From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Brian Foster, "Darrick J. Wong", Sasha Levin
Subject: [PATCH 5.4 049/388] xfs: fix attr leaf header freemap.size underflow
Date: Tue, 29 Sep 2020 12:56:20 +0200
Message-Id: <20200929110012.867376233@linuxfoundation.org>
In-Reply-To: <20200929110010.467764689@linuxfoundation.org>
References: <20200929110010.467764689@linuxfoundation.org>

From: Brian Foster

[ Upstream commit 2a2b5932db67586bacc560cc065d62faece5b996 ]

The leaf format xattr addition helper xfs_attr3_leaf_add_work() adjusts the block freemap in a couple places. The first update drops the size of the freemap that the caller had already selected to place the xattr name/value data. Before the function returns, it also checks whether the entries array has encroached on a freemap range by virtue of the new entry addition. This is necessary because the entries array grows from the start of the block (but end of the block header) towards the end of the block while the name/value data grows from the end of the block in the opposite direction. If the associated freemap is already empty, however, size is zero and the subtraction underflows the field and causes corruption.

This is reproduced rarely by generic/070. The observed behavior is that a smaller sized freemap is aligned to the end of the entries list, several subsequent xattr additions land in larger freemaps and the entries list expands into the smaller freemap until it is fully consumed and then underflows. Note that it is not otherwise a corruption for the entries array to consume an empty freemap because the nameval list (i.e. the firstused pointer in the xattr header) starts beyond the end of the corrupted freemap.

Update the freemap size modification to account for the fact that the freemap entry can be empty and thus stale.

Signed-off-by: Brian Foster
Reviewed-by: Darrick J. Wong
Signed-off-by: Darrick J. Wong
Signed-off-by: Sasha Levin
--- fs/xfs/libxfs/xfs_attr_leaf.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c index f943c77133dcd..de33efc9b4f94 100644 --- a/fs/xfs/libxfs/xfs_attr_leaf.c +++ b/fs/xfs/libxfs/xfs_attr_leaf.c
@@ -1451,7 +1451,9 @@ xfs_attr3_leaf_add_work( for (i = 0; i < XFS_ATTR_LEAF_MAPSIZE; i++) { if (ichdr->freemap[i].base == tmp) { ichdr->freemap[i].base += sizeof(xfs_attr_leaf_entry_t); - ichdr->freemap[i].size -= sizeof(xfs_attr_leaf_entry_t); + ichdr->freemap[i].size -= + min_t(uint16_t, ichdr->freemap[i].size, + sizeof(xfs_attr_leaf_entry_t)); } } ichdr->usedbytes += xfs_attr_leaf_entsize(leaf, args->index); -- 2.25.1
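
Review bot: the clamped `ichdr->freemap[i].size -= min_t(...)` statement in xfs_attr3_leaf_add_work() has no comment saying that a freemap entry whose base matches `tmp` can already have size zero, so a later reader may take the min_t() for redundant and fold it back into the plain subtraction. A short comment above the statement, stating that an empty freemap entry is stale and its size must not drop below zero, would keep the reason next to the code. The line above still advances `ichdr->freemap[i].base` by a full sizeof(xfs_attr_leaf_entry_t) even when size is smaller than that; if that is intended for stale entries, the same comment should say so.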
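
The sequence described in the commit message, as an added user-space model that is not code from the patch or the kernel tree: a small freemap aligned to the end of the entries array is consumed entry by entry and then wraps its 16-bit size. The names `entries_grew` and `simulate`, the 8-byte `ENTRY_SIZE`, and all offsets and sizes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAPSIZE    3   /* mirrors XFS_ATTR_LEAF_MAPSIZE */
#define ENTRY_SIZE 8   /* assumed stand-in for sizeof(xfs_attr_leaf_entry_t) */

struct freemap { uint16_t base, size; };

/* The entries array grew by one entry starting at offset `tmp`: shrink any
 * freemap that began there. clamp=0 models the pre-patch arithmetic. */
static void entries_grew(struct freemap *map, uint16_t tmp, int clamp)
{
    for (int i = 0; i < MAPSIZE; i++) {
        if (map[i].base != tmp)
            continue;
        uint16_t dec = ENTRY_SIZE;
        if (clamp && map[i].size < dec)
            dec = map[i].size;      /* min_t(uint16_t, size, entry size) */
        map[i].base += ENTRY_SIZE;
        map[i].size -= dec;         /* wraps modulo 65536 when dec > size */
    }
}

/* Constructed scenario: a 16-byte freemap sits at the end of the entries
 * array while name/value data is taken from a larger freemap, so only the
 * entries array eats the small one. Returns its size after `adds` xattrs. */
uint16_t simulate(int adds, int clamp)
{
    uint16_t entries_end = 80;      /* constructed: header + existing entries */
    struct freemap map[MAPSIZE] = {
        { 80, 16 },                 /* small map at the end of the entries */
        { 400, 2000 },              /* larger map receiving name/value data */
        { 0, 0 },
    };
    for (int n = 0; n < adds; n++) {
        map[1].size -= 64;          /* constructed name/value size per xattr */
        entries_grew(map, entries_end, clamp);
        entries_end += ENTRY_SIZE;
    }
    return map[0].size;
}

int main(void)
{
    for (int clamp = 0; clamp <= 1; clamp++)
        for (int adds = 1; adds <= 3; adds++)
            printf("clamp=%d adds=%d size=%u\n", clamp, adds,
                   (unsigned)simulate(adds, clamp));
    return 0;
}
```

The third addition is the one that matters: without the clamp the empty freemap reports 65528 free bytes, with it the size stays at zero.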