From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:47028 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S935354AbdAJKdY (ORCPT ); Tue, 10 Jan 2017 05:33:24 -0500 Subject: Patch "xfs: forbid AG btrees with level == 0" has been added to the 4.9-stable tree To: hch@lst.de, darrick.wong@oracle.com, david@fromorbit.com, dchinner@redhat.com, gregkh@linuxfoundation.org Cc: , From: Date: Tue, 10 Jan 2017 11:33:06 +0100 In-Reply-To: <1483976343-661-21-git-send-email-hch@lst.de> Message-ID: <148404438669174@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled xfs: forbid AG btrees with level == 0 to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: xfs-forbid-ag-btrees-with-level-0.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From hch@lst.de Tue Jan 10 11:29:15 2017 From: Christoph Hellwig Date: Mon, 9 Jan 2017 16:38:51 +0100 Subject: xfs: forbid AG btrees with level == 0 To: stable@vger.kernel.org Cc: linux-xfs@vger.kernel.org, "Darrick J. Wong" , Dave Chinner Message-ID: <1483976343-661-21-git-send-email-hch@lst.de> From: "Darrick J. Wong" commit d2a047f31e86941fa896e0e3271536d50aba415e upstream. There is no such thing as a zero-level AG btree since even a single-node zero-records btree has one level. Btree cursor constructors read cur_nlevels straight from disk and then access things like cur_bufs[cur_nlevels - 1] which is /really/ bad if cur_nlevels is zero! Therefore, strengthen the verifiers to prevent this possibility. Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Cc: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman --- fs/xfs/libxfs/xfs_alloc.c | 10 +++++++--- fs/xfs/libxfs/xfs_ialloc.c | 9 ++++++++- 2 files changed, 15 insertions(+), 4 deletions(-) --- a/fs/xfs/libxfs/xfs_alloc.c +++ b/fs/xfs/libxfs/xfs_alloc.c @@ -2455,12 +2455,15 @@ xfs_agf_verify( be32_to_cpu(agf->agf_flcount) <= XFS_AGFL_SIZE(mp))) return false; - if (be32_to_cpu(agf->agf_levels[XFS_BTNUM_BNO]) > XFS_BTREE_MAXLEVELS || + if (be32_to_cpu(agf->agf_levels[XFS_BTNUM_BNO]) < 1 || + be32_to_cpu(agf->agf_levels[XFS_BTNUM_CNT]) < 1 || + be32_to_cpu(agf->agf_levels[XFS_BTNUM_BNO]) > XFS_BTREE_MAXLEVELS || be32_to_cpu(agf->agf_levels[XFS_BTNUM_CNT]) > XFS_BTREE_MAXLEVELS) return false; if (xfs_sb_version_hasrmapbt(&mp->m_sb) && - be32_to_cpu(agf->agf_levels[XFS_BTNUM_RMAP]) > XFS_BTREE_MAXLEVELS) + (be32_to_cpu(agf->agf_levels[XFS_BTNUM_RMAP]) < 1 || + be32_to_cpu(agf->agf_levels[XFS_BTNUM_RMAP]) > XFS_BTREE_MAXLEVELS)) return false; /* @@ -2477,7 +2480,8 @@ xfs_agf_verify( return false; if (xfs_sb_version_hasreflink(&mp->m_sb) && - be32_to_cpu(agf->agf_refcount_level) > XFS_BTREE_MAXLEVELS) + (be32_to_cpu(agf->agf_refcount_level) < 1 || + be32_to_cpu(agf->agf_refcount_level) > XFS_BTREE_MAXLEVELS)) return false; return true;; --- a/fs/xfs/libxfs/xfs_ialloc.c +++ b/fs/xfs/libxfs/xfs_ialloc.c @@ -2510,8 +2510,15 @@ xfs_agi_verify( if (!XFS_AGI_GOOD_VERSION(be32_to_cpu(agi->agi_versionnum))) return false; - if (be32_to_cpu(agi->agi_level) > XFS_BTREE_MAXLEVELS) + if (be32_to_cpu(agi->agi_level) < 1 || + be32_to_cpu(agi->agi_level) > XFS_BTREE_MAXLEVELS) return false; + + if (xfs_sb_version_hasfinobt(&mp->m_sb) && + (be32_to_cpu(agi->agi_free_level) < 1 || + be32_to_cpu(agi->agi_free_level) > XFS_BTREE_MAXLEVELS)) + return false; + /* * during growfs operations, the perag is not fully initialised, * so we can't use it for any useful checking. growfs ensures we can't Patches currently in stable-queue which might be from hch@lst.de are queue-4.9/xfs-always-succeed-when-deduping-zero-bytes.patch queue-4.9/xfs-fix-crash-and-data-corruption-due-to-removal-of-busy-cow-extents.patch queue-4.9/xfs-don-t-allow-di_size-with-high-bit-set.patch queue-4.9/xfs-new-inode-extent-list-lookup-helpers.patch queue-4.9/xfs-don-t-call-xfs_sb_quota_from_disk-twice.patch queue-4.9/xfs-factor-rmap-btree-size-into-the-indlen-calculations.patch queue-4.9/xfs-check-return-value-of-_trans_reserve_quota_nblks.patch queue-4.9/xfs-complain-if-we-don-t-get-nextents-bmap-records.patch queue-4.9/xfs-check-for-bogus-values-in-btree-block-headers.patch queue-4.9/xfs-use-gpf_nofs-when-allocating-btree-cursors.patch queue-4.9/xfs-fix-max_retries-_show-and-_store-functions.patch queue-4.9/xfs-fix-double-cleanup-when-cui-recovery-fails.patch queue-4.9/xfs-don-t-skip-cow-forks-w-delalloc-blocks-in-cowblocks-scan.patch queue-4.9/xfs-track-preallocation-separately-in-xfs_bmapi_reserve_delalloc.patch queue-4.9/xfs-use-the-actual-ag-length-when-reserving-blocks.patch queue-4.9/xfs-ignore-leaf-attr-ichdr.count-in-verifier-during-log-replay.patch queue-4.9/xfs-pass-post-eof-speculative-prealloc-blocks-to-bmapi.patch queue-4.9/xfs-don-t-cap-maximum-dedupe-request-length.patch queue-4.9/xfs-pass-state-not-whichfork-to-trace_xfs_extlist.patch queue-4.9/xfs-move-agi-buffer-type-setting-to-xfs_read_agi.patch queue-4.9/xfs-check-minimum-block-size-for-crc-filesystems.patch queue-4.9/xfs-handle-cow-fork-in-xfs_bmap_trace_exlist.patch queue-4.9/pci-msi-check-for-null-affinity-mask-in-pci_irq_get_affinity.patch queue-4.9/xfs-error-out-if-trying-to-add-attrs-and-anextents-0.patch queue-4.9/xfs-don-t-bug-on-mixed-direct-and-mapped-i-o.patch queue-4.9/xfs-use-new-extent-lookup-helpers-xfs_file_iomap_begin_delay.patch queue-4.9/xfs-fix-unbalanced-inode-reclaim-flush-locking.patch queue-4.9/genirq-affinity-fix-node-generation-from-cpumask.patch queue-4.9/xfs-use-new-extent-lookup-helpers-in-__xfs_reflink_reserve_cow.patch queue-4.9/xfs-don-t-crash-if-reading-a-directory-results-in-an-unexpected-hole.patch queue-4.9/xfs-remove-prev-argument-to-xfs_bmapi_reserve_delalloc.patch queue-4.9/xfs-clean-up-cow-fork-reservation-and-tag-inodes-correctly.patch queue-4.9/xfs-forbid-ag-btrees-with-level-0.patch queue-4.9/xfs-provide-helper-for-counting-extents-from-if_bytes.patch