* Request for inclusion on linux-4.14.y and linux-5.4.y
@ 2020-06-25 22:47 yishache
2020-06-25 22:47 ` [PATCH] xfs: add agf freeblocks verify in xfs_agf_verify yishache
0 siblings, 1 reply; 4+ messages in thread
From: yishache @ 2020-06-25 22:47 UTC (permalink / raw
To: gregkh; +Cc: stable
Hello Greg,
Can you please consider including the following patch in the stable linux-4.14.y branch?
This is to fix CVE-2020-12655
d0c7feaf87678371c2c09b3709400be416b2dc62(xfs: add agf freeblocks verify in xfs_agf_verify)
Thanks,
Yishan Chen
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH] xfs: add agf freeblocks verify in xfs_agf_verify
2020-06-25 22:47 Request for inclusion on linux-4.14.y and linux-5.4.y yishache
@ 2020-06-25 22:47 ` yishache
0 siblings, 0 replies; 4+ messages in thread
From: yishache @ 2020-06-25 22:47 UTC (permalink / raw
To: gregkh; +Cc: stable, Zheng Bin, Ren Xudong, Darrick J . Wong
From: Zheng Bin <zhengbin13@huawei.com>
We recently used fuzz(hydra) to test XFS and automatically generate
tmp.img(XFS v5 format, but some metadata is wrong)
xfs_repair information(just one AG):
agf_freeblks 0, counted 3224 in ag 0
agf_longest 536874136, counted 3224 in ag 0
sb_fdblocks 613, counted 3228
Test as follows:
mount tmp.img tmpdir
cp file1M tmpdir
sync
In 4.19-stable, sync will stuck, the reason is:
xfs_mountfs
xfs_check_summary_counts
if ((!xfs_sb_version_haslazysbcount(&mp->m_sb) ||
XFS_LAST_UNMOUNT_WAS_CLEAN(mp)) &&
!xfs_fs_has_sickness(mp, XFS_SICK_FS_COUNTERS))
return 0; -->just return, incore sb_fdblocks still be 613
xfs_initialize_perag_data
cp file1M tmpdir -->ok(write file to pagecache)
sync -->stuck(write pagecache to disk)
xfs_map_blocks
xfs_iomap_write_allocate
while (count_fsb != 0) {
nimaps = 0;
while (nimaps == 0) { --> endless loop
nimaps = 1;
xfs_bmapi_write(..., &nimaps) --> nimaps becomes 0 again
xfs_bmapi_write
xfs_bmap_alloc
xfs_bmap_btalloc
xfs_alloc_vextent
xfs_alloc_fix_freelist
xfs_alloc_space_available -->fail(agf_freeblks is 0)
In linux-next, sync not stuck, cause commit c2b3164320b5 ("xfs:
use the latest extent at writeback delalloc conversion time") remove
the above while, dmesg is as follows:
[ 55.250114] XFS (loop0): page discard on page ffffea0008bc7380, inode 0x1b0c, offset 0.
Users do not know why this page is discard, the better soultion is:
1. Like xfs_repair, make sure sb_fdblocks is equal to counted
(xfs_initialize_perag_data did this, who is not called at this mount)
2. Add agf verify, if fail, will tell users to repair
This patch use the second soultion.
Signed-off-by: Zheng Bin <zhengbin13@huawei.com>
Signed-off-by: Ren Xudong <renxudong1@huawei.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
(cherry picked from commit d0c7feaf87678371c2c09b3709400be416b2dc62)
---
fs/xfs/libxfs/xfs_alloc.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c
index 516e0c57cf9c..43c87cb5a747 100644
--- a/fs/xfs/libxfs/xfs_alloc.c
+++ b/fs/xfs/libxfs/xfs_alloc.c
@@ -2529,6 +2529,13 @@ xfs_agf_verify(
be32_to_cpu(agf->agf_flcount) <= xfs_agfl_size(mp)))
return false;
+ if (be32_to_cpu(agf->agf_length) > mp->m_sb.sb_dblocks)
+ return __this_address;
+
+ if (be32_to_cpu(agf->agf_freeblks) < be32_to_cpu(agf->agf_longest) ||
+ be32_to_cpu(agf->agf_freeblks) > be32_to_cpu(agf->agf_length))
+ return __this_address;
+
if (be32_to_cpu(agf->agf_levels[XFS_BTNUM_BNO]) < 1 ||
be32_to_cpu(agf->agf_levels[XFS_BTNUM_CNT]) < 1 ||
be32_to_cpu(agf->agf_levels[XFS_BTNUM_BNO]) > XFS_BTREE_MAXLEVELS ||
@@ -2540,6 +2547,10 @@ xfs_agf_verify(
be32_to_cpu(agf->agf_levels[XFS_BTNUM_RMAP]) > XFS_BTREE_MAXLEVELS))
return false;
+ if (xfs_sb_version_hasrmapbt(&mp->m_sb) &&
+ be32_to_cpu(agf->agf_rmap_blocks) > be32_to_cpu(agf->agf_length))
+ return __this_address;
+
/*
* during growfs operations, the perag is not fully initialised,
* so we can't use it for any useful checking. growfs ensures we can't
@@ -2553,6 +2564,11 @@ xfs_agf_verify(
be32_to_cpu(agf->agf_btreeblks) > be32_to_cpu(agf->agf_length))
return false;
+ if (xfs_sb_version_hasreflink(&mp->m_sb) &&
+ be32_to_cpu(agf->agf_refcount_blocks) >
+ be32_to_cpu(agf->agf_length))
+ return __this_address;
+
if (xfs_sb_version_hasreflink(&mp->m_sb) &&
(be32_to_cpu(agf->agf_refcount_level) < 1 ||
be32_to_cpu(agf->agf_refcount_level) > XFS_BTREE_MAXLEVELS))
--
2.16.6
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Request for inclusion on linux-4.14.y and linux-5.4.y
@ 2020-06-25 22:59 yishache
2020-06-29 14:15 ` Sasha Levin
0 siblings, 1 reply; 4+ messages in thread
From: yishache @ 2020-06-25 22:59 UTC (permalink / raw
To: gregkh; +Cc: stable
Hello Greg,
Can you please consider including the following patch in the stable linux-4.14.y and stable linux-5.4.y branch?
This is to fix CVE-2020-12655
d0c7feaf87678371c2c09b3709400be416b2dc62(xfs: add agf freeblocks verify in xfs_agf_verify)
Thanks,
Yishan Chen
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Request for inclusion on linux-4.14.y and linux-5.4.y
2020-06-25 22:59 Request for inclusion on linux-4.14.y and linux-5.4.y yishache
@ 2020-06-29 14:15 ` Sasha Levin
0 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2020-06-29 14:15 UTC (permalink / raw
To: yishache; +Cc: gregkh, stable
On Thu, Jun 25, 2020 at 10:59:34PM +0000, yishache@amazon.com wrote:
>Hello Greg,
>
>Can you please consider including the following patch in the stable linux-4.14.y and stable linux-5.4.y branch?
>
>This is to fix CVE-2020-12655
>
>d0c7feaf87678371c2c09b3709400be416b2dc62(xfs: add agf freeblocks verify in xfs_agf_verify)
I've queued it for 5.4-4.9, thanks!
--
Thanks,
Sasha
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-06-29 21:31 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-06-25 22:47 Request for inclusion on linux-4.14.y and linux-5.4.y yishache
2020-06-25 22:47 ` [PATCH] xfs: add agf freeblocks verify in xfs_agf_verify yishache
-- strict thread matches above, loose matches on Subject: below --
2020-06-25 22:59 Request for inclusion on linux-4.14.y and linux-5.4.y yishache
2020-06-29 14:15 ` Sasha Levin
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.