To: "linux-ext4@vger.kernel.org"
From: Eric Sandeen
Subject: [PATCH 0/1] ext4: fix potential negative array index in do_split
Date: Wed, 17 Jun 2020 14:01:29 -0500

We recently had a report of a panic in do_split; the filesystem in question panicked a distribution kernel when trying to add a new directory entry; the behavior/bug persists upstream.

The directory block in question had lots of unused and un-coalesced entries, like this, printed from the loop in ext4_insert_dentry():

[32778.024654] reclen 44 for name len 36
[32778.028745] start: de ffff9f4cb5309800 top ffff9f4cb5309bd4
[32778.034971] offset 0 nlen 28 rlen 40, rlen-nlen 12, reclen 44 name
[32778.042744] offset 40 nlen 28 rlen 28, rlen-nlen 0, reclen 44 name
[32778.050521] offset 68 nlen 32 rlen 32, rlen-nlen 0, reclen 44 name
[32778.058294] offset 100 nlen 28 rlen 28, rlen-nlen 0, reclen 44 name
[32778.066166] offset 128 nlen 28 rlen 28, rlen-nlen 0, reclen 44 name
[32778.074035] offset 156 nlen 28 rlen 28, rlen-nlen 0, reclen 44 name
[32778.081907] offset 184 nlen 24 rlen 24, rlen-nlen 0, reclen 44 name
[32778.089779] offset 208 nlen 36 rlen 36, rlen-nlen 0, reclen 44 name
[32778.097648] offset 244 nlen 12 rlen 12, rlen-nlen 0, reclen 44 name REDACTED
[32778.105227] offset 256 nlen 24 rlen 24, rlen-nlen 0, reclen 44 name
[32778.113099] offset 280 nlen 24 rlen 24, rlen-nlen 0, reclen 44 name REDACTED
[32778.122134] offset 304 nlen 20 rlen 20, rlen-nlen 0, reclen 44 name REDACTED
[32778.130780] offset 324 nlen 16 rlen 16, rlen-nlen 0, reclen 44 name REDACTED
[32778.138746] offset 340 nlen 24 rlen 24, rlen-nlen 0, reclen 44 name
[32778.146616] offset 364 nlen 28 rlen 28, rlen-nlen 0, reclen 44 name
[32778.154487] offset 392 nlen 24 rlen 24, rlen-nlen 0, reclen 44 name
[32778.162362] offset 416 nlen 16 rlen 16, rlen-nlen 0, reclen 44 name
...

the file we were trying to insert needed a record length of 44, and none of the non-coalesced slots were big enough, so we failed and told do_split to get to work.

However, the sum of the non-empty entries didn't exceed half the block size, so the loop in do_split() iterated over all of the entries, ended at "count," and told us to split at (count - move) which is zero, and eventually:

	continued = hash2 == map[split - 1].hash;

exploded on the negative index.

It's an open question as to how this directory got into this format; I'm not sure if this should ever happen or not. But at a minimum, I think we should be defensive here, hence [PATCH 1/1] will do that as an expedient fix and backportable patch for this situation.

There may be some other underlying problem which led to this directory structure if it's unexpected, and maybe that can come as another patch if anyone can investigate.

Thanks,
-Eric
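
Added example (not part of the original message, and not kernel code): a simplified userspace model of the split-point walk described above, showing how a sparse block yields a split index of 0 and how a guard keeps map[split - 1] in bounds. The function names, the 1024-byte block size and the count / 2 fallback are assumptions of this example; the sparse sizes reuse the rlen values from the listing as constructed sample input.

```c
#include <stdio.h>

#define BLOCKSIZE 1024  /* assumed block size for this example */
#define COUNT(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Constructed sample input: entry sizes reused from the rlen column. */
static const unsigned int sparse[] = { 40, 28, 32, 28, 28, 28, 24, 36, 12,
                                       24, 24, 20, 16, 24, 28, 24, 16 };
/* Constructed sample input: live entries that nearly fill the block. */
static const unsigned int dense[] = { 300, 300, 300, 100 };

/*
 * Model of the walk described in the message: starting from the last map
 * entry, count entries to move until they would cross half the block.
 * Returns count - move, which is 0 when the walk never stops early.
 */
static int split_unguarded(const unsigned int *size, int count, unsigned bs)
{
    unsigned int used = 0;
    int move = 0;

    for (int i = count - 1; i >= 0; i--) {
        if (used + size[i] / 2 > bs / 2)
            break;
        used += size[i];
        move++;
    }
    return count - move;
}

/*
 * Defensive variant: the caller reads map[split - 1], so split must be at
 * least 1. The count / 2 fallback is this example's assumption. Returns -1
 * when there are fewer than two entries to divide.
 */
static int split_guarded(const unsigned int *size, int count, unsigned bs)
{
    int split = count < 2 ? -1 : split_unguarded(size, count, bs);

    return split == 0 ? count / 2 : split;
}

int main(void)
{
    printf("sparse: %d -> %d\n", split_unguarded(sparse, COUNT(sparse), BLOCKSIZE),
           split_guarded(sparse, COUNT(sparse), BLOCKSIZE));
    printf("dense:  %d -> %d\n", split_unguarded(dense, COUNT(dense), BLOCKSIZE),
           split_guarded(dense, COUNT(dense), BLOCKSIZE));
    return 0;
}
```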