From patchwork Mon Mar 27 07:31:55 2017
X-Patchwork-Submitter: Nikolay Borisov
X-Patchwork-Id: 9645443
To: stable@vger.kernel.org, linux-xfs@vger.kernel.org, bfoster@redhat.com, darrick.wong@oracle.com
From: Nikolay Borisov
Subject: Request for inclusion of 4dfce57db635 ("xfs: fix up xfs_swap_extent_forks inline extent handling") in stable
Message-ID: <473e7987-03d9-4118-d7e1-11465928f021@gmail.com>
Date: Mon, 27 Mar 2017 10:31:55 +0300
List-ID: linux-xfs@vger.kernel.org

Hello,

The commit in the subject was tagged as stable but I guess it got missed being included into stable. Without these, stable kernels crash on xfs/118. I've attached backports for both 3.12 and 4.4 and also ran a regtest with xfstests with no regressions showing up.

Regards,
Nikolay
From: Eric Sandeen
Date: Tue, 8 Nov 2016 12:55:18 +1100
Subject: xfs: fix up xfs_swap_extent_forks inline extent handling

There have been several reports over the years of NULL pointer dereferences in xfs_trans_log_inode during xfs_fsr processes, when the process is doing an fput and tearing down extents on the temporary inode, something like:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
PID: 29439  TASK: ffff880550584fa0  CPU: 6  COMMAND: "xfs_fsr"
[exception RIP: xfs_trans_log_inode+0x10]
 #9 [ffff8800a57bbbe0] xfs_bunmapi at ffffffffa037398e [xfs]
#10 [ffff8800a57bbce8] xfs_itruncate_extents at ffffffffa0391b29 [xfs]
#11 [ffff8800a57bbd88] xfs_inactive_truncate at ffffffffa0391d0c [xfs]
#12 [ffff8800a57bbdb8] xfs_inactive at ffffffffa0392508 [xfs]
#13 [ffff8800a57bbdd8] xfs_fs_evict_inode at ffffffffa035907e [xfs]
#14 [ffff8800a57bbe00] evict at ffffffff811e1b67
#15 [ffff8800a57bbe28] iput at ffffffff811e23a5
#16 [ffff8800a57bbe58] dentry_kill at ffffffff811dcfc8
#17 [ffff8800a57bbe88] dput at ffffffff811dd06c
#18 [ffff8800a57bbea8] __fput at ffffffff811c823b
#19 [ffff8800a57bbef0] ____fput at ffffffff811c846e
#20 [ffff8800a57bbf00] task_work_run at ffffffff81093b27
#21 [ffff8800a57bbf30] do_notify_resume at ffffffff81013b0c
#22 [ffff8800a57bbf50] int_signal at ffffffff8161405d

As it turns out, this is because the i_itemp pointer, along with the d_ops pointer, has been overwritten with zeros when we tear down the extents during truncate. When the in-core inode fork on the temporary inode used by xfs_fsr was originally set up during the extent swap, we mistakenly looked at di_nextents to determine whether all extents fit inline, but this misses extents generated by speculative preallocation; we should be using if_bytes instead.
This mistake corrupts the in-memory inode, and code in xfs_iext_remove_inline eventually gets bad inputs, causing it to memmove and memset incorrect ranges; this became apparent because the two values in ifp->if_u2.if_inline_ext[1] contained what should have been in d_ops and i_itemp; they were memmoved due to incorrect array indexing and then the original locations were zeroed with memset, again due to an array overrun.

Fix this by properly using i_df.if_bytes to determine the number of extents, not di_nextents.

Thanks to dchinner for looking at this with me and spotting the root cause.

[nborisov: Backported to 3.12]

Cc: stable@vger.kernel.org
Signed-off-by: Eric Sandeen
Reviewed-by: Brian Foster
Signed-off-by: Dave Chinner
Signed-off-by: Nikolay Borisov
---
 fs/xfs/xfs_bmap_util.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c index d756da515b15..8336701a281c 100644 --- a/fs/xfs/xfs_bmap_util.c +++ b/fs/xfs/xfs_bmap_util.c @@ -1788,6 +1788,7 @@ xfs_swap_extents( xfs_trans_t *tp; xfs_bstat_t *sbp = &sxp->sx_stat; xfs_ifork_t *tempifp, *ifp, *tifp; + xfs_extnum_t nextents; int src_log_flags, target_log_flags; int error = 0; int aforkblks = 0; @@ -1974,7 +1975,8 @@ xfs_swap_extents( * pointer. Otherwise it's already NULL or * pointing to the extent. */ - if (ip->i_d.di_nextents <= XFS_INLINE_EXTS) { + nextents = ip->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t); + if (nextents <= XFS_INLINE_EXTS) { ifp->if_u1.if_extents = ifp->if_u2.if_inline_ext; } @@ -1993,7 +1995,8 @@ xfs_swap_extents( * pointer. Otherwise it's already NULL or * pointing to the extent. */ - if (tip->i_d.di_nextents <= XFS_INLINE_EXTS) { + nextents = tip->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t); + if (nextents <= XFS_INLINE_EXTS) { tifp->if_u1.if_extents = tifp->if_u2.if_inline_ext; }
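Review bot: the new `nextents = ip->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t);` line in the @@ -1974 hunk deserves a one-line comment saying why the in-core if_bytes is used rather than di_nextents. The commit message explains that di_nextents misses speculatively preallocated extents, but the block comment directly above ("pointer. Otherwise it's already NULL or pointing to the extent.") says nothing about it, so a later cleanup could plausibly switch back to the on-disk count and reintroduce the overrun.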
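Review bot: the @@ -1993 hunk repeats the exact expression from the previous hunk for tip, and the two must stay in sync because both feed the same inline-array decision. Consider a small static helper (hypothetical, something returning `ifp->if_bytes / (uint)sizeof(xfs_bmbt_rec_t)`) and calling it for both ip->i_df and tip->i_df, so a future change to the count derivation cannot fix one inode and miss the other.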
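Added illustration, not kernel code: a constructed C model of the inline-extent decision the commit message describes. It shows that taking the decision from di_nextents lets in-core records spill past if_inline_ext onto the neighbouring d_ops field, while taking it from if_bytes does not. The field names mirror the kernel's, but the struct layout, record size and XFS_INLINE_EXTS value are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the fields named in the commit message; the names mirror
 * the kernel's, but this is an illustration, not kernel code. */
#define XFS_INLINE_EXTS 2
typedef struct { uint64_t l0, l1; } xfs_bmbt_rec_t;   /* one 16-byte extent record */
struct model_fork {
    int             if_bytes;                       /* bytes in the in-core extent list */
    xfs_bmbt_rec_t *if_extents;                     /* inline array or separate buffer */
    xfs_bmbt_rec_t  if_inline_ext[XFS_INLINE_EXTS]; /* small inline array */
    void           *d_ops;                          /* the two fields the crash report */
    void           *i_itemp;                        /* found zeroed after the overrun */
};
struct model_inode {
    int               di_nextents;  /* on-disk count; excludes speculative preallocation */
    struct model_fork i_df;
};

/* In-core extent count: the quantity the fix switches to. */
static int incore_extents(const struct model_inode *ip)
{
    return ip->i_df.if_bytes / (int)sizeof(xfs_bmbt_rec_t);
}
/* Take the "fits inline" decision the buggy way (di_nextents) or the fixed way
 * (if_bytes); return how many in-core records would then sit past the end of
 * if_inline_ext, 0 meaning the decision is safe. */
static int inline_overrun_records(const struct model_inode *ip, int use_if_bytes)
{
    int nextents = use_if_bytes ? incore_extents(ip) : ip->di_nextents;
    int spill = incore_extents(ip) - XFS_INLINE_EXTS;
    return (nextents > XFS_INLINE_EXTS || spill <= 0) ? 0 : spill;
}

/* Scenario from the commit message: two extents on disk plus one speculatively
 * preallocated extent that exists only in core (constructed values). */
static int scenario_overrun(int use_if_bytes)
{
    struct model_inode ip = { .di_nextents = 2 };
    ip.i_df.if_bytes = 3 * (int)sizeof(xfs_bmbt_rec_t);
    return inline_overrun_records(&ip, use_if_bytes);
}

/* The first spilled record lands exactly on d_ops, as in the crash report. */
static int d_ops_is_first_victim(void)
{
    size_t end = offsetof(struct model_fork, if_inline_ext)
               + XFS_INLINE_EXTS * sizeof(xfs_bmbt_rec_t);
    return end == offsetof(struct model_fork, d_ops);
}
```

With the buggy check the scenario reports one record past the inline array; with the fixed check it reports none, because the in-core count sends the extent list out of line.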