From: Qian Cai
To: darrick.wong@oracle.com
Cc: hch@infradead.org, linux-xfs@vger.kernel.org, linux-kernel@vger.kernel.org, Qian Cai
Subject: [PATCH v3] xfs: fix an undefined behaviour in _da3_path_shift
Date: Tue, 25 Feb 2020 21:06:37 -0500
Message-Id: <20200226020637.1065-1-cai@lca.pw>
X-Mailer: git-send-email 2.21.0 (Apple Git-122.2)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In xfs_da3_path_shift() "blk" can be assigned to state->path.blk[-1] if
state->path.active is 1 (which is a valid state) when it tries to add an
entry to a single dir leaf block and then to shift forward to see if
there's a sibling block that would be a better place to put the new
entry. This causes a UBSAN warning given negative array indices are
undefined behavior in C. In practice the warning is entirely harmless
given that "blk" is never dereferenced in this case, but it is still
better to fix up the warning and slightly improve the code.

 UBSAN: Undefined behaviour in fs/xfs/libxfs/xfs_da_btree.c:1989:14
 index -1 is out of range for type 'xfs_da_state_blk_t [5]'
 Call trace:
  dump_backtrace+0x0/0x2c8
  show_stack+0x20/0x2c
  dump_stack+0xe8/0x150
  __ubsan_handle_out_of_bounds+0xe4/0xfc
  xfs_da3_path_shift+0x860/0x86c [xfs]
  xfs_da3_node_lookup_int+0x7c8/0x934 [xfs]
  xfs_dir2_node_addname+0x2c8/0xcd0 [xfs]
  xfs_dir_createname+0x348/0x38c [xfs]
  xfs_create+0x6b0/0x8b4 [xfs]
  xfs_generic_create+0x12c/0x1f8 [xfs]
  xfs_vn_mknod+0x3c/0x4c [xfs]
  xfs_vn_create+0x34/0x44 [xfs]
  do_last+0xd4c/0x10c8
  path_openat+0xbc/0x2f4
  do_filp_open+0x74/0xf4
  do_sys_openat2+0x98/0x180
  __arm64_sys_openat+0xf8/0x170
  do_el0_svc+0x170/0x240
  el0_sync_handler+0x150/0x250
  el0_sync+0x164/0x180

Suggested-by: Christoph Hellwig
Signed-off-by: Qian Cai --- v3: Borrow the commit log from Christoph. v2: Update the commit log thanks to Darrick. Simplify the code. fs/xfs/libxfs/xfs_da_btree.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/xfs/libxfs/xfs_da_btree.c b/fs/xfs/libxfs/xfs_da_btree.c index 875e04f82541..e864c3d47f60 100644 --- a/fs/xfs/libxfs/xfs_da_btree.c +++ b/fs/xfs/libxfs/xfs_da_btree.c @@ -1986,7 +1986,8 @@ xfs_da3_path_shift( ASSERT(path != NULL); ASSERT((path->active > 0) && (path->active < XFS_DA_NODE_MAXDEPTH)); level = (path->active-1) - 1; /* skip bottom layer in path */ - for (blk = &path->blk[level]; level >= 0; blk--, level--) { + for (; level >= 0; level--) { + blk = &path->blk[level]; xfs_da3_node_hdr_from_disk(dp->i_mount, &nodehdr, blk->bp->b_addr); -- 2.21.0 (Apple Git-122.2)
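
Review bot: In the xfs_da3_path_shift() hunk, moving the assignment into the loop body means "blk" is no longer set at all when path->active is 1: level starts at -1 and "for (; level >= 0; level--)" is skipped entirely. The code after the loop is not visible in this hunk, so please confirm that every later use of "blk" is reached only when level >= 0, and check that the compiler does not now raise a maybe-uninitialized warning for it. A short comment above the loop noting that "blk" is only valid while level >= 0 would help keep a later cleanup from reintroducing the blk[-1] pointer.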