From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Darrick J. Wong" <darrick.wong@oracle.com>,
Christoph Hellwig <hch@lst.de>, Sasha Levin <sashal@kernel.org>,
linux-xfs@vger.kernel.org
Subject: [PATCH AUTOSEL 4.9 29/41] xfs: make sure the rt allocator doesn't run off the end
Date: Sun, 18 Oct 2020 15:26:23 -0400 [thread overview]
Message-ID: <20201018192635.4056198-29-sashal@kernel.org> (raw)
In-Reply-To: <20201018192635.4056198-1-sashal@kernel.org>
From: "Darrick J. Wong" <darrick.wong@oracle.com>
[ Upstream commit 2a6ca4baed620303d414934aa1b7b0a8e7bab05f ]
There's an overflow bug in the realtime allocator. If the rt volume is
large enough to handle a single allocation request that is larger than
the maximum bmap extent length and the rt bitmap ends exactly on a
bitmap block boundary, it's possible that the near allocator will try to
check the freeness of a range that extends past the end of the bitmap.
This fails with a corruption error and shuts down the fs.
Therefore, constrain maxlen so that the range scan cannot run off the
end of the rt bitmap.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/xfs_rtalloc.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c
index 0d93d3c10fcc4..d812f84252d5b 100644
--- a/fs/xfs/xfs_rtalloc.c
+++ b/fs/xfs/xfs_rtalloc.c
@@ -257,6 +257,9 @@ xfs_rtallocate_extent_block(
end = XFS_BLOCKTOBIT(mp, bbno + 1) - 1;
i <= end;
i++) {
+ /* Make sure we don't scan off the end of the rt volume. */
+ maxlen = min(mp->m_sb.sb_rextents, i + maxlen) - i;
+
/*
* See if there's a free extent of maxlen starting at i.
* If it's not so then next will contain the first non-free.
@@ -448,6 +451,14 @@ xfs_rtallocate_extent_near(
*/
if (bno >= mp->m_sb.sb_rextents)
bno = mp->m_sb.sb_rextents - 1;
+
+ /* Make sure we don't run off the end of the rt volume. */
+ maxlen = min(mp->m_sb.sb_rextents, bno + maxlen) - bno;
+ if (maxlen < minlen) {
+ *rtblock = NULLRTBLOCK;
+ return 0;
+ }
+
/*
* Try the exact allocation first.
*/
--
2.25.1
next prev parent reply other threads:[~2020-10-18 19:31 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-18 19:25 [PATCH AUTOSEL 4.9 01/41] crypto: ccp - fix error handling Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.9 02/41] media: firewire: fix memory leak Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.9 03/41] media: ati_remote: sanity check for both endpoints Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.9 04/41] media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync Sasha Levin
2020-10-18 19:25 ` [PATCH AUTOSEL 4.9 05/41] media: exynos4-is: Fix a reference count leak " Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 06/41] media: exynos4-is: Fix a reference count leak Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 07/41] media: vsp1: Fix runtime PM imbalance on error Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 08/41] media: platform: s3c-camif: " Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 09/41] media: platform: sti: hva: " Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 10/41] media: bdisp: " Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 11/41] media: media/pci: prevent memory leak in bttv_probe Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 12/41] media: uvcvideo: Ensure all probed info is returned to v4l2 Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 13/41] mmc: sdio: Check for CISTPL_VERS_1 buffer size Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 14/41] media: saa7134: avoid a shift overflow Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 15/41] fs: dlm: fix configfs memory leak Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 16/41] ntfs: add check for mft record size in superblock Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 17/41] PM: hibernate: remove the bogus call to get_gendisk() in software_resume() Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 18/41] scsi: mvumi: Fix error return in mvumi_io_attach() Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 19/41] scsi: target: core: Add CONTROL field for trace events Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 20/41] mic: vop: copy data to kernel space then write to io memory Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 21/41] misc: vop: add round_up(x,4) for vring_size to avoid kernel panic Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 22/41] usb: gadget: function: printer: fix use-after-free in __lock_acquire Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 23/41] udf: Limit sparing table size Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 24/41] udf: Avoid accessing uninitialized data on failed inode read Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 25/41] USB: cdc-acm: handle broken union descriptors Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 26/41] ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 27/41] misc: rtsx: Fix memory leak in rtsx_pci_probe Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 28/41] reiserfs: only call unlock_new_inode() if I_NEW Sasha Levin
2020-10-18 19:26 ` Sasha Levin [this message]
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 30/41] usb: ohci: Default to per-port over-current protection Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 31/41] Bluetooth: Only mark socket zapped after unlocking Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 32/41] scsi: ibmvfc: Fix error return in ibmvfc_probe() Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 33/41] brcmsmac: fix memory leak in wlc_phy_attach_lcnphy Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 34/41] rtl8xxxu: prevent potential memory leak Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 35/41] Fix use after free in get_capset_info callback Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 36/41] tty: ipwireless: fix error handling Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 37/41] ipvs: Fix uninit-value in do_ip_vs_set_ctl() Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 38/41] reiserfs: Fix memory leak in reiserfs_parse_options() Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 39/41] brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 40/41] usb: core: Solve race condition in anchor cleanup functions Sasha Levin
2020-10-18 19:26 ` [PATCH AUTOSEL 4.9 41/41] ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201018192635.4056198-29-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=darrick.wong@oracle.com \
--cc=hch@lst.de \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox