From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B47A9EEB56E for ; Fri, 8 Sep 2023 20:02:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344405AbjIHUCU (ORCPT ); Fri, 8 Sep 2023 16:02:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56050 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235181AbjIHUCT (ORCPT ); Fri, 8 Sep 2023 16:02:19 -0400 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 94D92B4; Fri, 8 Sep 2023 13:02:15 -0700 (PDT) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9C427C433CA; Fri, 8 Sep 2023 19:36:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1694201815; bh=YYapb1OHBBNErDKXvjx0ajU9+gbVJbCE6tiNSdzw2uU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fhNu9hPpQGXOjuOvYqsN2HPgmeoT8oFYAN8kJ3Eft9g+hPYQA+V6MsJtPmFQJ5dgN CzbYHOa0Dcq/m1PmZxsHkCZKhv77gxiSyTyONWP8PYrY55RHQPoFyMHxWyG8CzLak/ +fhWJkMsjsjIbYQLg1X3Wh/PuojgHyqq1Oir9hhRx65vieIiG38J1xZLJjUXwkydBt eRhNWl+/SBdkHvLjEM13iJn3EdfBSJ49Xa7M856VmZLmcO+oMxURbyTNA3jFs7bNr5 x6n0naQ7zWwt18YcjtQaHqo2yE0KRRfrFSJeQGJQPTbHQa18VJ5XMQn7xeF87ssyZM eMjvFDJbVXXpg== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Georg Ottinger , Jan Kara , Sasha Levin , jack@suse.com, linux-ext4@vger.kernel.org Subject: [PATCH AUTOSEL 4.19 3/3] ext2: fix datatype of block number in ext2_xattr_set2() Date: Fri, 8 Sep 2023 15:36:48 -0400 Message-Id: <20230908193648.3464004-3-sashal@kernel.org> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230908193648.3464004-1-sashal@kernel.org> References: <20230908193648.3464004-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 4.19.294 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Georg Ottinger [ Upstream commit e88076348425b7d0491c8c98d8732a7df8de7aa3 ] I run a small server that uses external hard drives for backups. The backup software I use uses ext2 filesystems with 4KiB block size and the server is running SELinux and therefore relies on xattr. I recently upgraded the hard drives from 4TB to 12TB models. I noticed that after transferring some TBs I got a filesystem error "Freeing blocks not in datazone - block = 18446744071529317386, count = 1" and the backup process stopped. Trying to fix the fs with e2fsck resulted in a completely corrupted fs. The error probably came from ext2_free_blocks(), and because of the large number 18e19 this problem immediately looked like some kind of integer overflow. Whereas the 4TB fs was about 1e9 blocks, the new 12TB is about 3e9 blocks. So, searching the ext2 code, I came across the line in fs/ext2/xattr.c:745 where ext2_new_block() is called and the resulting block number is stored in the variable block as an int datatype. If a block with a block number greater than INT32_MAX is returned, this variable overflows and the call to sb_getblk() at line fs/ext2/xattr.c:750 fails, then the call to ext2_free_blocks() produces the error. Signed-off-by: Georg Ottinger Signed-off-by: Jan Kara Message-Id: <20230815100340.22121-1-g.ottinger@gmx.at> Signed-off-by: Sasha Levin --- fs/ext2/xattr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c index bd1d68ff3a9f8..437175bce22e8 100644 --- a/fs/ext2/xattr.c +++ b/fs/ext2/xattr.c @@ -664,10 +664,10 @@ ext2_xattr_set2(struct inode *inode, struct buffer_head *old_bh, /* We need to allocate a new block */ ext2_fsblk_t goal = ext2_group_first_block_no(sb, EXT2_I(inode)->i_block_group); - int block = ext2_new_block(inode, goal, &error); + ext2_fsblk_t block = ext2_new_block(inode, goal, &error); if (error) goto cleanup; - ea_idebug(inode, "creating block %d", block); + ea_idebug(inode, "creating block %lu", block); new_bh = sb_getblk(sb, block); if (unlikely(!new_bh)) { -- 2.40.1