From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:46876 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S935015AbdAJKcr (ORCPT
        <rfc822;stable@vger.kernel.org>); Tue, 10 Jan 2017 05:32:47 -0500
Subject: Patch "xfs: don't allow di_size with high bit set" has been added to the 4.9-stable tree
To: hch@lst.de, darrick.wong@oracle.com, david@fromorbit.com,
        dchinner@redhat.com, gregkh@linuxfoundation.org
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
From: <gregkh@linuxfoundation.org>
Date: Tue, 10 Jan 2017 11:32:56 +0100
In-Reply-To: <1483976343-661-26-git-send-email-hch@lst.de>
Message-ID: <14840443761922@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>


This is a note to let you know that I've just added the patch titled

    xfs: don't allow di_size with high bit set

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfs-don-t-allow-di_size-with-high-bit-set.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>>From hch@lst.de  Tue Jan 10 11:30:18 2017
From: Christoph Hellwig <hch@lst.de>
Date: Mon,  9 Jan 2017 16:38:56 +0100
Subject: xfs: don't allow di_size with high bit set
To: stable@vger.kernel.org
Cc: linux-xfs@vger.kernel.org, "Darrick J. Wong" <darrick.wong@oracle.com>, Dave Chinner <david@fromorbit.com>
Message-ID: <1483976343-661-26-git-send-email-hch@lst.de>


From: "Darrick J. Wong" <darrick.wong@oracle.com>

commit ef388e2054feedaeb05399ed654bdb06f385d294 upstream.

The on-disk field di_size is used to set i_size, which is a signed
integer of loff_t.  If the high bit of di_size is set, we'll end up with
a negative i_size, which will cause all sorts of problems.  Since the
VFS won't let us create a file with such length, we should catch them
here in the verifier too.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/xfs/libxfs/xfs_inode_buf.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/fs/xfs/libxfs/xfs_inode_buf.c
+++ b/fs/xfs/libxfs/xfs_inode_buf.c
@@ -392,6 +392,14 @@ xfs_dinode_verify(
 	if (dip->di_magic != cpu_to_be16(XFS_DINODE_MAGIC))
 		return false;
 
+	/* don't allow invalid i_size */
+	if (be64_to_cpu(dip->di_size) & (1ULL << 63))
+		return false;
+
+	/* No zero-length symlinks. */
+	if (S_ISLNK(be16_to_cpu(dip->di_mode)) && dip->di_size == 0)
+		return false;
+
 	/* only version 3 or greater inodes are extensively verified here */
 	if (dip->di_version < 3)
 		return true;


Patches currently in stable-queue which might be from hch@lst.de are

queue-4.9/xfs-always-succeed-when-deduping-zero-bytes.patch
queue-4.9/xfs-fix-crash-and-data-corruption-due-to-removal-of-busy-cow-extents.patch
queue-4.9/xfs-don-t-allow-di_size-with-high-bit-set.patch
queue-4.9/xfs-new-inode-extent-list-lookup-helpers.patch
queue-4.9/xfs-don-t-call-xfs_sb_quota_from_disk-twice.patch
queue-4.9/xfs-factor-rmap-btree-size-into-the-indlen-calculations.patch
queue-4.9/xfs-check-return-value-of-_trans_reserve_quota_nblks.patch
queue-4.9/xfs-complain-if-we-don-t-get-nextents-bmap-records.patch
queue-4.9/xfs-check-for-bogus-values-in-btree-block-headers.patch
queue-4.9/xfs-use-gpf_nofs-when-allocating-btree-cursors.patch
queue-4.9/xfs-fix-max_retries-_show-and-_store-functions.patch
queue-4.9/xfs-fix-double-cleanup-when-cui-recovery-fails.patch
queue-4.9/xfs-don-t-skip-cow-forks-w-delalloc-blocks-in-cowblocks-scan.patch
queue-4.9/xfs-track-preallocation-separately-in-xfs_bmapi_reserve_delalloc.patch
queue-4.9/xfs-use-the-actual-ag-length-when-reserving-blocks.patch
queue-4.9/xfs-ignore-leaf-attr-ichdr.count-in-verifier-during-log-replay.patch
queue-4.9/xfs-pass-post-eof-speculative-prealloc-blocks-to-bmapi.patch
queue-4.9/xfs-don-t-cap-maximum-dedupe-request-length.patch
queue-4.9/xfs-pass-state-not-whichfork-to-trace_xfs_extlist.patch
queue-4.9/xfs-move-agi-buffer-type-setting-to-xfs_read_agi.patch
queue-4.9/xfs-check-minimum-block-size-for-crc-filesystems.patch
queue-4.9/xfs-handle-cow-fork-in-xfs_bmap_trace_exlist.patch
queue-4.9/pci-msi-check-for-null-affinity-mask-in-pci_irq_get_affinity.patch
queue-4.9/xfs-error-out-if-trying-to-add-attrs-and-anextents-0.patch
queue-4.9/xfs-don-t-bug-on-mixed-direct-and-mapped-i-o.patch
queue-4.9/xfs-use-new-extent-lookup-helpers-xfs_file_iomap_begin_delay.patch
queue-4.9/xfs-fix-unbalanced-inode-reclaim-flush-locking.patch
queue-4.9/genirq-affinity-fix-node-generation-from-cpumask.patch
queue-4.9/xfs-use-new-extent-lookup-helpers-in-__xfs_reflink_reserve_cow.patch
queue-4.9/xfs-don-t-crash-if-reading-a-directory-results-in-an-unexpected-hole.patch
queue-4.9/xfs-remove-prev-argument-to-xfs_bmapi_reserve_delalloc.patch
queue-4.9/xfs-clean-up-cow-fork-reservation-and-tag-inodes-correctly.patch
queue-4.9/xfs-forbid-ag-btrees-with-level-0.patch
queue-4.9/xfs-provide-helper-for-counting-extents-from-if_bytes.patch