Date: Mon, 18 Dec 2023 16:32:27 +0100
From: Jan Kara
To: Baokun Li
Cc: linux-ext4@vger.kernel.org, tytso@mit.edu, adilger.kernel@dilger.ca, jack@suse.cz, ritesh.list@gmail.com, linux-kernel@vger.kernel.org, yi.zhang@huawei.com, yangerkun@huawei.com, yukuai3@huawei.com, Wei Chen, xingwei lee, stable@vger.kernel.org
Subject: Re: [PATCH 1/4] ext4: fix double-free of blocks due to wrong extents moved_len
Message-ID: <20231218153227.x273h3c5t2dqgh76@quack3>
References: <20231218141814.1477338-1-libaokun1@huawei.com> <20231218141814.1477338-2-libaokun1@huawei.com>
In-Reply-To: <20231218141814.1477338-2-libaokun1@huawei.com>

On Mon 18-12-23 22:18:11, Baokun Li wrote:
> In ext4_move_extents(), moved_len is only updated when all moves are
> successfully executed, and only discards orig_inode and donor_inode
> preallocations when moved_len is not zero. When the loop fails to exit
> after successfully moving some extents, moved_len is not updated and
> remains at 0, so it does not discard the preallocations.
>
> If the moved extents overlap with the preallocated extents, the
> overlapped extents are freed twice in ext4_mb_release_inode_pa() and
> ext4_process_freed_data() (as described in commit 94d7c16cbbbd), and
> bb_free is incremented twice. Hence when trim is executed, a zero-division
> bug is triggered in mb_update_avg_fragment_size() because bb_free is not
> zero and bb_fragments is zero.
>
> Therefore, update move_len after each extent move to avoid the issue.
>
> Reported-by: Wei Chen
> Reported-by: xingwei lee
> Closes: https://lore.kernel.org/r/CAO4mrferzqBUnCag8R3m2zf897ts9UEuhjFQGPtODT92rYyR2Q@mail.gmail.com
> Fixes: fcf6b1b729bc ("ext4: refactor ext4_move_extents code base")
> CC: stable@vger.kernel.org # 3.18
> Signed-off-by: Baokun Li
> ---
> fs/ext4/move_extent.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c > index 3aa57376d9c2..4b9b503c6346 100644 > --- a/fs/ext4/move_extent.c > +++ b/fs/ext4/move_extent.c > @@ -672,7 +672,7 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, __u64 orig_blk, > */ > ext4_double_up_write_data_sem(orig_inode, donor_inode); > /* Swap original branches with new branches */ > - move_extent_per_page(o_filp, donor_inode, > + *moved_len += move_extent_per_page(o_filp, donor_inode, > orig_page_index, donor_page_index, > offset_in_page, cur_len, > unwritten, &ret);

Although this is currently fine, I think ext4_move_extents() should be
careful and zero out *moved_len before it starts using it.

> @@ -682,7 +682,6 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, __u64 orig_blk, > o_start += cur_len; > d_start += cur_len; > } > - *moved_len = o_start - orig_blk; > if (*moved_len > len) > *moved_len = len;

So I'm not sure the *moved_len > len condition can ever trigger but if it
does, we'd need to check it whenever we are returning moved_len. So either
I'd delete the condition or move it to the out label.

								Honza
-- 
Jan Kara
SUSE Labs, CR
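
Review bot: In the first hunk (@@ -672,7 +672,7 @@), "*moved_len += move_extent_per_page(...)" adds to whatever value the caller left in *moved_len, and nothing in the visible lines sets it to zero first. Initialise it at the top of ext4_move_extents() ("*moved_len = 0;") so the running total does not depend on the caller. The unchanged continuation lines ("orig_page_index, donor_page_index," onward) also no longer line up with the opening parenthesis, which has moved right, and should be re-indented.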
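
Review bot: In the second hunk (@@ -682,7 +682,6 @@), the clamp "if (*moved_len > len) *moved_len = len;" is kept as context, but it now bounds a running sum of move_extent_per_page() return values instead of "o_start - orig_blk". If that sum cannot exceed len, the check is dead code and should go together with the removed assignment; if it can, add a comment saying how and make sure every path that returns moved_len passes through the clamp.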
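
Added example (not part of this thread, the patch or the kernel source): a small user-space model of the accounting problem described in the quoted commit message, comparing the old "assign once after the loop" scheme with the new per-move accumulation when a move fails partway. All names (move_result, model_move_one, move_old, move_new, discards_prealloc), the error value -5 and the sample extent sizes are constructed for illustration, and the model assumes a failed step moves no blocks.

```c
#include <stdio.h>
/* Simplified user-space model, not kernel code; every name is hypothetical. */
struct move_result { unsigned long moved_len; int err; };

/* Stand-in for one per-extent move. Assumption: a failed step moves nothing. */
static unsigned long model_move_one(int idx, int fail_at,
                                    unsigned long cur_len, int *ret)
{
    *ret = (idx == fail_at) ? -5 : 0;   /* constructed error value */
    return *ret ? 0 : cur_len;
}

/* Old accounting: moved_len is assigned once, after the loop completes. */
static struct move_result move_old(unsigned long orig_blk, int n_extents,
                                   unsigned long cur_len, int fail_at)
{
    struct move_result r = { 0, 0 };
    unsigned long o_start = orig_blk;
    for (int i = 0; i < n_extents; i++) {
        model_move_one(i, fail_at, cur_len, &r.err);
        if (r.err < 0)
            return r;            /* error exit skips the assignment below */
        o_start += cur_len;
    }
    r.moved_len = o_start - orig_blk;
    return r;
}

/* New accounting: moved_len grows after every successful move. */
static struct move_result move_new(int n_extents, unsigned long cur_len, int fail_at)
{
    struct move_result r = { 0, 0 };
    for (int i = 0; i < n_extents; i++) {
        r.moved_len += model_move_one(i, fail_at, cur_len, &r.err);
        if (r.err < 0)
            break;
    }
    return r;
}

/* Caller-side rule from the commit message: discard only if moved_len != 0. */
static int discards_prealloc(struct move_result r) { return r.moved_len != 0; }

int main(void)
{
    struct move_result o = move_old(100, 4, 8, 2), n = move_new(4, 8, 2);
    printf("old: moved_len=%lu discard=%d | new: moved_len=%lu discard=%d\n",
           o.moved_len, discards_prealloc(o), n.moved_len, discards_prealloc(n));
    return 0;
}
```

With the third of four 8-block moves failing, the old scheme reports nothing moved and skips the discard even though 16 blocks were already swapped; the accumulating scheme reports 16 and triggers it.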