diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2016-08-29 15:37:11 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2016-08-29 15:37:11 -0400 |
| commit | b8927721ae9d5ac0582d29d7b8c267d465ad5f00 (patch) | |
| tree | 88fce8d62310a0d82b953b1dc5b1307577d9ade5 /fs/ext4 | |
| parent | 1f6a563ee0cd577a9292940eee389482db306765 (diff) | |
| parent | 2e81a4eeedcaa66e35f58b81e0755b87057ce392 (diff) | |
Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
Pull ext4 fixes from Ted Ts'o:
"Fix bugs that could cause kernel deadlocks or file system corruption
while moving xattrs to expand the extended inode.
Also add some sanity checks to the block group descriptors to make
sure we don't end up overwriting the superblock"
* tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
ext4: avoid deadlock when expanding inode size
ext4: properly align shifted xattrs when expanding inodes
ext4: fix xattr shifting when expanding inodes part 2
ext4: fix xattr shifting when expanding inodes
ext4: validate that metadata blocks do not overlap superblock
ext4: reserve xattr index for the Hurd
Diffstat (limited to 'fs/ext4')
| -rw-r--r-- | fs/ext4/inode.c | 2 | ||||
| -rw-r--r-- | fs/ext4/super.c | 18 | ||||
| -rw-r--r-- | fs/ext4/xattr.c | 53 | ||||
| -rw-r--r-- | fs/ext4/xattr.h | 1 |
4 files changed, 49 insertions, 25 deletions
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 3131747199e1..c6ea25a190f8 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c | |||
| @@ -5466,8 +5466,6 @@ int ext4_mark_inode_dirty(handle_t *handle, struct inode *inode) | |||
| 5466 | sbi->s_want_extra_isize, | 5466 | sbi->s_want_extra_isize, |
| 5467 | iloc, handle); | 5467 | iloc, handle); |
| 5468 | if (ret) { | 5468 | if (ret) { |
| 5469 | ext4_set_inode_state(inode, | ||
| 5470 | EXT4_STATE_NO_EXPAND); | ||
| 5471 | if (mnt_count != | 5469 | if (mnt_count != |
| 5472 | le16_to_cpu(sbi->s_es->s_mnt_count)) { | 5470 | le16_to_cpu(sbi->s_es->s_mnt_count)) { |
| 5473 | ext4_warning(inode->i_sb, | 5471 | ext4_warning(inode->i_sb, |
diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 1c593aa0218e..3ec8708989ca 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c | |||
| @@ -2211,6 +2211,7 @@ void ext4_group_desc_csum_set(struct super_block *sb, __u32 block_group, | |||
| 2211 | 2211 | ||
| 2212 | /* Called at mount-time, super-block is locked */ | 2212 | /* Called at mount-time, super-block is locked */ |
| 2213 | static int ext4_check_descriptors(struct super_block *sb, | 2213 | static int ext4_check_descriptors(struct super_block *sb, |
| 2214 | ext4_fsblk_t sb_block, | ||
| 2214 | ext4_group_t *first_not_zeroed) | 2215 | ext4_group_t *first_not_zeroed) |
| 2215 | { | 2216 | { |
| 2216 | struct ext4_sb_info *sbi = EXT4_SB(sb); | 2217 | struct ext4_sb_info *sbi = EXT4_SB(sb); |
| @@ -2241,6 +2242,11 @@ static int ext4_check_descriptors(struct super_block *sb, | |||
| 2241 | grp = i; | 2242 | grp = i; |
| 2242 | 2243 | ||
| 2243 | block_bitmap = ext4_block_bitmap(sb, gdp); | 2244 | block_bitmap = ext4_block_bitmap(sb, gdp); |
| 2245 | if (block_bitmap == sb_block) { | ||
| 2246 | ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " | ||
| 2247 | "Block bitmap for group %u overlaps " | ||
| 2248 | "superblock", i); | ||
| 2249 | } | ||
| 2244 | if (block_bitmap < first_block || block_bitmap > last_block) { | 2250 | if (block_bitmap < first_block || block_bitmap > last_block) { |
| 2245 | ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " | 2251 | ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " |
| 2246 | "Block bitmap for group %u not in group " | 2252 | "Block bitmap for group %u not in group " |
| @@ -2248,6 +2254,11 @@ static int ext4_check_descriptors(struct super_block *sb, | |||
| 2248 | return 0; | 2254 | return 0; |
| 2249 | } | 2255 | } |
| 2250 | inode_bitmap = ext4_inode_bitmap(sb, gdp); | 2256 | inode_bitmap = ext4_inode_bitmap(sb, gdp); |
| 2257 | if (inode_bitmap == sb_block) { | ||
| 2258 | ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " | ||
| 2259 | "Inode bitmap for group %u overlaps " | ||
| 2260 | "superblock", i); | ||
| 2261 | } | ||
| 2251 | if (inode_bitmap < first_block || inode_bitmap > last_block) { | 2262 | if (inode_bitmap < first_block || inode_bitmap > last_block) { |
| 2252 | ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " | 2263 | ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " |
| 2253 | "Inode bitmap for group %u not in group " | 2264 | "Inode bitmap for group %u not in group " |
| @@ -2255,6 +2266,11 @@ static int ext4_check_descriptors(struct super_block *sb, | |||
| 2255 | return 0; | 2266 | return 0; |
| 2256 | } | 2267 | } |
| 2257 | inode_table = ext4_inode_table(sb, gdp); | 2268 | inode_table = ext4_inode_table(sb, gdp); |
| 2269 | if (inode_table == sb_block) { | ||
| 2270 | ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " | ||
| 2271 | "Inode table for group %u overlaps " | ||
| 2272 | "superblock", i); | ||
| 2273 | } | ||
| 2258 | if (inode_table < first_block || | 2274 | if (inode_table < first_block || |
| 2259 | inode_table + sbi->s_itb_per_group - 1 > last_block) { | 2275 | inode_table + sbi->s_itb_per_group - 1 > last_block) { |
| 2260 | ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " | 2276 | ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " |
| @@ -3757,7 +3773,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) | |||
| 3757 | goto failed_mount2; | 3773 | goto failed_mount2; |
| 3758 | } | 3774 | } |
| 3759 | } | 3775 | } |
| 3760 | if (!ext4_check_descriptors(sb, &first_not_zeroed)) { | 3776 | if (!ext4_check_descriptors(sb, logical_sb_block, &first_not_zeroed)) { |
| 3761 | ext4_msg(sb, KERN_ERR, "group descriptors corrupted!"); | 3777 | ext4_msg(sb, KERN_ERR, "group descriptors corrupted!"); |
| 3762 | ret = -EFSCORRUPTED; | 3778 | ret = -EFSCORRUPTED; |
| 3763 | goto failed_mount2; | 3779 | goto failed_mount2; |
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 39e9cfb1b371..2eb935ca5d9e 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c | |||
| @@ -1353,15 +1353,19 @@ int ext4_expand_extra_isize_ea(struct inode *inode, int new_extra_isize, | |||
| 1353 | size_t min_offs, free; | 1353 | size_t min_offs, free; |
| 1354 | int total_ino; | 1354 | int total_ino; |
| 1355 | void *base, *start, *end; | 1355 | void *base, *start, *end; |
| 1356 | int extra_isize = 0, error = 0, tried_min_extra_isize = 0; | 1356 | int error = 0, tried_min_extra_isize = 0; |
| 1357 | int s_min_extra_isize = le16_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_min_extra_isize); | 1357 | int s_min_extra_isize = le16_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_min_extra_isize); |
| 1358 | int isize_diff; /* How much do we need to grow i_extra_isize */ | ||
| 1358 | 1359 | ||
| 1359 | down_write(&EXT4_I(inode)->xattr_sem); | 1360 | down_write(&EXT4_I(inode)->xattr_sem); |
| 1361 | /* | ||
| 1362 | * Set EXT4_STATE_NO_EXPAND to avoid recursion when marking inode dirty | ||
| 1363 | */ | ||
| 1364 | ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND); | ||
| 1360 | retry: | 1365 | retry: |
| 1361 | if (EXT4_I(inode)->i_extra_isize >= new_extra_isize) { | 1366 | isize_diff = new_extra_isize - EXT4_I(inode)->i_extra_isize; |
| 1362 | up_write(&EXT4_I(inode)->xattr_sem); | 1367 | if (EXT4_I(inode)->i_extra_isize >= new_extra_isize) |
| 1363 | return 0; | 1368 | goto out; |
| 1364 | } | ||
| 1365 | 1369 | ||
| 1366 | header = IHDR(inode, raw_inode); | 1370 | header = IHDR(inode, raw_inode); |
| 1367 | entry = IFIRST(header); | 1371 | entry = IFIRST(header); |
| @@ -1382,7 +1386,7 @@ retry: | |||
| 1382 | goto cleanup; | 1386 | goto cleanup; |
| 1383 | 1387 | ||
| 1384 | free = ext4_xattr_free_space(last, &min_offs, base, &total_ino); | 1388 | free = ext4_xattr_free_space(last, &min_offs, base, &total_ino); |
| 1385 | if (free >= new_extra_isize) { | 1389 | if (free >= isize_diff) { |
| 1386 | entry = IFIRST(header); | 1390 | entry = IFIRST(header); |
| 1387 | ext4_xattr_shift_entries(entry, EXT4_I(inode)->i_extra_isize | 1391 | ext4_xattr_shift_entries(entry, EXT4_I(inode)->i_extra_isize |
| 1388 | - new_extra_isize, (void *)raw_inode + | 1392 | - new_extra_isize, (void *)raw_inode + |
| @@ -1390,8 +1394,7 @@ retry: | |||
| 1390 | (void *)header, total_ino, | 1394 | (void *)header, total_ino, |
| 1391 | inode->i_sb->s_blocksize); | 1395 | inode->i_sb->s_blocksize); |
| 1392 | EXT4_I(inode)->i_extra_isize = new_extra_isize; | 1396 | EXT4_I(inode)->i_extra_isize = new_extra_isize; |
| 1393 | error = 0; | 1397 | goto out; |
| 1394 | goto cleanup; | ||
| 1395 | } | 1398 | } |
| 1396 | 1399 | ||
| 1397 | /* | 1400 | /* |
| @@ -1414,7 +1417,7 @@ retry: | |||
| 1414 | end = bh->b_data + bh->b_size; | 1417 | end = bh->b_data + bh->b_size; |
| 1415 | min_offs = end - base; | 1418 | min_offs = end - base; |
| 1416 | free = ext4_xattr_free_space(first, &min_offs, base, NULL); | 1419 | free = ext4_xattr_free_space(first, &min_offs, base, NULL); |
| 1417 | if (free < new_extra_isize) { | 1420 | if (free < isize_diff) { |
| 1418 | if (!tried_min_extra_isize && s_min_extra_isize) { | 1421 | if (!tried_min_extra_isize && s_min_extra_isize) { |
| 1419 | tried_min_extra_isize++; | 1422 | tried_min_extra_isize++; |
| 1420 | new_extra_isize = s_min_extra_isize; | 1423 | new_extra_isize = s_min_extra_isize; |
| @@ -1428,7 +1431,7 @@ retry: | |||
| 1428 | free = inode->i_sb->s_blocksize; | 1431 | free = inode->i_sb->s_blocksize; |
| 1429 | } | 1432 | } |
| 1430 | 1433 | ||
| 1431 | while (new_extra_isize > 0) { | 1434 | while (isize_diff > 0) { |
| 1432 | size_t offs, size, entry_size; | 1435 | size_t offs, size, entry_size; |
| 1433 | struct ext4_xattr_entry *small_entry = NULL; | 1436 | struct ext4_xattr_entry *small_entry = NULL; |
| 1434 | struct ext4_xattr_info i = { | 1437 | struct ext4_xattr_info i = { |
| @@ -1459,7 +1462,7 @@ retry: | |||
| 1459 | EXT4_XATTR_SIZE(le32_to_cpu(last->e_value_size)) + | 1462 | EXT4_XATTR_SIZE(le32_to_cpu(last->e_value_size)) + |
| 1460 | EXT4_XATTR_LEN(last->e_name_len); | 1463 | EXT4_XATTR_LEN(last->e_name_len); |
| 1461 | if (total_size <= free && total_size < min_total_size) { | 1464 | if (total_size <= free && total_size < min_total_size) { |
| 1462 | if (total_size < new_extra_isize) { | 1465 | if (total_size < isize_diff) { |
| 1463 | small_entry = last; | 1466 | small_entry = last; |
| 1464 | } else { | 1467 | } else { |
| 1465 | entry = last; | 1468 | entry = last; |
| @@ -1514,22 +1517,22 @@ retry: | |||
| 1514 | error = ext4_xattr_ibody_set(handle, inode, &i, is); | 1517 | error = ext4_xattr_ibody_set(handle, inode, &i, is); |
| 1515 | if (error) | 1518 | if (error) |
| 1516 | goto cleanup; | 1519 | goto cleanup; |
| 1520 | total_ino -= entry_size; | ||
| 1517 | 1521 | ||
| 1518 | entry = IFIRST(header); | 1522 | entry = IFIRST(header); |
| 1519 | if (entry_size + EXT4_XATTR_SIZE(size) >= new_extra_isize) | 1523 | if (entry_size + EXT4_XATTR_SIZE(size) >= isize_diff) |
| 1520 | shift_bytes = new_extra_isize; | 1524 | shift_bytes = isize_diff; |
| 1521 | else | 1525 | else |
| 1522 | shift_bytes = entry_size + size; | 1526 | shift_bytes = entry_size + EXT4_XATTR_SIZE(size); |
| 1523 | /* Adjust the offsets and shift the remaining entries ahead */ | 1527 | /* Adjust the offsets and shift the remaining entries ahead */ |
| 1524 | ext4_xattr_shift_entries(entry, EXT4_I(inode)->i_extra_isize - | 1528 | ext4_xattr_shift_entries(entry, -shift_bytes, |
| 1525 | shift_bytes, (void *)raw_inode + | 1529 | (void *)raw_inode + EXT4_GOOD_OLD_INODE_SIZE + |
| 1526 | EXT4_GOOD_OLD_INODE_SIZE + extra_isize + shift_bytes, | 1530 | EXT4_I(inode)->i_extra_isize + shift_bytes, |
| 1527 | (void *)header, total_ino - entry_size, | 1531 | (void *)header, total_ino, inode->i_sb->s_blocksize); |
| 1528 | inode->i_sb->s_blocksize); | ||
| 1529 | 1532 | ||
| 1530 | extra_isize += shift_bytes; | 1533 | isize_diff -= shift_bytes; |
| 1531 | new_extra_isize -= shift_bytes; | 1534 | EXT4_I(inode)->i_extra_isize += shift_bytes; |
| 1532 | EXT4_I(inode)->i_extra_isize = extra_isize; | 1535 | header = IHDR(inode, raw_inode); |
| 1533 | 1536 | ||
| 1534 | i.name = b_entry_name; | 1537 | i.name = b_entry_name; |
| 1535 | i.value = buffer; | 1538 | i.value = buffer; |
| @@ -1551,6 +1554,8 @@ retry: | |||
| 1551 | kfree(bs); | 1554 | kfree(bs); |
| 1552 | } | 1555 | } |
| 1553 | brelse(bh); | 1556 | brelse(bh); |
| 1557 | out: | ||
| 1558 | ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND); | ||
| 1554 | up_write(&EXT4_I(inode)->xattr_sem); | 1559 | up_write(&EXT4_I(inode)->xattr_sem); |
| 1555 | return 0; | 1560 | return 0; |
| 1556 | 1561 | ||
| @@ -1562,6 +1567,10 @@ cleanup: | |||
| 1562 | kfree(is); | 1567 | kfree(is); |
| 1563 | kfree(bs); | 1568 | kfree(bs); |
| 1564 | brelse(bh); | 1569 | brelse(bh); |
| 1570 | /* | ||
| 1571 | * We deliberately leave EXT4_STATE_NO_EXPAND set here since inode | ||
| 1572 | * size expansion failed. | ||
| 1573 | */ | ||
| 1565 | up_write(&EXT4_I(inode)->xattr_sem); | 1574 | up_write(&EXT4_I(inode)->xattr_sem); |
| 1566 | return error; | 1575 | return error; |
| 1567 | } | 1576 | } |
diff --git a/fs/ext4/xattr.h b/fs/ext4/xattr.h index 69dd3e6566e0..a92e783fa057 100644 --- a/fs/ext4/xattr.h +++ b/fs/ext4/xattr.h | |||
| @@ -24,6 +24,7 @@ | |||
| 24 | #define EXT4_XATTR_INDEX_SYSTEM 7 | 24 | #define EXT4_XATTR_INDEX_SYSTEM 7 |
| 25 | #define EXT4_XATTR_INDEX_RICHACL 8 | 25 | #define EXT4_XATTR_INDEX_RICHACL 8 |
| 26 | #define EXT4_XATTR_INDEX_ENCRYPTION 9 | 26 | #define EXT4_XATTR_INDEX_ENCRYPTION 9 |
| 27 | #define EXT4_XATTR_INDEX_HURD 10 /* Reserved for Hurd */ | ||
| 27 | 28 | ||
| 28 | struct ext4_xattr_header { | 29 | struct ext4_xattr_header { |
| 29 | __le32 h_magic; /* magic number for identification */ | 30 | __le32 h_magic; /* magic number for identification */ |