[PATCH OLK-5.10 v3 17/44] xfs: validate block number being freed before adding to xefi

8 Oct 2023

From: Dave Chinner dchinner@redhat.com
mainline inclusion
from mainline-v6.4-rc5
commit 7dfee17b13e5024c5c0ab1911859ded4182de3e5
category: bugfix
bugzilla: 188883, https://gitee.com/openeuler/kernel/issues/I76JSK
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Bad things happen in defered extent freeing operations if it is
passed a bad block number in the xefi. This can come from a bogus
agno/agbno pair from deferred agfl freeing, or just a bad fsbno
being passed to __xfs_free_extent_later(). Either way, it's very
difficult to diagnose where a null perag oops in EFI creation
is coming from when the operation that queued the xefi has already
been completed and there's no longer any trace of it around....
Signed-off-by: Dave Chinner dchinner@redhat.com
Reviewed-by: Christoph Hellwig hch@lst.de
Reviewed-by: Darrick J. Wong djwong@kernel.org
Signed-off-by: Dave Chinner david@fromorbit.com
Conflicts: fs/xfs/libxfs/xfs_ag.c
      fs/xfs/libxfs/xfs_alloc.c
      fs/xfs/libxfs/xfs_bmap.c
      fs/xfs/libxfs/xfs_bmap_btree.c
      fs/xfs/libxfs/xfs_ialloc.c
Signed-off-by: Long Li leo.lilong@huawei.com
---
 fs/xfs/libxfs/xfs_alloc.c      | 18 ++++++++++++++----
 fs/xfs/libxfs/xfs_alloc.h      |  6 +++---
 fs/xfs/libxfs/xfs_bmap.c       | 10 ++++++++--
 fs/xfs/libxfs/xfs_bmap_btree.c |  5 ++++-
 fs/xfs/libxfs/xfs_ialloc.c     | 24 ++++++++++++++++--------
 fs/xfs/libxfs/xfs_refcount.c   | 13 ++++++++++---
 fs/xfs/libxfs/xfs_types.c      | 23 +++++++++++++++++++++++
 fs/xfs/libxfs/xfs_types.h      |  2 ++
 fs/xfs/xfs_reflink.c           |  4 +++-
 9 files changed, 83 insertions(+), 22 deletions(-)

diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c
index 7ffccfc1320c..ebfaf5f48010 100644
--- a/fs/xfs/libxfs/xfs_alloc.c
+++ b/fs/xfs/libxfs/xfs_alloc.c
@@ -2458,7 +2458,7 @@ xfs_agfl_reset(
  * the real allocation can proceed. Deferring the free disconnects freeing up
  * the AGFL slot from freeing the block.
  */
-STATIC void
+static int
 xfs_defer_agfl_block(
    struct xfs_trans		*tp,
    xfs_agnumber_t			agno,
@@ -2477,16 +2477,20 @@ xfs_defer_agfl_block(
    new->xefi_blockcount = 1;
    new->xefi_owner = oinfo->oi_owner;
+	if (XFS_IS_CORRUPT(mp, !xfs_verify_fsbno(mp, new->xefi_startblock)))
+		return -EFSCORRUPTED;
+
    trace_xfs_agfl_free_defer(mp, agno, 0, agbno, 1);
xfs_defer_add(tp, XFS_DEFER_OPS_TYPE_AGFL_FREE, &new->xefi_list);
+	return 0;
 }
/*
  * Add the extent to the list of extents to be free at transaction end.
  * The list is maintained sorted (by block number).
  */
-void
+int
 __xfs_free_extent_later(
    struct xfs_trans		*tp,
    xfs_fsblock_t			bno,
@@ -2495,8 +2499,8 @@ __xfs_free_extent_later(
    bool				skip_discard)
 {
    struct xfs_extent_free_item	*new;		/* new element */
-#ifdef DEBUG
    struct xfs_mount		*mp = tp->t_mountp;
+#ifdef DEBUG
    xfs_agnumber_t			agno;
    xfs_agblock_t			agbno;
@@ -2513,6 +2517,9 @@ __xfs_free_extent_later(
 #endif
    ASSERT(xfs_extfree_item_cache != NULL);
+	if (XFS_IS_CORRUPT(mp, !xfs_verify_fsbext(mp, bno, len)))
+		return -EFSCORRUPTED;
+
    new = kmem_cache_zalloc(xfs_extfree_item_cache,
    		       GFP_KERNEL | __GFP_NOFAIL);
    new->xefi_startblock = bno;
@@ -2534,6 +2541,7 @@ __xfs_free_extent_later(
    		XFS_FSB_TO_AGNO(tp->t_mountp, bno), 0,
    		XFS_FSB_TO_AGBNO(tp->t_mountp, bno), len);
    xfs_defer_add(tp, XFS_DEFER_OPS_TYPE_FREE, &new->xefi_list);
+	return 0;
 }
/*
@@ -2648,7 +2656,9 @@ xfs_alloc_fix_freelist(
    		goto out_agbp_relse;
/* defer agfl frees */
-		xfs_defer_agfl_block(tp, args->agno, bno, &targs.oinfo);
+		error = xfs_defer_agfl_block(tp, args->agno, bno, &targs.oinfo);
+		if (error)
+			goto out_agbp_relse;
    }
targs.tp = tp;
diff --git a/fs/xfs/libxfs/xfs_alloc.h b/fs/xfs/libxfs/xfs_alloc.h
index b65e933ebabe..0fd02e889216 100644
--- a/fs/xfs/libxfs/xfs_alloc.h
+++ b/fs/xfs/libxfs/xfs_alloc.h
@@ -246,7 +246,7 @@ xfs_buf_to_agfl_bno(
    return bp->b_addr;
 }
-void __xfs_free_extent_later(struct xfs_trans *tp, xfs_fsblock_t bno,
+int __xfs_free_extent_later(struct xfs_trans *tp, xfs_fsblock_t bno,
    	xfs_filblks_t len, const struct xfs_owner_info *oinfo,
    	bool skip_discard);
@@ -266,14 +266,14 @@ struct xfs_extent_free_item {
 #define XFS_EFI_ATTR_FORK	(1U << 1) /* freeing attr fork block */
 #define XFS_EFI_BMBT_BLOCK	(1U << 2) /* freeing bmap btree block */
-static inline void
+static inline int
 xfs_free_extent_later(
    struct xfs_trans		*tp,
    xfs_fsblock_t			bno,
    xfs_filblks_t			len,
    const struct xfs_owner_info	*oinfo)
 {
-	__xfs_free_extent_later(tp, bno, len, oinfo, false);
+	return __xfs_free_extent_later(tp, bno, len, oinfo, false);
 }
diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
index 2387d6c3add6..3eb1d31df6e1 100644
--- a/fs/xfs/libxfs/xfs_bmap.c
+++ b/fs/xfs/libxfs/xfs_bmap.c
@@ -570,8 +570,12 @@ xfs_bmap_btree_to_extents(
    cblock = XFS_BUF_TO_BLOCK(cbp);
    if ((error = xfs_btree_check_block(cur, cblock, 0, cbp)))
    	return error;
+
    xfs_rmap_ino_bmbt_owner(&oinfo, ip->i_ino, whichfork);
-	xfs_free_extent_later(cur->bc_tp, cbno, 1, &oinfo);
+	error = xfs_free_extent_later(cur->bc_tp, cbno, 1, &oinfo);
+	if (error)
+		return error;
+
    ip->i_d.di_nblocks--;
    xfs_trans_mod_dquot_byino(tp, ip, XFS_TRANS_DQ_BCOUNT, -1L);
    xfs_trans_binval(tp, cbp);
@@ -5188,10 +5192,12 @@ xfs_bmap_del_extent_real(
    	if (xfs_is_reflink_inode(ip) && whichfork == XFS_DATA_FORK) {
    		xfs_refcount_decrease_extent(tp, del);
    	} else {
-			__xfs_free_extent_later(tp, del->br_startblock,
+			error = __xfs_free_extent_later(tp, del->br_startblock,
    				del->br_blockcount, NULL,
    				(bflags & XFS_BMAPI_NODISCARD) ||
    				del->br_state == XFS_EXT_UNWRITTEN);
+			if (error)
+				goto done;
    	}
    }
diff --git a/fs/xfs/libxfs/xfs_bmap_btree.c b/fs/xfs/libxfs/xfs_bmap_btree.c
index 945a9c2f751a..021afb43c56b 100644
--- a/fs/xfs/libxfs/xfs_bmap_btree.c
+++ b/fs/xfs/libxfs/xfs_bmap_btree.c
@@ -284,9 +284,12 @@ xfs_bmbt_free_block(
    struct xfs_trans	*tp = cur->bc_tp;
    xfs_fsblock_t		fsbno = XFS_DADDR_TO_FSB(mp, xfs_buf_daddr(bp));
    struct xfs_owner_info	oinfo;
+	int			error;
xfs_rmap_ino_bmbt_owner(&oinfo, ip->i_ino, cur->bc_ino.whichfork);
-	xfs_free_extent_later(cur->bc_tp, fsbno, 1, &oinfo);
+	error = xfs_free_extent_later(cur->bc_tp, fsbno, 1, &oinfo);
+	if (error)
+		return error;
    ip->i_d.di_nblocks--;
xfs_trans_log_inode(tp, ip, XFS_ILOG_CORE);
diff --git a/fs/xfs/libxfs/xfs_ialloc.c b/fs/xfs/libxfs/xfs_ialloc.c
index 7b3a86fe5db5..d26f966b0901 100644
--- a/fs/xfs/libxfs/xfs_ialloc.c
+++ b/fs/xfs/libxfs/xfs_ialloc.c
@@ -1851,7 +1851,7 @@ xfs_dialloc(
  * might be sparse and only free the regions that are allocated as part of the
  * chunk.
  */
-STATIC void
+static int
 xfs_difree_inode_chunk(
    struct xfs_trans		*tp,
    xfs_agnumber_t			agno,
@@ -1868,10 +1868,10 @@ xfs_difree_inode_chunk(
if (!xfs_inobt_issparse(rec->ir_holemask)) {
    	/* not sparse, calculate extent info directly */
-		xfs_free_extent_later(tp, XFS_AGB_TO_FSB(mp, agno, sagbno),
-				  M_IGEO(mp)->ialloc_blks,
-				  &XFS_RMAP_OINFO_INODES);
-		return;
+		return xfs_free_extent_later(tp,
+				XFS_AGB_TO_FSB(mp, agno, sagbno),
+				M_IGEO(mp)->ialloc_blks,
+				&XFS_RMAP_OINFO_INODES);
    }
/* holemask is only 16-bits (fits in an unsigned long) */
@@ -1888,6 +1888,8 @@ xfs_difree_inode_chunk(
    					XFS_INOBT_HOLEMASK_BITS);
    nextbit = startidx + 1;
    while (startidx < XFS_INOBT_HOLEMASK_BITS) {
+		int error;
+
    	nextbit = find_next_zero_bit(holemask, XFS_INOBT_HOLEMASK_BITS,
    				     nextbit);
    	/*
@@ -1913,8 +1915,11 @@ xfs_difree_inode_chunk(
ASSERT(agbno % mp->m_sb.sb_spino_align == 0);
    	ASSERT(contigblk % mp->m_sb.sb_spino_align == 0);
-		xfs_free_extent_later(tp, XFS_AGB_TO_FSB(mp, agno, agbno),
-				  contigblk, &XFS_RMAP_OINFO_INODES);
+		error = xfs_free_extent_later(tp,
+				XFS_AGB_TO_FSB(mp, agno, agbno),
+				contigblk, &XFS_RMAP_OINFO_INODES);
+		if (error)
+			return error;
/* reset range to current bit and carry on... */
    	startidx = endidx = nextbit;
@@ -1922,6 +1927,7 @@ xfs_difree_inode_chunk(
 next:
    	nextbit++;
    }
+	return 0;
 }
STATIC int
@@ -2021,7 +2027,9 @@ xfs_difree_inobt(
    		goto error0;
    	}
-		xfs_difree_inode_chunk(tp, agno, &rec);
+		error = xfs_difree_inode_chunk(tp, agno, &rec);
+		if (error)
+			goto error0;
    } else {
    	xic->deleted = false;
diff --git a/fs/xfs/libxfs/xfs_refcount.c b/fs/xfs/libxfs/xfs_refcount.c
index 5b39759af829..0e1a9f047b12 100644
--- a/fs/xfs/libxfs/xfs_refcount.c
+++ b/fs/xfs/libxfs/xfs_refcount.c
@@ -974,8 +974,10 @@ xfs_refcount_adjust_extents(
    			fsbno = XFS_AGB_TO_FSB(cur->bc_mp,
    					cur->bc_ag.agno,
    					tmp.rc_startblock);
-				xfs_free_extent_later(cur->bc_tp, fsbno,
+				error = xfs_free_extent_later(cur->bc_tp, fsbno,
    					  tmp.rc_blockcount, NULL);
+				if (error)
+					goto out_error;
    		}
(*agbno) += tmp.rc_blockcount;
@@ -1019,8 +1021,10 @@ xfs_refcount_adjust_extents(
    		fsbno = XFS_AGB_TO_FSB(cur->bc_mp,
    				cur->bc_ag.agno,
    				ext.rc_startblock);
-			xfs_free_extent_later(cur->bc_tp, fsbno,
+			error = xfs_free_extent_later(cur->bc_tp, fsbno,
    				ext.rc_blockcount, NULL);
+			if (error)
+				goto out_error;
    	}
skip:
@@ -1746,7 +1750,10 @@ xfs_refcount_recover_cow_leftovers(
    			rr->rr_rrec.rc_blockcount);
/* Free the block. */
-		xfs_free_extent_later(tp, fsb, rr->rr_rrec.rc_blockcount, NULL);
+		error = xfs_free_extent_later(tp, fsb,
+				rr->rr_rrec.rc_blockcount, NULL);
+		if (error)
+			goto out_trans;
error = xfs_trans_commit(tp);
    	if (error)
diff --git a/fs/xfs/libxfs/xfs_types.c b/fs/xfs/libxfs/xfs_types.c
index 86cb4b764897..19eabad06f92 100644
--- a/fs/xfs/libxfs/xfs_types.c
+++ b/fs/xfs/libxfs/xfs_types.c
@@ -61,6 +61,29 @@ xfs_verify_fsbno(
    return xfs_verify_agbno(mp, agno, XFS_FSB_TO_AGBNO(mp, fsbno));
 }
+/*
+ * Verify that a data device extent is fully contained inside the filesystem,
+ * does not cross an AG boundary, and does not point at static metadata.
+ */
+bool
+xfs_verify_fsbext(
+	struct xfs_mount	*mp,
+	xfs_fsblock_t		fsbno,
+	xfs_fsblock_t		len)
+{
+	if (fsbno + len <= fsbno)
+		return false;
+
+	if (!xfs_verify_fsbno(mp, fsbno))
+		return false;
+
+	if (!xfs_verify_fsbno(mp, fsbno + len - 1))
+		return false;
+
+	return  XFS_FSB_TO_AGNO(mp, fsbno) ==
+		XFS_FSB_TO_AGNO(mp, fsbno + len - 1);
+}
+
 /* Calculate the first and last possible inode number in an AG. */
 void
 xfs_agino_range(
diff --git a/fs/xfs/libxfs/xfs_types.h b/fs/xfs/libxfs/xfs_types.h
index 1ce06173c2f5..f76fa8498749 100644
--- a/fs/xfs/libxfs/xfs_types.h
+++ b/fs/xfs/libxfs/xfs_types.h
@@ -186,6 +186,8 @@ bool xfs_verify_agbno(struct xfs_mount *mp, xfs_agnumber_t agno,
    	xfs_agblock_t agbno);
 bool xfs_verify_fsbno(struct xfs_mount *mp, xfs_fsblock_t fsbno);
+bool xfs_verify_fsbext(struct xfs_mount *mp, xfs_fsblock_t fsbno,
+		xfs_fsblock_t len);
 void xfs_agino_range(struct xfs_mount *mp, xfs_agnumber_t agno,
    	xfs_agino_t *first, xfs_agino_t *last);
 bool xfs_verify_agino(struct xfs_mount *mp, xfs_agnumber_t agno,
diff --git a/fs/xfs/xfs_reflink.c b/fs/xfs/xfs_reflink.c
index e9aaf730f784..e20aa87fed21 100644
--- a/fs/xfs/xfs_reflink.c
+++ b/fs/xfs/xfs_reflink.c
@@ -484,8 +484,10 @@ xfs_reflink_cancel_cow_blocks(
    		xfs_refcount_free_cow_extent(*tpp, del.br_startblock,
    				del.br_blockcount);
-			xfs_free_extent_later(*tpp, del.br_startblock,
+			error = xfs_free_extent_later(*tpp, del.br_startblock,
    				  del.br_blockcount, NULL);
+			if (error)
+				break;
/* Roll the transaction */
    		error = xfs_defer_finish(tpp);
-- 
2.31.1


    

2024

2023

2022

2021

2020

2019

[PATCH OLK-5.10 v3 17/44] xfs: validate block number being freed before adding to xefi