner
> david@fromorbit.com
> 

