ACK/Cmnt: [SRU oem-5.6] xfs: add agf freeblocks verify in xfs_agf_verify

Stefan Bader stefan.bader at canonical.com
Thu Sep 17 07:43:54 UTC 2020 

On 16.09.20 19:53, Thadeu Lima de Souza Cascardo wrote:
> From: Zheng Bin <zhengbin13 at huawei.com>
> 
> We recently used fuzz(hydra) to test XFS and automatically generate
> tmp.img(XFS v5 format, but some metadata is wrong)
> 
> xfs_repair information(just one AG):
> agf_freeblks 0, counted 3224 in ag 0
> agf_longest 536874136, counted 3224 in ag 0
> sb_fdblocks 613, counted 3228
> 
> Test as follows:
> mount tmp.img tmpdir
> cp file1M tmpdir
> sync
> 
> In 4.19-stable, sync will stuck, the reason is:
> xfs_mountfs
>   xfs_check_summary_counts
>     if ((!xfs_sb_version_haslazysbcount(&mp->m_sb) ||
>        XFS_LAST_UNMOUNT_WAS_CLEAN(mp)) &&
>        !xfs_fs_has_sickness(mp, XFS_SICK_FS_COUNTERS))
> 	return 0;  -->just return, incore sb_fdblocks still be 613
>     xfs_initialize_perag_data
> 
> cp file1M tmpdir -->ok(write file to pagecache)
> sync -->stuck(write pagecache to disk)
> xfs_map_blocks
>   xfs_iomap_write_allocate
>     while (count_fsb != 0) {
>       nimaps = 0;
>       while (nimaps == 0) { --> endless loop
>          nimaps = 1;
>          xfs_bmapi_write(..., &nimaps) --> nimaps becomes 0 again
> xfs_bmapi_write
>   xfs_bmap_alloc
>     xfs_bmap_btalloc
>       xfs_alloc_vextent
>         xfs_alloc_fix_freelist
>           xfs_alloc_space_available -->fail(agf_freeblks is 0)
> 
> In linux-next, sync not stuck, cause commit c2b3164320b5 ("xfs:
> use the latest extent at writeback delalloc conversion time") remove
> the above while, dmesg is as follows:
> [   55.250114] XFS (loop0): page discard on page ffffea0008bc7380, inode 0x1b0c, offset 0.
> 
> Users do not know why this page is discard, the better soultion is:
> 1. Like xfs_repair, make sure sb_fdblocks is equal to counted
> (xfs_initialize_perag_data did this, who is not called at this mount)
> 2. Add agf verify, if fail, will tell users to repair
> 
> This patch use the second soultion.
> 
> Signed-off-by: Zheng Bin <zhengbin13 at huawei.com>
> Signed-off-by: Ren Xudong <renxudong1 at huawei.com>
> Reviewed-by: Darrick J. Wong <darrick.wong at oracle.com>
> Signed-off-by: Darrick J. Wong <darrick.wong at oracle.com>
> (cherry picked from commit d0c7feaf87678371c2c09b3709400be416b2dc62)
> CVE-2020-12655
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---

Just as I noted it with this review, I would prefer to do the sob block like this:

...

CVE-2020-12655
(cherry picked from commit d0c7feaf87678371c2c09b3709400be416b2dc62)
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>

>  fs/xfs/libxfs/xfs_alloc.c | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c
> index 5a130409f173..0ebf4098a156 100644
> --- a/fs/xfs/libxfs/xfs_alloc.c
> +++ b/fs/xfs/libxfs/xfs_alloc.c
> @@ -2858,6 +2858,13 @@ xfs_agf_verify(
>  	      be32_to_cpu(agf->agf_flcount) <= xfs_agfl_size(mp)))
>  		return __this_address;
>  
> +	if (be32_to_cpu(agf->agf_length) > mp->m_sb.sb_dblocks)
> +		return __this_address;
> +
> +	if (be32_to_cpu(agf->agf_freeblks) < be32_to_cpu(agf->agf_longest) ||
> +	    be32_to_cpu(agf->agf_freeblks) > be32_to_cpu(agf->agf_length))
> +		return __this_address;
> +
>  	if (be32_to_cpu(agf->agf_levels[XFS_BTNUM_BNO]) < 1 ||
>  	    be32_to_cpu(agf->agf_levels[XFS_BTNUM_CNT]) < 1 ||
>  	    be32_to_cpu(agf->agf_levels[XFS_BTNUM_BNO]) > XFS_BTREE_MAXLEVELS ||
> @@ -2869,6 +2876,10 @@ xfs_agf_verify(
>  	     be32_to_cpu(agf->agf_levels[XFS_BTNUM_RMAP]) > XFS_BTREE_MAXLEVELS))
>  		return __this_address;
>  
> +	if (xfs_sb_version_hasrmapbt(&mp->m_sb) &&
> +	    be32_to_cpu(agf->agf_rmap_blocks) > be32_to_cpu(agf->agf_length))
> +		return __this_address;
> +
>  	/*
>  	 * during growfs operations, the perag is not fully initialised,
>  	 * so we can't use it for any useful checking. growfs ensures we can't
> @@ -2882,6 +2893,11 @@ xfs_agf_verify(
>  	    be32_to_cpu(agf->agf_btreeblks) > be32_to_cpu(agf->agf_length))
>  		return __this_address;
>  
> +	if (xfs_sb_version_hasreflink(&mp->m_sb) &&
> +	    be32_to_cpu(agf->agf_refcount_blocks) >
> +	    be32_to_cpu(agf->agf_length))
> +		return __this_address;
> +
>  	if (xfs_sb_version_hasreflink(&mp->m_sb) &&
>  	    (be32_to_cpu(agf->agf_refcount_level) < 1 ||
>  	     be32_to_cpu(agf->agf_refcount_level) > XFS_BTREE_MAXLEVELS))
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20200917/fe5d8633/attachment.sig>

More information about the kernel-team mailing list