Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp473249rwl; Wed, 4 Jan 2023 23:20:29 -0800 (PST) X-Google-Smtp-Source: AMrXdXtoIYbzEs1MEBUiS2puI4ez80LkD7b0wYrDeXr2N5m+kddVpvP9PaM0QqSHX78WTsUYzoQo X-Received: by 2002:a17:906:2801:b0:7c1:639:6b46 with SMTP id r1-20020a170906280100b007c106396b46mr39566844ejc.9.1672903228818; Wed, 04 Jan 2023 23:20:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1672903228; cv=none; d=google.com; s=arc-20160816; b=lnFam31t1LTUc8+sDBzdE7RsAHvkdsdeXRUp//VwnUFrpMxdc4yyRvhaRRTkIPr1ts yW1bwQYHiY4pUS7LuikWMTOR9JWNmvqKQsM03Ta2y5FRwFA62vwlXH/by7eFDzC+7tmF 3LoyYDlrjS8/WC75gtmmQJq5SToZ1XSnv4w9slEpjHVwG7OP6J1fZVsj4+vGck/IU9lR j9EtPWkj/3hkyJfNBH++lUfS3HJRUaHG4gCOASB4kwn1f37a5vaGFdWOR6Z3nUQteA2y MtCjEaxks8ogiglSm8lZb8Pso1c7zv7Vx863tGE3ESZthKIxvY1AAkdNysnHokmgMYtU kXOQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=DQsAU4YhHbaK7N4z4J1tV8dOMlRmNJwu0n4hd1DhZBE=; b=TPBUDKt70umCbvQ66PAoLtZXjWAZ3KAKSv5QRZWcgvVdSfXbZdLmh5N3qURz5jVBQK uheESnRA9mrTC1tznqpBTzlaDClSG0LGeibmdekj+x48THoLRthtYpuIepVfeY5okl8x bUcl/xOUpwI8O9zcPmQPoCN5RFcrGM1mu412uHQj9FRjzMrMQpQ1Rs7iyBP7rMFwAjHn pQUMz7y+EyqlGoH4jLtYSqyrlNNuXQGJczXXYnYDptaEGUDZInIW9UP+MpPwnB/CgjQH 9IMCzfijrEfrIbNLVhIthIT/9AvLMgL5VrCuHmrLe4xcDNbDuIFeBarIZEHqmaZbywip gZbQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=UPqqxdw1; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id mp30-20020a1709071b1e00b007c10d4cc297si31079668ejc.85.2023.01.04.23.20.05; Wed, 04 Jan 2023 23:20:28 -0800 (PST) Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=UPqqxdw1; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231215AbjAEHRW (ORCPT + 99 others); Thu, 5 Jan 2023 02:17:22 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34032 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231147AbjAEHRO (ORCPT ); Thu, 5 Jan 2023 02:17:14 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0D5DF2003; Wed, 4 Jan 2023 23:17:13 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id BEC99B818D6; Thu, 5 Jan 2023 07:17:11 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6F086C433EF; Thu, 5 Jan 2023 07:17:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1672903030; bh=Gsq+HPQbcfwTbsd3fDRPNmo/U5mF5EWXY+nBBo5qWbM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UPqqxdw17plGSThbXtZYO7NhajJpHjhFSIJNmDToCxQLxYD7iJ2B/c5Hec6OIRKPf MGecpBLKVxSqP9oOLNHA6kArwWqN/6Vif51XsQokWM0rq0y+d7ABWfaSfRFEcNfKTP eZXH2UOoZT2kqI3dUsk8xA8i3PkamTP8Inqq0p548NXXQ8MYkgx5+m2niklfr1m4U1 Ohi/5UZPMv3d9dRvWZk4oLC1Y3EO7zM0VAVWROG1L0qwXDlma5+vlfR58UpQa5K5DE dX4Aex+nsfxUfIJHZJy48qN+f337G5HKND/qjzNilmJFcVvuno2Ax8yY34VLd61bNg GYqnfwAUS3PXw== From: Eric Biggers To: stable@vger.kernel.org Cc: linux-ext4@vger.kernel.org, Theodore Ts'o Subject: [PATCH 5.15 10/10] ext4: fix off-by-one errors in fast-commit block filling Date: Wed, 4 Jan 2023 23:13:59 -0800 Message-Id: <20230105071359.257952-11-ebiggers@kernel.org> X-Mailer: git-send-email 2.39.0 In-Reply-To: <20230105071359.257952-1-ebiggers@kernel.org> References: <20230105071359.257952-1-ebiggers@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org From: Eric Biggers commit 48a6a66db82b8043d298a630f22c62d43550cae5 upstream. Due to several different off-by-one errors, or perhaps due to a late change in design that wasn't fully reflected in the code that was actually merged, there are several very strange constraints on how fast-commit blocks are filled with tlv entries: - tlvs must start at least 10 bytes before the end of the block, even though the minimum tlv length is 8. Otherwise, the replay code will ignore them. (BUG: ext4_fc_reserve_space() could violate this requirement if called with a len of blocksize - 9 or blocksize - 8. Fortunately, this doesn't seem to happen currently.) - tlvs must end at least 1 byte before the end of the block. Otherwise the replay code will consider them to be invalid. This quirk contributed to a bug (fixed by an earlier commit) where uninitialized memory was being leaked to disk in the last byte of blocks. Also, strangely these constraints don't apply to the replay code in e2fsprogs, which will accept any tlvs in the blocks (with no bounds checks at all, but that is a separate issue...). Given that this all seems to be a bug, let's fix it by just filling blocks with tlv entries in the natural way. Note that old kernels will be unable to replay fast-commit journals created by kernels that have this commit. Fixes: aa75f4d3daae ("ext4: main fast-commit commit path") Cc: # v5.10+ Signed-off-by: Eric Biggers Link: https://lore.kernel.org/r/20221106224841.279231-7-ebiggers@kernel.org Signed-off-by: Theodore Ts'o --- fs/ext4/fast_commit.c | 66 +++++++++++++++++++++---------------------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c index fe65df2d41dd4..a8d0a8081a1da 100644 --- a/fs/ext4/fast_commit.c +++ b/fs/ext4/fast_commit.c @@ -643,43 +643,43 @@ static u8 *ext4_fc_reserve_space(struct super_block *sb, int len, u32 *crc) struct buffer_head *bh; int bsize = sbi->s_journal->j_blocksize; int ret, off = sbi->s_fc_bytes % bsize; - int pad_len; + int remaining; u8 *dst; /* - * After allocating len, we should have space at least for a 0 byte - * padding. + * If 'len' is too long to fit in any block alongside a PAD tlv, then we + * cannot fulfill the request. */ - if (len + EXT4_FC_TAG_BASE_LEN > bsize) + if (len > bsize - EXT4_FC_TAG_BASE_LEN) return NULL; - if (bsize - off - 1 > len + EXT4_FC_TAG_BASE_LEN) { - /* - * Only allocate from current buffer if we have enough space for - * this request AND we have space to add a zero byte padding. - */ - if (!sbi->s_fc_bh) { - ret = jbd2_fc_get_buf(EXT4_SB(sb)->s_journal, &bh); - if (ret) - return NULL; - sbi->s_fc_bh = bh; - } - sbi->s_fc_bytes += len; - return sbi->s_fc_bh->b_data + off; + if (!sbi->s_fc_bh) { + ret = jbd2_fc_get_buf(EXT4_SB(sb)->s_journal, &bh); + if (ret) + return NULL; + sbi->s_fc_bh = bh; } - /* Need to add PAD tag */ dst = sbi->s_fc_bh->b_data + off; + + /* + * Allocate the bytes in the current block if we can do so while still + * leaving enough space for a PAD tlv. + */ + remaining = bsize - EXT4_FC_TAG_BASE_LEN - off; + if (len <= remaining) { + sbi->s_fc_bytes += len; + return dst; + } + + /* + * Else, terminate the current block with a PAD tlv, then allocate a new + * block and allocate the bytes at the start of that new block. + */ + tl.fc_tag = cpu_to_le16(EXT4_FC_TAG_PAD); - pad_len = bsize - off - 1 - EXT4_FC_TAG_BASE_LEN; - tl.fc_len = cpu_to_le16(pad_len); + tl.fc_len = cpu_to_le16(remaining); ext4_fc_memcpy(sb, dst, &tl, EXT4_FC_TAG_BASE_LEN, crc); - dst += EXT4_FC_TAG_BASE_LEN; - if (pad_len > 0) { - ext4_fc_memzero(sb, dst, pad_len, crc); - dst += pad_len; - } - /* Don't leak uninitialized memory in the unused last byte. */ - *dst = 0; + ext4_fc_memzero(sb, dst + EXT4_FC_TAG_BASE_LEN, remaining, crc); ext4_fc_submit_bh(sb, false); @@ -687,7 +687,7 @@ static u8 *ext4_fc_reserve_space(struct super_block *sb, int len, u32 *crc) if (ret) return NULL; sbi->s_fc_bh = bh; - sbi->s_fc_bytes = (sbi->s_fc_bytes / bsize + 1) * bsize + len; + sbi->s_fc_bytes += bsize - off + len; return sbi->s_fc_bh->b_data; } @@ -718,7 +718,7 @@ static int ext4_fc_write_tail(struct super_block *sb, u32 crc) off = sbi->s_fc_bytes % bsize; tl.fc_tag = cpu_to_le16(EXT4_FC_TAG_TAIL); - tl.fc_len = cpu_to_le16(bsize - off - 1 + sizeof(struct ext4_fc_tail)); + tl.fc_len = cpu_to_le16(bsize - off + sizeof(struct ext4_fc_tail)); sbi->s_fc_bytes = round_up(sbi->s_fc_bytes, bsize); ext4_fc_memcpy(sb, dst, &tl, EXT4_FC_TAG_BASE_LEN, &crc); @@ -1981,7 +1981,7 @@ static int ext4_fc_replay_scan(journal_t *journal, state = &sbi->s_fc_replay_state; start = (u8 *)bh->b_data; - end = (__u8 *)bh->b_data + journal->j_blocksize - 1; + end = start + journal->j_blocksize; if (state->fc_replay_expected_off == 0) { state->fc_cur_tag = 0; @@ -2002,7 +2002,7 @@ static int ext4_fc_replay_scan(journal_t *journal, } state->fc_replay_expected_off++; - for (cur = start; cur < end - EXT4_FC_TAG_BASE_LEN; + for (cur = start; cur <= end - EXT4_FC_TAG_BASE_LEN; cur = cur + EXT4_FC_TAG_BASE_LEN + tl.fc_len) { ext4_fc_get_tl(&tl, cur); val = cur + EXT4_FC_TAG_BASE_LEN; @@ -2120,9 +2120,9 @@ static int ext4_fc_replay(journal_t *journal, struct buffer_head *bh, #endif start = (u8 *)bh->b_data; - end = (__u8 *)bh->b_data + journal->j_blocksize - 1; + end = start + journal->j_blocksize; - for (cur = start; cur < end - EXT4_FC_TAG_BASE_LEN; + for (cur = start; cur <= end - EXT4_FC_TAG_BASE_LEN; cur = cur + EXT4_FC_TAG_BASE_LEN + tl.fc_len) { ext4_fc_get_tl(&tl, cur); val = cur + EXT4_FC_TAG_BASE_LEN; -- 2.39.0