linux-stable/fs
Darrick J. Wong 0a72d7764e xfs: don't crash on null attr fork xfs_bmapi_read
[ Upstream commit 8612de3f7b ]

Zorro Lang reported a crash in generic/475 if we try to inactivate a
corrupt inode with a NULL attr fork (stack trace shortened somewhat):

RIP: 0010:xfs_bmapi_read+0x311/0xb00 [xfs]
RSP: 0018:ffff888047f9ed68 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888047f9f038 RCX: 1ffffffff5f99f51
RDX: 0000000000000002 RSI: 0000000000000008 RDI: 0000000000000012
RBP: ffff888002a41f00 R08: ffffed10005483f0 R09: ffffed10005483ef
R10: ffffed10005483ef R11: ffff888002a41f7f R12: 0000000000000004
R13: ffffe8fff53b5768 R14: 0000000000000005 R15: 0000000000000001
FS:  00007f11d44b5b80(0000) GS:ffff888114200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000ef6000 CR3: 000000002e176003 CR4: 00000000001606e0
Call Trace:
 xfs_dabuf_map.constprop.18+0x696/0xe50 [xfs]
 xfs_da_read_buf+0xf5/0x2c0 [xfs]
 xfs_da3_node_read+0x1d/0x230 [xfs]
 xfs_attr_inactive+0x3cc/0x5e0 [xfs]
 xfs_inactive+0x4c8/0x5b0 [xfs]
 xfs_fs_destroy_inode+0x31b/0x8e0 [xfs]
 destroy_inode+0xbc/0x190
 xfs_bulkstat_one_int+0xa8c/0x1200 [xfs]
 xfs_bulkstat_one+0x16/0x20 [xfs]
 xfs_bulkstat+0x6fa/0xf20 [xfs]
 xfs_ioc_bulkstat+0x182/0x2b0 [xfs]
 xfs_file_ioctl+0xee0/0x12a0 [xfs]
 do_vfs_ioctl+0x193/0x1000
 ksys_ioctl+0x60/0x90
 __x64_sys_ioctl+0x6f/0xb0
 do_syscall_64+0x9f/0x4d0
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f11d39a3e5b

The "obvious" cause is that the attr ifork is null despite the inode
claiming an attr fork having at least one extent, but it's not so
obvious why we ended up with an inode in that state.

Reported-by: Zorro Lang <zlang@redhat.com>
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204031
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Bill O'Donnell <billodo@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-10-05 12:30:11 +02:00
9p 9p: pass the correct prototype to read_cache_page 2019-08-04 09:33:42 +02:00
adfs fs/adfs: super: fix use-after-free bug 2019-08-06 18:29:35 +02:00
affs affs_lookup(): close a race with affs_remove_link() 2018-05-30 07:50:16 +02:00
afs afs: Fix abort on signal while waiting for call completion 2017-12-20 10:07:25 +01:00
autofs4 autofs: fix error return in autofs_fill_super() 2019-03-13 14:04:58 -07:00
befs
bfs bfs: add sanity check at bfs_fill_super() 2018-12-01 09:44:19 +01:00
btrfs Btrfs: fix assertion failure during fsync and use of stale transaction 2019-09-21 07:14:04 +02:00
cachefiles fscache, cachefiles: remove redundant variable 'cache' 2018-12-17 09:38:34 +01:00
ceph ceph: fix buffer free while holding i_ceph_lock in fill_inode() 2019-09-10 10:31:02 +01:00
cifs cifs: Use kzfree() to zero out the password 2019-09-21 07:14:17 +02:00
coda coda: add error handling for fget 2019-08-06 18:29:38 +02:00
configfs configfs: Fix use-after-free when accessing sd->s_dentry 2019-06-22 08:17:23 +02:00
cramfs Cramfs: fix abad comparison when wrap-arounds occur 2018-11-13 11:17:03 -08:00
crypto fscrypt: don't set policy for a dead directory 2019-07-21 09:05:59 +02:00
debugfs debugfs: fix use-after-free on symlink traversal 2019-05-08 07:19:10 +02:00
devpts fs/devpts: always delete dcache dentry-s in dput() 2019-03-23 13:19:47 +01:00
dlm dlm: Don't swamp the CPU with callbacks queued during recovery 2019-02-12 19:44:51 +01:00
ecryptfs eCryptfs: fix a couple type promotion bugs 2019-08-04 09:33:31 +02:00
efivarfs
efs
exofs fs/exofs: fix potential memory leak in mount option parsing 2018-11-27 16:09:38 +01:00
exportfs exportfs: do not read dentry after free 2018-12-17 09:38:33 +01:00
ext2 ext2: Fix underflow in ext2_max_size() 2019-03-23 13:19:48 +01:00
ext4 ext4: allow directory holes 2019-08-04 09:33:32 +02:00
f2fs f2fs: fix to do sanity check on segment bitmap of LFS curseg 2019-10-05 12:30:11 +02:00
fat fs/fat/file.c: issue flush after the writeback of FAT 2019-06-22 08:17:11 +02:00
freevxfs
fscache fscache: fix race between enablement and dropping of object 2018-12-17 09:38:34 +01:00
fuse fuse: retrieve: cap requested size to negotiated max_write 2019-06-22 08:17:15 +02:00
gfs2 gfs2: Fix lru_count going negative 2019-05-31 06:48:13 -07:00
hfs hfs: do not free node before using 2018-12-17 09:38:35 +01:00
hfsplus hfsplus: do not free node before using 2018-12-17 09:38:35 +01:00
hostfs
hpfs
hugetlbfs hugetlb: use same fault hash key for shared and private mappings 2019-05-31 06:48:12 -07:00
isofs isofs: fix timestamps beyond 2027 2017-11-30 08:39:04 +00:00
jbd2 jbd2: check superblock mapped prior to committing 2019-05-21 18:48:59 +02:00
jffs2 jffs2: fix use-after-free on symlink traversal 2019-05-08 07:19:09 +02:00
jfs jfs: Fix inconsistency between memory allocation and ea_buf->max_size 2018-08-09 12:18:00 +02:00
kernfs kernfs: Replace strncpy with memcpy 2018-12-08 13:05:05 +01:00
lockd lockd: fix access beyond unterminated strings in prints 2018-11-13 11:17:02 -08:00
logfs
minix
ncpfs ncpfs: fix build warning of strncpy 2019-03-13 14:04:52 -07:00
nfs NFSv2: Fix write regression 2019-09-21 07:14:16 +02:00
nfs_common lockd: fix "list_add double add" caused by legacy signal interface 2018-02-03 17:05:38 +01:00
nfsd nfsd: Fix overflow causing non-working mounts on 1 TB machines 2019-08-04 09:33:36 +02:00
nilfs2 do d_instantiate/unlock_new_inode combinations safely 2018-05-30 07:50:16 +02:00
nls
notify fanotify: fix handling of events on child sub-directory 2019-02-06 17:33:30 +01:00
ntfs
ocfs2 ocfs2: remove set but not used variable 'last_hash' 2019-08-25 10:51:48 +02:00
omfs
openpromfs
orangefs orangefs: off by ones in xattr size checks 2018-11-10 07:42:46 -08:00
overlayfs ovl: filter trusted xattr for non-admin 2018-04-13 19:48:12 +02:00
proc coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping 2019-08-06 18:29:41 +02:00
pstore pstore/ram: Do not treat empty buffers as valid 2019-01-26 09:38:33 +01:00
qnx4
qnx6
quota fs/quota: Fix spectre gadget in do_quotactl 2018-09-09 20:01:26 +02:00
ramfs
reiserfs reiserfs: propagate errors from fill_with_dentries() properly 2018-11-27 16:09:38 +01:00
romfs romfs: use different way to generate fsid for BLOCK or MTD 2017-06-17 06:41:56 +02:00
squashfs Squashfs: Compute expected length from inode size rather than block length 2018-09-05 09:20:03 +02:00
sysfs scsi: sysfs: Introduce sysfs_{un,}break_active_protection() 2018-09-05 09:20:10 +02:00
sysv sysv: return 'err' instead of 0 in __sysv_write_inode 2018-12-17 09:38:32 +01:00
tracefs
ubifs ubifs: Handle re-linking of inodes correctly while recovery 2018-12-29 13:40:16 +01:00
udf udf: Fix incorrect final NOT_ALLOCATED (hole) extent length 2019-07-21 09:05:57 +02:00
ufs ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour 2019-05-25 18:26:56 +02:00
xfs xfs: don't crash on null attr fork xfs_bmapi_read 2019-10-05 12:30:11 +02:00
aio.c aio: fix spectre gadget in lookup_ioctx 2018-12-21 14:11:31 +01:00
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c
binfmt_elf.c binfmt_elf: Respect error return from `regset->active' 2018-09-26 08:36:37 +02:00
binfmt_elf_fdpic.c
binfmt_em86.c
binfmt_flat.c fs/binfmt_flat.c: make load_flat_shared_library() work 2019-07-10 09:55:38 +02:00
binfmt_misc.c fs/binfmt_misc.c: do not allow offset overflow 2018-06-26 08:08:09 +08:00
binfmt_script.c Revert "exec: load_script: don't blindly truncate shebang string" 2019-02-15 09:07:33 +01:00
block_dev.c blockdev: Fix livelocks on loop device 2019-01-23 08:10:56 +01:00
buffer.c fs: fix guard_bio_eod to check for real EOD errors 2019-04-05 22:29:08 +02:00
char_dev.c chardev: add additional check for minor range overlap 2019-05-31 06:48:29 -07:00
compat.c
compat_binfmt_elf.c binfmt_elf: compat: avoid unused function warning 2018-02-25 11:05:55 +01:00
compat_ioctl.c compat_ioctl: pppoe: fix PPPOEIOCSFWD handling 2019-08-11 12:22:17 +02:00
coredump.c coredump: Ensure proper size of sparse core files 2017-07-05 14:40:26 +02:00
dax.c fs/dax.c: fix inefficiency in dax_writeback_mapping_range() 2018-02-28 10:18:33 +01:00
dcache.c Hang/soft lockup in d_invalidate with simultaneous calls 2019-03-27 14:13:04 +09:00
dcookies.c
direct-io.c direct-io: allow direct writes to empty inodes 2019-03-05 17:57:05 +01:00
drop_caches.c fs/drop_caches.c: avoid softlockups in drop_pagecache_sb() 2019-03-13 14:04:58 -07:00
eventfd.c
eventpoll.c fs/epoll: drop ovflist branch prediction 2019-02-12 19:44:59 +01:00
exec.c sched/fair: Don't free p->numa_faults with concurrent readers 2019-08-04 09:33:45 +02:00
fcntl.c fs/fcntl: f_setown, avoid undefined behaviour 2018-01-31 12:55:52 +01:00
fhandle.c
file.c fs/file.c: initialize init_files.resize_wait 2019-04-05 22:29:07 +02:00
file_table.c
filesystems.c
fs-writeback.c blkcg, writeback: dead memcgs shouldn't contribute to writeback ownership arbitration 2019-08-04 09:33:20 +02:00
fs_pin.c
fs_struct.c
inode.c Abort file_remove_privs() for non-reg. files 2019-06-22 08:17:24 +02:00
internal.h xfs: evict all inodes involved with log redo item 2017-09-20 08:20:01 +02:00
ioctl.c
iomap.c iomap: fix integer truncation issues in the zeroing and dirtying helpers 2017-09-20 08:19:59 +02:00
Kconfig
Kconfig.binfmt
libfs.c libfs: Modify mount_pseudo_xattr to be clear it is not a userspace mount 2017-12-09 22:01:51 +01:00
locks.c
Makefile
mbcache.c mbcache: initialize entry->e_referenced in mb_cache_entry_create() 2018-02-22 15:43:48 +01:00
mount.h mnt: In propgate_umount handle visiting mounts in any order 2017-07-21 07:42:22 +02:00
mpage.c fs/mpage.c: fix mpage_writepage() for pages with buffers 2017-10-18 09:35:39 +02:00
namei.c namei: allow restricted O_CREAT of FIFOs and regular files 2018-12-01 09:44:25 +01:00
namespace.c mount: Prevent MNT_DETACH from disconnecting locked mounts 2018-11-21 09:26:02 +01:00
no-block.c
nsfs.c nsfs: mark dentry with DCACHE_RCUACCESS 2018-02-17 13:21:15 +01:00
open.c access: avoid the RCU grace period for the temporary subjective credentials 2019-08-04 09:33:43 +02:00
pipe.c fs: prevent page refcount overflow in pipe_buf_get 2019-06-11 12:22:45 +02:00
pnode.c mnt: Make propagate_umount less slow for overlapping mount propagation trees 2017-07-21 07:42:22 +02:00
pnode.h
posix_acl.c
proc_namespace.c
read_write.c fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock 2019-06-11 12:22:49 +02:00
readdir.c
select.c
seq_file.c
signalfd.c
splice.c fs: prevent page refcount overflow in pipe_buf_get 2019-06-11 12:22:45 +02:00
stack.c
stat.c ufs: restore maintaining ->i_blocks 2017-06-14 15:06:01 +02:00
statfs.c
super.c fs: don't scan the inode cache before SB_BORN is set 2019-02-06 17:33:29 +01:00
sync.c
timerfd.c
userfaultfd.c userfaultfd_release: always remove uffd flags and clear vm_userfaultfd_ctx 2019-09-06 10:19:37 +02:00
utimes.c
xattr.c sysfs: Do not return POSIX ACL xattrs via listxattr 2018-10-10 08:53:22 +02:00