Received: by 2002:ab2:6991:0:b0:1f7:f6c3:9cb1 with SMTP id v17csp1236406lqo; Thu, 9 May 2024 08:16:56 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVfn4FCnrO3bFvjKMS/rnX3mHwa9hAnEW88W7bCPN2p5YyxTsw52ltnuFL8NU65v8wXN4QyVS8+tQqlw0U1kubyaKggGvszgXbtz6ZxPA== X-Google-Smtp-Source: AGHT+IEF4Wta1ky5MG5xiJtLKhmbULYDUw4F9ZQAW1JgQ9UDKZtS754blxrV2WLQlhfQRErxsK+q X-Received: by 2002:a05:6a20:d42a:b0:1af:dd99:e03f with SMTP id adf61e73a8af0-1afde19794cmr536637.43.1715267815679; Thu, 09 May 2024 08:16:55 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715267815; cv=pass; d=google.com; s=arc-20160816; b=BQ/uzM8cP7cC+ozYWv8pCMm7Cqd6Sguc6QvUN4yFa3K9gHJqHezKwgcfdcsT7F3JXz gTxOc1RV5aCF2OVHefoc5cOiB2NP+ttB1oGsQgk6PYXnSMP/H5vYDvzEcLxtYhe5Dgfz YDg0+TKnJxVxaTcmqrL2oIH3A+4CvDTPlbsfP1aQnYBoXXuTRn+G0XSO4RcaEZZMZTY5 FpEUUT3f3tGfobM7K9e+oMceOvM22XGp3RheDB2WHbF30107x7oIp6urDnMxJbfhRzgm 3H9JNH85bf0IFJ4WFTtNjrfIcbcp/G/5G9QyZaeEUcPuZ3WVNu19WM6+/7WX/VgoCLDP mfSA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:list-unsubscribe:list-subscribe:list-id:precedence :message-id:date:references:in-reply-to:subject:cc:to:from :dkim-signature; bh=WuV7M9mHf7zLGoXyvtH3Is1VnuTrzUZ1N2ISvLJru+k=; fh=mBs9kb7XCtu331ta8V6pwCfkF4+R7ekSRPCHEDwp8XM=; b=A3PuTKab8wkupdMWTEmRy6ziiKl62Mr6U3CO2Ond28qhmy8ihkUeWHWc/h6+FiEgmX QNNn9nAE0XA9OyHbIJ/39rUb55QHMhpTHv9Bx16dfQaFD9VKPJiKcLZqsfiI18XzMJTj OxNp453RRcHShVPrj0AWR4zraMtrytdu2PDLoicCBKawZ1t1L1KyAbiNhaH9UDQYn6oj 3/IJooaTEPaGocCpvLIm+CkyIQyTCOd3x9blTotU0jgmbHSUi6Wfuy9asM7yjqHHcaUe +HFYKmxhD8+E8QBIAV8EhY6CMV7+sOxmK8T+sVXzMGeCkvj5lDIs0b/Bjlb3LPkeSV8R TSBg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=tKoN2z+0; arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev); spf=pass (google.com: domain of linux-ext4+bounces-2425-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-ext4+bounces-2425-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id d2e1a72fcca58-6f4d2a7257fsi1712910b3a.3.2024.05.09.08.16.54 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 May 2024 08:16:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-ext4+bounces-2425-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=tKoN2z+0; arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev); spf=pass (google.com: domain of linux-ext4+bounces-2425-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-ext4+bounces-2425-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 0043D282110 for ; Thu, 9 May 2024 15:16:54 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 53B6915ECC1; Thu, 9 May 2024 15:16:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="tKoN2z+0" X-Original-To: linux-ext4@vger.kernel.org Received: from out-183.mta1.migadu.com (out-183.mta1.migadu.com [95.215.58.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7161A131750 for ; Thu, 9 May 2024 15:16:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.183 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715267804; cv=none; b=jCftDY943xyfNj/aDbWTvdQA8zIYSftLm2rmIHw1xiUmgn7xG2SIIWZHlK7savVHAge3PlRd7Z/+iSEUJHmif/7YlK6QWtgZXy5xqQj49y8gPLF3Jwhm7q7iNCGQ8ga3HdXAeMrcyLwPMG7aX2A5PWsJibDG2ejf5UQdKLOCBUo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715267804; c=relaxed/simple; bh=rENpYzuzYep+kKpc+ClGh2Jqy7GxYlD0JOeoKeVYATU=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=WIOfhgSEPIjsQiivtkWJ9Xu31FGH8x8/4R0KJDQctdsnJ7EpmGtXIBqCaZBg6YO16wkB7L1PY5jnjx/5nvfzg47Z0Omvxc8uvUBN5YiV5rKTTRGt1EoEC+hqwI+XJED9JBwaxhYgVR89qJrvXfLVj1LZryb6RzxqOM9vzkTaZuM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=tKoN2z+0; arc=none smtp.client-ip=95.215.58.183 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1715267799; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=WuV7M9mHf7zLGoXyvtH3Is1VnuTrzUZ1N2ISvLJru+k=; b=tKoN2z+02HEGPxaMBMX19ZneYgaEWjlQx1yjDRa+5EtNM+Tk4h+QyONWXsiZlzBqwIkM0v y02jbP0F9WK/J4dQxTDaCsJa9HxkYxUlN07D+ppV/DoxZeEABmqSngg/D+YBoNgF7iuP38 uWCX/WykcZyS911GVQsXeGumCrHpsR8= From: Luis Henriques To: Zhang Yi Cc: linux-ext4@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, tytso@mit.edu, adilger.kernel@dilger.ca, jack@suse.cz, ritesh.list@gmail.com, hch@infradead.org, djwong@kernel.org, willy@infradead.org, zokeefe@google.com, yi.zhang@huawei.com, chengzhihao1@huawei.com, yukuai3@huawei.com, wangkefeng.wang@huawei.com Subject: Re: [PATCH v3 03/26] ext4: correct the hole length returned by ext4_map_blocks() In-Reply-To: <20240127015825.1608160-4-yi.zhang@huaweicloud.com> (Zhang Yi's message of "Sat, 27 Jan 2024 09:58:02 +0800") References: <20240127015825.1608160-1-yi.zhang@huaweicloud.com> <20240127015825.1608160-4-yi.zhang@huaweicloud.com> Date: Thu, 09 May 2024 16:16:34 +0100 Message-ID: <87zfszuib1.fsf@brahms.olymp> Precedence: bulk X-Mailing-List: linux-ext4@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain X-Migadu-Flow: FLOW_OUT On Sat 27 Jan 2024 09:58:02 AM +08, Zhang Yi wrote; <...> > +static ext4_lblk_t ext4_ext_determine_insert_hole(struct inode *inode, > + struct ext4_ext_path *path, > + ext4_lblk_t lblk) > +{ > + ext4_lblk_t hole_start, len; > + struct extent_status es; > + > + hole_start = lblk; > + len = ext4_ext_find_hole(inode, path, &hole_start); > +again: > + ext4_es_find_extent_range(inode, &ext4_es_is_delayed, hole_start, > + hole_start + len - 1, &es); > + if (!es.es_len) > + goto insert_hole; > + > + /* > + * There's a delalloc extent in the hole, handle it if the delalloc > + * extent is in front of, behind and straddle the queried range. > + */ > + if (lblk >= es.es_lblk + es.es_len) { > + /* > + * The delalloc extent is in front of the queried range, > + * find again from the queried start block. > + */ > + len -= lblk - hole_start; > + hole_start = lblk; > + goto again; It's looks like it's easy to trigger an infinite loop here using fstest generic/039. If I understand it correctly (which doesn't happen as often as I'd like), this is due to an integer overflow in the 'if' condition, and should be fixed with the patch below. From 3117af2f8dacad37a2722850421f31075ae9e88d Mon Sep 17 00:00:00 2001 From: "Luis Henriques (SUSE)" Date: Thu, 9 May 2024 15:53:01 +0100 Subject: [PATCH] ext4: fix infinite loop caused by integer overflow An integer overflow will happen if the extent_status len is set to EXT_MAX_BLOCKS (0xffffffff). This may cause an infinite loop in function ext4_ext_determine_insert_hole(), easily reproducible using fstest generic/039. Fixes: 6430dea07e85 ("ext4: correct the hole length returned by ext4_map_blocks()") Signed-off-by: Luis Henriques (SUSE) --- fs/ext4/extents.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index e57054bdc5fd..193121b394f9 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -4064,7 +4064,7 @@ static ext4_lblk_t ext4_ext_determine_insert_hole(struct inode *inode, * There's a delalloc extent in the hole, handle it if the delalloc * extent is in front of, behind and straddle the queried range. */ - if (lblk >= es.es_lblk + es.es_len) { + if (lblk >= ((__u64) es.es_lblk) + es.es_len) { /* * The delalloc extent is in front of the queried range, * find again from the queried start block.