xfs: forbid AG btrees with level == 0

commit d2a047f31e86941fa896e0e3271536d50aba415e upstream. There is no such thing as a zero-level AG btree since even a single-node zero-records btree has one level. Btree cursor constructors read cur_nlevels straight from disk and then access things like cur_bufs[cur_nlevels - 1] which is /really/ bad if cur_nlevels is zero! Therefore, strengthen the verifiers to prevent this possibility. Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by: Dave Chinner <dchinner@redhat.com> Signed-off-by: Dave Chinner <david@fromorbit.com> Cc: Christoph Hellwig <hch@lst.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Darrick J. Wong <darrick.wong@oracle.com> 2017-01-09 10:38:51 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-01-12 05:39:42 -0500
commit: b85f32481d93a23488d208fca4558e84515dc0f4 (patch)
tree: 37fc914d5e42c633c1ac82b1db1ebb8a61065f6d /fs
parent: 4081d4a79a95252486569b014b9a666ad5bfdbee (diff)
2 files changed, 15 insertions, 4 deletions
diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c
index effb64cf714f..5050056a0b06 100644
--- a/fs/xfs/libxfs/xfs_alloc.c
+++ b/fs/xfs/libxfs/xfs_alloc.c
@@ -2455,12 +2455,15 @@ xfs_agf_verify(
              be32_to_cpu(agf->agf_flcount) <= XFS_AGFL_SIZE(mp)))
                return false;
-        if (be32_to_cpu(agf->agf_levels[XFS_BTNUM_BNO]) > XFS_BTREE_MAXLEVELS ||
+        if (be32_to_cpu(agf->agf_levels[XFS_BTNUM_BNO]) < 1 ||
+            be32_to_cpu(agf->agf_levels[XFS_BTNUM_CNT]) < 1 ||
+            be32_to_cpu(agf->agf_levels[XFS_BTNUM_BNO]) > XFS_BTREE_MAXLEVELS ||
            be32_to_cpu(agf->agf_levels[XFS_BTNUM_CNT]) > XFS_BTREE_MAXLEVELS)
                return false;
        if (xfs_sb_version_hasrmapbt(&mp->m_sb) &&
-            be32_to_cpu(agf->agf_levels[XFS_BTNUM_RMAP]) > XFS_BTREE_MAXLEVELS)
+            (be32_to_cpu(agf->agf_levels[XFS_BTNUM_RMAP]) < 1 ||
+             be32_to_cpu(agf->agf_levels[XFS_BTNUM_RMAP]) > XFS_BTREE_MAXLEVELS))
                return false;
        /*
@@ -2477,7 +2480,8 @@ xfs_agf_verify(
                return false;
        if (xfs_sb_version_hasreflink(&mp->m_sb) &&
-            be32_to_cpu(agf->agf_refcount_level) > XFS_BTREE_MAXLEVELS)
+            (be32_to_cpu(agf->agf_refcount_level) < 1 ||
+             be32_to_cpu(agf->agf_refcount_level) > XFS_BTREE_MAXLEVELS))
                return false;
        return true;;
diff --git a/fs/xfs/libxfs/xfs_ialloc.c b/fs/xfs/libxfs/xfs_ialloc.c
index c482b9716347..d45c03779dae 100644
--- a/fs/xfs/libxfs/xfs_ialloc.c
+++ b/fs/xfs/libxfs/xfs_ialloc.c
@@ -2510,8 +2510,15 @@ xfs_agi_verify(
        if (!XFS_AGI_GOOD_VERSION(be32_to_cpu(agi->agi_versionnum)))
                return false;
-        if (be32_to_cpu(agi->agi_level) > XFS_BTREE_MAXLEVELS)
+        if (be32_to_cpu(agi->agi_level) < 1 ||
+            be32_to_cpu(agi->agi_level) > XFS_BTREE_MAXLEVELS)
                return false;
+        if (xfs_sb_version_hasfinobt(&mp->m_sb) &&
+            (be32_to_cpu(agi->agi_free_level) < 1 ||
+             be32_to_cpu(agi->agi_free_level) > XFS_BTREE_MAXLEVELS))
+                return false;
        /*
         * during growfs operations, the perag is not fully initialised,
         * so we can't use it for any useful checking. growfs ensures we can't
author	Darrick J. Wong <darrick.wong@oracle.com>	2017-01-09 10:38:51 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-01-12 05:39:42 -0500
commit	b85f32481d93a23488d208fca4558e84515dc0f4 (patch)
tree	37fc914d5e42c633c1ac82b1db1ebb8a61065f6d /fs
parent	4081d4a79a95252486569b014b9a666ad5bfdbee (diff)