korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-12-19 00:54:41 +08:00
Code Issues Packages Projects Releases Wiki Activity
1bba82fe1a
linux/fs/xfs
History
Darrick J. Wong 1bba82fe1a xfs: fix negative array access in xfs_getbmap 
In commit 8ee81ed581, Ye Bin complained about an ASSERT in the bmapx
code that trips if we encounter a delalloc extent after flushing the
pagecache to disk.  The ioctl code does not hold MMAPLOCK so it's
entirely possible that a racing write page fault can create a delalloc
extent after the file has been flushed.  The proposed solution was to
replace the assertion with an early return that avoids filling out the
bmap recordset with a delalloc entry if the caller didn't ask for it.

At the time, I recall thinking that the forward logic sounded ok, but
felt hesitant because I suspected that changing this code would cause
something /else/ to burst loose due to some other subtlety.

syzbot of course found that subtlety.  If all the extent mappings found
after the flush are delalloc mappings, we'll reach the end of the data
fork without ever incrementing bmv->bmv_entries.  This is new, since
before we'd have emitted the delalloc mappings even though the caller
didn't ask for them.  Once we reach the end, we'll try to set
BMV_OF_LAST on the -1st entry (because bmv_entries is zero) and go
corrupt something else in memory.  Yay.

I really dislike all these stupid patches that fiddle around with debug
code and break things that otherwise worked well enough.  Nobody was
complaining that calling XFS_IOC_BMAPX without BMV_IF_DELALLOC would
return BMV_OF_DELALLOC records, and now we've gone from "weird behavior
that nobody cared about" to "bad behavior that must be addressed
immediately".

Maybe I'll just ignore anything from Huawei from now on for my own sake.

Reported-by: syzbot+c103d3808a0de5faaf80@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-xfs/20230412024907.GP360889@frogsfrogsfrogs/
Fixes: 8ee81ed581 ("xfs: fix BUG_ON in xfs_getbmap()")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2023-05-02 09:15:01 +10:00
..
libxfs xfs: set bnobt/cntbt numrecs correctly when formatting new AGs 2023-05-02 09:14:36 +10:00
scrub xfs: flush dirty data and drain directios before scrubbing cow fork 2023-05-02 09:14:43 +10:00
Kconfig xfs: deprecate the ascii-ci feature 2023-04-11 19:05:19 -07:00
kmem.c mm: introduce memalloc_retry_wait() 2022-01-15 16:30:29 +02:00
kmem.h xfs: remove kmem_zone typedef 2021-10-22 16:00:31 -07:00
Makefile xfs: cross-reference rmap records with ag btrees 2023-04-11 19:00:38 -07:00
mrlock.h
xfs_acl.c fs: port acl to mnt_idmap 2023-01-19 09:24:28 +01:00
xfs_acl.h fs: port ->set_acl() to pass mnt_idmap 2023-01-19 09:24:27 +01:00
xfs_aops.c xfs: fix off-by-one-block in xfs_discard_folio() 2023-03-05 15:13:23 -08:00
xfs_aops.h
xfs_attr_inactive.c xfs: don't leak memory when attr fork loading fails 2022-07-20 16:40:39 -07:00
xfs_attr_item.c xfs: dump corrupt recovered log intent items to dmesg consistently 2022-10-31 08:58:20 -07:00
xfs_attr_item.h xfs: share xattr name and value buffers when logging xattr updates 2022-05-23 08:43:46 +10:00
xfs_attr_list.c xfs: use XFS_IFORK_Q to determine the presence of an xattr fork 2022-07-09 15:17:21 -07:00
xfs_bio_io.c fs/xfs: Use the enum req_op and blk_opf_t types 2022-07-14 12:14:33 -06:00
xfs_bmap_item.c xfs: allow queued AG intents to drain before scrubbing 2023-04-11 18:59:58 -07:00
xfs_bmap_item.h xfs: rename _zone variables to _cache 2021-10-22 16:04:20 -07:00
xfs_bmap_util.c xfs: fix negative array access in xfs_getbmap 2023-05-02 09:15:01 +10:00
xfs_bmap_util.h xfs: xfs_bmap_punch_delalloc_range() should take a byte range 2022-11-29 09:09:17 +11:00
xfs_buf_item_recover.c xfs: verify buffer contents when we skip log replay 2023-04-12 15:49:23 +10:00
xfs_buf_item.c xfs: fix super block buf log item UAF during force shutdown 2022-11-30 09:25:46 -08:00
xfs_buf_item.h xfs: convert buffer log item flags to unsigned. 2022-04-21 10:46:40 +10:00
xfs_buf.c xfs: invalidate block device page cache during unmount 2022-11-30 08:55:18 -08:00
xfs_buf.h xfs: xfs_buf cache destroy isn't RCU safe 2022-07-20 16:40:39 -07:00
xfs_dahash_test.c xfs: test the ascii case-insensitive hash 2023-04-11 19:05:05 -07:00
xfs_dahash_test.h xfs: test dir/attr hash when loading module 2023-03-19 09:55:49 -07:00
xfs_dir2_readdir.c xfs: rearrange the logic and remove the broken comment for xfs_dir2_isxx 2022-10-04 16:39:58 +11:00
xfs_discard.c xfs: convert trim to use for_each_perag_range 2023-02-13 09:14:54 +11:00
xfs_discard.h
xfs_dquot_item_recover.c xfs: replace xfs_sb_version checks with feature flag checks 2021-08-19 10:07:12 -07:00
xfs_dquot_item.c xfs: remove support for disabling quota accounting on a mounted file system 2021-08-06 11:05:36 -07:00
xfs_dquot_item.h xfs: remove support for disabling quota accounting on a mounted file system 2021-08-06 11:05:36 -07:00
xfs_dquot.c xfs: remove WARN when dquot cache insertion fails 2023-04-12 15:48:59 +10:00
xfs_dquot.h xfs: remove warning counters from struct xfs_dquot_res 2022-05-11 17:12:09 +10:00
xfs_drain.c xfs: minimize overhead of drain wakeups by using jump labels 2023-04-11 18:59:59 -07:00
xfs_drain.h xfs: minimize overhead of drain wakeups by using jump labels 2023-04-11 18:59:59 -07:00
xfs_error.c xfs: make kobj_type structures constant 2023-02-10 08:59:48 -08:00
xfs_error.h xfs: allow setting full range of panic tags 2023-02-09 18:36:17 -08:00
xfs_export.c xfs: convert remaining mount flags to state flags 2021-08-19 10:07:13 -07:00
xfs_export.h
xfs_extent_busy.c xfs: fix extent busy updating 2023-01-05 07:34:21 -08:00
xfs_extent_busy.h xfs: pass perags through to the busy extent code 2021-06-02 10:48:24 +10:00
xfs_extfree_item.c xfs: allow queued AG intents to drain before scrubbing 2023-04-11 18:59:58 -07:00
xfs_extfree_item.h xfs: refactor all the EFI/EFD log item sizeof logic 2022-10-31 08:58:20 -07:00
xfs_file.c - Daniel Verkamp has contributed a memfd series ("mm/memfd: add 2023-02-23 17:09:35 -08:00
xfs_filestream.c xfs: refactor the filestreams allocator pick functions 2023-02-13 09:14:56 +11:00
xfs_filestream.h xfs: pass perag to filestreams tracing 2023-02-13 09:14:56 +11:00
xfs_fsmap.c xfs: fix uninitialized variable access 2023-02-14 17:51:35 -08:00
xfs_fsmap.h
xfs_fsops.c - The usual batches of cleanups from Baoquan He, Muchun Song, Miaohe 2022-08-05 16:32:45 -07:00
xfs_fsops.h
xfs_globals.c xfs: allow setting full range of panic tags 2023-02-09 18:36:17 -08:00
xfs_health.c xfs: replace XFS_FORCED_SHUTDOWN with xfs_is_shutdown 2021-08-19 10:07:13 -07:00
xfs_icache.c xfs: fix an inode lookup race in xchk_get_inode 2023-04-11 19:00:21 -07:00
xfs_icache.h xfs: fix an inode lookup race in xchk_get_inode 2023-04-11 19:00:21 -07:00
xfs_icreate_item.c xfs: fix potential log item leak 2022-05-04 11:45:11 +10:00
xfs_icreate_item.h xfs: rename _zone variables to _cache 2021-10-22 16:04:20 -07:00
xfs_inode_item_recover.c xfs: clean up "%Ld/%Lu" which doesn't meet C standard 2022-09-19 06:47:14 +10:00
xfs_inode_item.c xfs: remove the redundant word in comment 2022-09-19 06:45:14 +10:00
xfs_inode_item.h xfs: aborting inodes on shutdown may need buffer lock 2022-03-29 18:21:59 -07:00
xfs_inode.c New code for 6.3-rc1, part 2: 2023-02-28 16:08:30 -08:00
xfs_inode.h fs: port inode_init_owner() to mnt_idmap 2023-01-19 09:24:28 +01:00
xfs_ioctl32.c fs: port i_{g,u}id_into_vfs{g,u}id() to mnt_idmap 2023-01-19 09:24:29 +01:00
xfs_ioctl32.h xfs: remove unused xfs_ioctl32.h declarations 2022-01-18 10:18:36 -08:00
xfs_ioctl.c fs.idmapped.v6.3 2023-02-20 11:53:11 -08:00
xfs_ioctl.h fs: port ->fileattr_set() to pass mnt_idmap 2023-01-19 09:24:27 +01:00
xfs_iomap.c xfs: don't allocate into the data fork for an unshare request 2023-05-02 09:14:51 +10:00
xfs_iomap.h xfs: use iomap_valid method to detect stale cached iomaps 2022-11-29 09:09:17 +11:00
xfs_iops.c fs: port vfs{g,u}id helpers to mnt_idmap 2023-01-19 09:24:30 +01:00
xfs_iops.h fs: port ->setattr() to pass mnt_idmap 2023-01-19 09:24:02 +01:00
xfs_itable.c fs: port i_{g,u}id_into_vfs{g,u}id() to mnt_idmap 2023-01-19 09:24:29 +01:00
xfs_itable.h fs: port i_{g,u}id_into_vfs{g,u}id() to mnt_idmap 2023-01-19 09:24:29 +01:00
xfs_iunlink_item.c xfs: create traced helper to get extra perag references 2023-04-11 18:59:55 -07:00
xfs_iunlink_item.h xfs: add in-memory iunlink log item 2022-07-14 11:47:42 +10:00
xfs_iwalk.c xfs: create traced helper to get extra perag references 2023-04-11 18:59:55 -07:00
xfs_iwalk.h xfs: Decouple XFS_IBULK flags from XFS_IWALK flags 2022-04-13 07:02:44 +00:00
xfs_linux.h xfs: allow queued AG intents to drain before scrubbing 2023-04-11 18:59:58 -07:00
xfs_log_cil.c xfs: xlog_sync() manually adjusts grant head space 2022-07-07 18:56:09 +10:00
xfs_log_priv.h xfs: xlog_sync() manually adjusts grant head space 2022-07-07 18:56:09 +10:00
xfs_log_recover.c xfs: avoid a UAF when log intent item recovery fails 2022-10-18 14:39:29 -07:00
xfs_log.c xfs: wait iclog complete before tearing down AIL 2022-11-30 09:25:46 -08:00
xfs_log.h xfs: move CIL ordering to the logvec chain 2022-07-07 18:56:08 +10:00
xfs_message.c Merge branch 'guilt/xfs-unsigned-flags-5.18' into xfs-5.19-for-next 2022-04-21 16:45:03 +10:00
xfs_message.h xfs: implement per-mount warnings for scrub and shrink usage 2022-05-27 10:31:34 +10:00
xfs_mount.c xfs: fix sb write verify for lazysbcount 2022-11-16 19:20:20 -08:00
xfs_mount.h xfs: convert xfs_ialloc_next_ag() to an atomic 2023-02-13 09:14:52 +11:00
xfs_mru_cache.c xfs: rename _zone variables to _cache 2021-10-22 16:04:20 -07:00
xfs_mru_cache.h
xfs_notify_failure.c xfs: changes for 6.1-rc1 2022-10-10 20:32:10 -07:00
xfs_ondisk.h xfs: fix memcpy fortify errors in EFI log format copying 2022-10-31 08:58:20 -07:00
xfs_pnfs.c fs: port ->setattr() to pass mnt_idmap 2023-01-19 09:24:02 +01:00
xfs_pnfs.h
xfs_pwork.c
xfs_pwork.h
xfs_qm_bhv.c xfs: replace xfs_sb_version checks with feature flag checks 2021-08-19 10:07:12 -07:00
xfs_qm_syscalls.c xfs: introduce xfs_inodegc_push() 2022-06-23 13:34:38 -07:00
xfs_qm.c xfs: quotacheck failure can race with background inode inactivation 2023-03-05 15:13:22 -08:00
xfs_qm.h xfs: remove quota warning limit from struct xfs_quota_limits 2022-05-11 17:12:09 +10:00
xfs_quota.h xfs: queue inactivation immediately when quota is nearing enforcement 2021-08-09 10:52:18 -07:00
xfs_quotaops.c xfs: don't set quota warning values 2022-05-11 17:12:09 +10:00
xfs_refcount_item.c xfs: allow queued AG intents to drain before scrubbing 2023-04-11 18:59:58 -07:00
xfs_refcount_item.h xfs: rename _zone variables to _cache 2021-10-22 16:04:20 -07:00
xfs_reflink.c xfs: active perag reference counting 2023-02-13 09:14:42 +11:00
xfs_reflink.h xfs: pass perag to xfs_alloc_read_agf() 2022-07-07 19:07:40 +10:00
xfs_rmap_item.c xfs: allow queued AG intents to drain before scrubbing 2023-04-11 18:59:58 -07:00
xfs_rmap_item.h xfs: rename _zone variables to _cache 2021-10-22 16:04:20 -07:00
xfs_rtalloc.c xfs: make rtbitmap ILOCKing consistent when scanning the rt bitmap file 2022-11-16 15:25:03 -08:00
xfs_rtalloc.h xfs: recalculate free rt extents after log recovery 2022-04-12 06:49:42 +10:00
xfs_stats.c xfs: replace unnecessary seq_printf with seq_puts 2022-09-19 06:48:14 +10:00
xfs_stats.h
xfs_super.c xfs: deprecate the ascii-ci feature 2023-04-11 19:05:19 -07:00
xfs_super.h xfs: implement ->notify_failure() for XFS 2022-07-17 17:14:30 -07:00
xfs_symlink.c fs: port fs{g,u}id helpers to mnt_idmap 2023-01-19 09:24:30 +01:00
xfs_symlink.h fs: port inode_init_owner() to mnt_idmap 2023-01-19 09:24:28 +01:00
xfs_sysctl.c
xfs_sysctl.h xfs: Add larp debug option 2022-05-11 17:01:22 +10:00
xfs_sysfs.c xfs: make kobj_type structures constant 2023-02-10 08:59:48 -08:00
xfs_sysfs.h xfs: make kobj_type structures constant 2023-02-10 08:59:48 -08:00
xfs_trace.c xfs: add debug knob to slow down writeback for fun 2022-11-28 17:24:35 -08:00
xfs_trace.h xfs: allow queued AG intents to drain before scrubbing 2023-04-11 18:59:58 -07:00
xfs_trans_ail.c xfs: shut up -Wuninitialized in xfsaild_push 2022-11-30 08:55:18 -08:00
xfs_trans_buf.c xfs: introduce xfs_buf_daddr() 2021-08-19 10:07:14 -07:00
xfs_trans_dquot.c xfs: remove quota warning limit from struct xfs_quota_limits 2022-05-11 17:12:09 +10:00
xfs_trans_priv.h xfs: convert log vector chain to use list heads 2022-07-07 18:55:59 +10:00
xfs_trans.c xfs: don't assert fail on transaction cancel with deferred ops 2023-02-11 04:12:06 +11:00
xfs_trans.h xfs: t_firstblock is tracking AGs not blocks 2023-02-11 04:11:06 +11:00
xfs_xattr.c xfs: revert commit 8954c44ff4 2023-02-10 09:06:06 -08:00
xfs_xattr.h xfs: move xfs_attr_use_log_assist usage out of libxfs 2022-05-27 10:34:04 +10:00
xfs.h