From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:44906 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751726AbdDARdw (ORCPT
        <rfc822;stable@vger.kernel.org>); Sat, 1 Apr 2017 13:33:52 -0400
Subject: Patch "xfs: filter out obviously bad btree pointers" has been added to the 4.9-stable tree
To: darrick.wong@oracle.com, gregkh@linuxfoundation.org,
        sandeen@redhat.com
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
From: <gregkh@linuxfoundation.org>
Date: Sat, 01 Apr 2017 19:33:29 +0200
Message-ID: <1491068009117128@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>


This is a note to let you know that I've just added the patch titled

    xfs: filter out obviously bad btree pointers

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfs-filter-out-obviously-bad-btree-pointers.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>>From d5a91baeb6033c3392121e4d5c011cdc08dfa9f7 Mon Sep 17 00:00:00 2001
From: "Darrick J. Wong" <darrick.wong@oracle.com>
Date: Thu, 2 Feb 2017 15:13:58 -0800
Subject: xfs: filter out obviously bad btree pointers

From: Darrick J. Wong <darrick.wong@oracle.com>

commit d5a91baeb6033c3392121e4d5c011cdc08dfa9f7 upstream.

Don't let anybody load an obviously bad btree pointer.  Since the values
come from disk, we must return an error, not just ASSERT.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/xfs/libxfs/xfs_bmap.c  |    5 +----
 fs/xfs/libxfs/xfs_btree.c |    3 ++-
 fs/xfs/libxfs/xfs_btree.h |    2 +-
 3 files changed, 4 insertions(+), 6 deletions(-)

--- a/fs/xfs/libxfs/xfs_bmap.c
+++ b/fs/xfs/libxfs/xfs_bmap.c
@@ -1278,7 +1278,6 @@ xfs_bmap_read_extents(
 	/* REFERENCED */
 	xfs_extnum_t		room;	/* number of entries there's room for */
 
-	bno = NULLFSBLOCK;
 	mp = ip->i_mount;
 	ifp = XFS_IFORK_PTR(ip, whichfork);
 	exntf = (whichfork != XFS_DATA_FORK) ? XFS_EXTFMT_NOSTATE :
@@ -1291,9 +1290,7 @@ xfs_bmap_read_extents(
 	ASSERT(level > 0);
 	pp = XFS_BMAP_BROOT_PTR_ADDR(mp, block, 1, ifp->if_broot_bytes);
 	bno = be64_to_cpu(*pp);
-	ASSERT(bno != NULLFSBLOCK);
-	ASSERT(XFS_FSB_TO_AGNO(mp, bno) < mp->m_sb.sb_agcount);
-	ASSERT(XFS_FSB_TO_AGBNO(mp, bno) < mp->m_sb.sb_agblocks);
+
 	/*
 	 * Go down the tree until leaf level is reached, following the first
 	 * pointer (leftmost) at each level.
--- a/fs/xfs/libxfs/xfs_btree.c
+++ b/fs/xfs/libxfs/xfs_btree.c
@@ -810,7 +810,8 @@ xfs_btree_read_bufl(
 	xfs_daddr_t		d;		/* real disk block address */
 	int			error;
 
-	ASSERT(fsbno != NULLFSBLOCK);
+	if (!XFS_FSB_SANITY_CHECK(mp, fsbno))
+		return -EFSCORRUPTED;
 	d = XFS_FSB_TO_DADDR(mp, fsbno);
 	error = xfs_trans_read_buf(mp, tp, mp->m_ddev_targp, d,
 				   mp->m_bsize, lock, &bp, ops);
--- a/fs/xfs/libxfs/xfs_btree.h
+++ b/fs/xfs/libxfs/xfs_btree.h
@@ -491,7 +491,7 @@ static inline int xfs_btree_get_level(st
 #define	XFS_FILBLKS_MAX(a,b)	max_t(xfs_filblks_t, (a), (b))
 
 #define	XFS_FSB_SANITY_CHECK(mp,fsb)	\
-	(XFS_FSB_TO_AGNO(mp, fsb) < mp->m_sb.sb_agcount && \
+	(fsb && XFS_FSB_TO_AGNO(mp, fsb) < mp->m_sb.sb_agcount && \
 		XFS_FSB_TO_AGBNO(mp, fsb) < mp->m_sb.sb_agblocks)
 
 /*


Patches currently in stable-queue which might be from darrick.wong@oracle.com are

queue-4.9/xfs-mark-speculative-prealloc-cow-fork-extents-unwritten.patch
queue-4.9/xfs-fix-toctou-race-when-locking-an-inode-to-access-the-data-map.patch
queue-4.9/xfs-use-iomap-new-flag-for-newly-allocated-delalloc-blocks.patch
queue-4.9/xfs-handle-indlen-shortage-on-delalloc-extent-merge.patch
queue-4.9/xfs-reject-all-unaligned-direct-writes-to-reflinked-files.patch
queue-4.9/xfs-allow-unwritten-extents-in-the-cow-fork.patch
queue-4.9/xfs-tune-down-agno-asserts-in-the-bmap-code.patch
queue-4.9/xfs-verify-free-block-header-fields.patch
queue-4.9/xfs-check-for-obviously-bad-level-values-in-the-bmbt-root.patch
queue-4.9/xfs-don-t-fail-xfs_extent_busy-allocation.patch
queue-4.9/xfs-sync-eofblocks-scans-under-iolock-are-livelock-prone.patch
queue-4.9/xfs-use-per-ag-reservations-for-the-finobt.patch
queue-4.9/xfs-pull-up-iolock-from-xfs_free_eofblocks.patch
queue-4.9/xfs-fail-_dir_open-when-readahead-fails.patch
queue-4.9/xfs-reset-b_first_retry_time-when-clear-the-retry-status-of-xfs_buf_t.patch
queue-4.9/xfs-update-ctime-and-mtime-on-clone-destinatation-inodes.patch
queue-4.9/xfs-only-update-mount-resv-fields-on-success-in-__xfs_ag_resv_init.patch
queue-4.9/xfs-split-indlen-reservations-fairly-when-under-reserved.patch
queue-4.9/xfs-filter-out-obviously-bad-btree-pointers.patch
queue-4.9/xfs-use-xfs_icluster_size_fsb-to-calculate-inode-chunk-alignment.patch
queue-4.9/xfs-only-reclaim-unwritten-cow-extents-periodically.patch
queue-4.9/xfs-try-any-ag-when-allocating-the-first-btree-block-when-reflinking.patch
queue-4.9/xfs-fix-and-streamline-error-handling-in-xfs_end_io.patch
queue-4.9/xfs-fix-eofblocks-race-with-file-extending-async-dio-writes.patch
queue-4.9/xfs-fix-uninitialized-variable-in-_reflink_convert_cow.patch
queue-4.9/xfs-don-t-reserve-blocks-for-right-shift-transactions.patch
queue-4.9/xfs-use-xfs_icluster_size_fsb-to-calculate-inode-alignment-mask.patch