xfs: remote attribute overwrite causes transaction overrun

Commit e461fcb ("xfs: remote attribute lookups require the value
length") passes the remote attribute length in the xfs_da_args
structure on lookup so that CRC calculations and validity checking
can be performed correctly by related code. This, unfortunately has
the side effect of changing the args->valuelen parameter in cases
where it shouldn't.

That is, when we replace a remote attribute, the incoming
replacement stores the value and length in args->value and
args->valuelen, but then the lookup which finds the existing remote
attribute overwrites args->valuelen with the length of the remote
attribute being replaced. Hence when we go to create the new
attribute, we create it of the size of the existing remote
attribute, not the size it is supposed to be. When the new attribute
is much smaller than the old attribute, this results in a
transaction overrun and an ASSERT() failure on a debug kernel:

XFS: Assertion failed: tp->t_blk_res_used <= tp->t_blk_res, file: fs/xfs/xfs_trans.c, line: 331

Fix this by keeping the remote attribute value length separate to
the attribute value length in the xfs_da_args structure. The enables
us to pass the length of the remote attribute to be removed without
overwriting the new attribute's length.

Also, ensure that when we save remote block contexts for a later
rename we zero the original state variables so that we don't confuse
the state of the attribute to be removes with the state of the new
attribute that we just added. [Spotted by Brain Foster.]

Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>

1 files changed, 5 insertions, 3 deletions

diff --git a/fs/xfs/xfs_attr_remote.c b/fs/xfs/xfs_attr_remote.c
index 6e37823e2932..d2e6e948cec7 100644
--- a/fs/xfs/xfs_attr_remote.c
+++ b/fs/xfs/xfs_attr_remote.c
@@ -337,7 +337,7 @@ xfs_attr_rmtval_get(
         struct xfs_buf          *bp;
         xfs_dablk_t             lblkno = args->rmtblkno;
         __uint8_t               *dst = args->value;
-        int                     valuelen = args->valuelen;
+        int                     valuelen;
         int                     nmap;
         int                     error;
         int                     blkcnt = args->rmtblkcnt;
@@ -347,7 +347,9 @@ xfs_attr_rmtval_get(
         trace_xfs_attr_rmtval_get(args);
 
         ASSERT(!(args->flags & ATTR_KERNOVAL));
+        ASSERT(args->rmtvaluelen == args->valuelen);
 
+        valuelen = args->rmtvaluelen;
         while (valuelen > 0) {
                 nmap = ATTR_RMTVALUE_MAPSIZE;
                 error = xfs_bmapi_read(args->dp, (xfs_fileoff_t)lblkno,
@@ -415,7 +417,7 @@ xfs_attr_rmtval_set(
          * attributes have headers, we can't just do a straight byte to FSB
          * conversion and have to take the header space into account.
          */
-        blkcnt = xfs_attr3_rmt_blocks(mp, args->valuelen);
+        blkcnt = xfs_attr3_rmt_blocks(mp, args->rmtvaluelen);
         error = xfs_bmap_first_unused(args->trans, args->dp, blkcnt, &lfileoff,
                                                    XFS_ATTR_FORK);
         if (error)
@@ -480,7 +482,7 @@ xfs_attr_rmtval_set(
          */
         lblkno = args->rmtblkno;
         blkcnt = args->rmtblkcnt;
-        valuelen = args->valuelen;
+        valuelen = args->rmtvaluelen;
         while (valuelen > 0) {
                 struct xfs_buf  *bp;
                 xfs_daddr_t     dblkno;