From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org,
"Linus Torvalds" <torvalds@linux-foundation.org>,
"Anton Altaparmakov" <aia21@cantab.net>,
"Anton Altaparmakov" <aia21@cam.ac.uk>
Subject: [PATCH 3.2 067/102] Fix nasty 32-bit overflow bug in buffer i/o code.
Date: Sat, 01 Nov 2014 22:28:03 +0000
Message-ID: <lsq.1414880883.485153234@decadent.org.uk>
In-Reply-To: <lsq.1414880882.522510247@decadent.org.uk>

3.2.64-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anton Altaparmakov <aia21@cam.ac.uk>

commit f2d5a94436cc7cc0221b9a81bba2276a25187dd3 upstream.

On 32-bit architectures, the legacy buffer_head functions are not always
handling the sector number with the proper 64-bit types, and will thus
fail on 4TB+ disks.

Any code that uses __getblk() (and thus bread(), breadahead(),
sb_bread(), sb_breadahead(), sb_getblk()), and calls it using a 64-bit
block on a 32-bit arch (where "long" is 32-bit) causes an infinite loop
in __getblk_slow() with an infinite stream of errors logged to dmesg
like this:

  __find_get_block_slow() failed. block=6740375944, b_blocknr=2445408648
  b_state=0x00000020, b_size=512
  device sda1 blocksize: 512

Note how in hex block is 0x191C1F988 and b_blocknr is 0x91C1F988 i.e. the
top 32-bits are missing (in this case the 0x1 at the top).

This is because grow_dev_page() is broken and has a 32-bit overflow due
to shifting the page index value (a pgoff_t - which is just 32 bits on
32-bit architectures) left-shifted as the block number.  But the top
bits get lost as the pgoff_t is not type cast to sector_t / 64-bit
before the shift.

This patch fixes this issue by type casting "index" to sector_t before
doing the left shift.

Note this is not a theoretical bug but has been seen in the field on a
4TiB hard drive with logical sector size 512 bytes.

This patch has been verified to fix the infinite loop problem on 3.17-rc5
kernel using a 4TB disk image mounted using "-o loop".  Without this patch
doing a "find /nt" where /nt is an NTFS volume causes the infinite loop
100% reproducibly whilst with the patch it works fine as expected.

Signed-off-by: Anton Altaparmakov <aia21@cantab.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/buffer.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -1021,7 +1021,8 @@ grow_dev_page(struct block_device *bdev,
bh = page_buffers(page);
if (bh->b_size == size) {
end_block = init_page_buffers(page, bdev,
- index << sizebits, size);
+ (sector_t)index << sizebits,
+ size);
goto done;
}
if (!try_to_free_buffers(page))
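Review bot: The cast in the init_page_buffers() call under `if (bh->b_size == size)` is correct, but the identical expression `(sector_t)index << sizebits` is now written out at two call sites in grow_dev_page(), which is how one of them could be missed or regress later. Computing it once into a local sector_t before the first use and passing that local to both calls would keep the widening in a single place and avoid the awkward line wrap this hunk introduces.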
@@ -1042,7 +1043,8 @@ grow_dev_page(struct block_device *bdev,
*/
spin_lock(&inode->i_mapping->private_lock);
link_dev_buffers(page, bh);
- end_block = init_page_buffers(page, bdev, index << sizebits, size);
+ end_block = init_page_buffers(page, bdev, (sector_t)index << sizebits,
+ size);
spin_unlock(&inode->i_mapping->private_lock);
done:
ret = (block < end_block) ? 1 : -ENXIO;
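Review bot: Nothing at the second init_page_buffers() call explains why the cast has to come before the shift, so `(sector_t)index << sizebits` reads as redundant to anyone who assumes the argument is widened on the way into the callee. A one-line comment such as `/* widen before shifting: pgoff_t is 32 bits on 32-bit arches */` would keep a later cleanup from dropping it. The declarations of `block` and `end_block` used in the `done:` comparison are not in this hunk, so it is worth confirming that both are sector_t and the comparison is not truncated in the same way.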
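The truncation described in the commit message can be reproduced in user space with the values from its dmesg line. This is an added example, not code from the patch or the kernel: the typedefs and function names are hypothetical stand-ins, and it assumes a 4096-byte page and that the page index is `block >> sizebits`.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the kernel types on a 32-bit arch with 64-bit sector
 * numbers. Names are hypothetical for this example, not kernel code. */
typedef uint32_t pgoff32_t;   /* pgoff_t: unsigned long, 32 bits wide */
typedef uint64_t sector64_t;  /* sector_t: 64 bits wide */

/* Blocks per page as a shift count: log2(page_size / block_size). */
static unsigned sizebits_for(unsigned page_size, unsigned block_size)
{
    unsigned bits = 0;
    while ((block_size << bits) < page_size)
        bits++;
    return bits;
}

/* Page index that holds a block (assumed here to be block >> sizebits). */
static pgoff32_t page_index_of(sector64_t block, unsigned sizebits)
{
    return (pgoff32_t)(block >> sizebits);
}

/* Pre-patch expression: the shift is done in 32 bits, then widened. */
static sector64_t first_block_unpatched(pgoff32_t index, unsigned sizebits)
{
    return index << sizebits;
}

/* Patched expression: widen to 64 bits first, then shift. */
static sector64_t first_block_patched(pgoff32_t index, unsigned sizebits)
{
    return (sector64_t)index << sizebits;
}

int main(void)
{
    const sector64_t block = 6740375944ULL;       /* block= in the dmesg line */
    unsigned sizebits = sizebits_for(4096, 512);  /* 4096-byte page assumed */
    pgoff32_t index = page_index_of(block, sizebits);

    printf("index=%u sizebits=%u\n", (unsigned)index, sizebits);
    printf("unpatched: %llu (0x%llX)\n",
           (unsigned long long)first_block_unpatched(index, sizebits),
           (unsigned long long)first_block_unpatched(index, sizebits));
    printf("patched:   %llu (0x%llX)\n",
           (unsigned long long)first_block_patched(index, sizebits),
           (unsigned long long)first_block_patched(index, sizebits));
    return 0;
}
```

The unpatched result equals the `b_blocknr` value in the log and the patched result equals `block`, so a lookup for the requested block can never match the buffer that was just set up.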