From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Brian Foster, "Darrick J . Wong", Sasha Levin, xfs@oss.sgi.com
Subject: [PATCH AUTOSEL 5.4 052/330] xfs: fix attr leaf header freemap.size underflow
Date: Thu, 17 Sep 2020 21:56:32 -0400
Message-Id: <20200918020110.2063155-52-sashal@kernel.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20200918020110.2063155-1-sashal@kernel.org>
References: <20200918020110.2063155-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Brian Foster

[ Upstream commit 2a2b5932db67586bacc560cc065d62faece5b996 ]

The leaf format xattr addition helper xfs_attr3_leaf_add_work() adjusts the block freemap in a couple places. The first update drops the size of the freemap that the caller had already selected to place the xattr name/value data. Before the function returns, it also checks whether the entries array has encroached on a freemap range by virtue of the new entry addition. This is necessary because the entries array grows from the start of the block (but end of the block header) towards the end of the block while the name/value data grows from the end of the block in the opposite direction. If the associated freemap is already empty, however, size is zero and the subtraction underflows the field and causes corruption.

This is reproduced rarely by generic/070. The observed behavior is that a smaller sized freemap is aligned to the end of the entries list, several subsequent xattr additions land in larger freemaps and the entries list expands into the smaller freemap until it is fully consumed and then underflows. Note that it is not otherwise a corruption for the entries array to consume an empty freemap because the nameval list (i.e. the firstused pointer in the xattr header) starts beyond the end of the corrupted freemap.

Update the freemap size modification to account for the fact that the freemap entry can be empty and thus stale.

Signed-off-by: Brian Foster
Reviewed-by: Darrick J. Wong
Signed-off-by: Darrick J. Wong
Signed-off-by: Sasha Levin

--- fs/xfs/libxfs/xfs_attr_leaf.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c index b133209f3aa6a..f1535549d1ced 100644 --- a/fs/xfs/libxfs/xfs_attr_leaf.c +++ b/fs/xfs/libxfs/xfs_attr_leaf.c 
@@ -1451,7 +1451,9 @@ xfs_attr3_leaf_add_work( for (i = 0; i < XFS_ATTR_LEAF_MAPSIZE; i++) { if (ichdr->freemap[i].base == tmp) { ichdr->freemap[i].base += sizeof(xfs_attr_leaf_entry_t); - ichdr->freemap[i].size -= sizeof(xfs_attr_leaf_entry_t); + ichdr->freemap[i].size -= + min_t(uint16_t, ichdr->freemap[i].size, + sizeof(xfs_attr_leaf_entry_t)); } } ichdr->usedbytes += xfs_attr_leaf_entsize(leaf, args->index); -- 2.25.1
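
Review bot: the clamped subtraction inside the `ichdr->freemap[i].base == tmp` branch has no comment saying why `size` can already be zero at this point, so the `min_t()` reads as arbitrary defensive code to anyone who has not seen the commit message. A short comment above it stating that the freemap entry may be empty and stale, and that the entries array is allowed to grow over it, would keep the reasoning with the code. Note also that the unchanged line above still advances `ichdr->freemap[i].base` by the full `sizeof(xfs_attr_leaf_entry_t)` even when `size` is clamped, so for an entry with a size smaller than one entry `base` moves further than `size` shrinks; the comment should say why that is acceptable (the commit message's argument about the nameval list starting beyond the freemap), or the `base` update should be made consistent with the clamped amount.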