From: Darrick J. Wong Date: Fri, 18 Nov 2022 10:00:45 +0000 (+0100) Subject: xfs: make sure aglen never goes negative in xfs_refcount_adjust_extents X-Git-Tag: origin/for-next_2022-11-30~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2d5166b9dd5adc87a1399d4f3b0ef4569526798e;p=thirdparty%2Fxfsprogs-dev.git xfs: make sure aglen never goes negative in xfs_refcount_adjust_extents Source kernel commit: f850995f60e49818093ef5e477cdb0ff2c11a0a4 Prior to calling xfs_refcount_adjust_extents, we trimmed agbno/aglen such that the end of the range would not be in the middle of a refcount record. If this is no longer the case, something is seriously wrong with the btree. Bail out with a corruption error. Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Signed-off-by: Carlos Maiolino --- diff --git a/libxfs/xfs_refcount.c b/libxfs/xfs_refcount.c index bcd760fe1..146e833b0 100644 --- a/libxfs/xfs_refcount.c +++ b/libxfs/xfs_refcount.c @@ -985,15 +985,29 @@ xfs_refcount_adjust_extents( (*agbno) += tmp.rc_blockcount; (*aglen) -= tmp.rc_blockcount; + /* Stop if there's nothing left to modify */ + if (*aglen == 0 || !xfs_refcount_still_have_space(cur)) + break; + + /* Move the cursor to the start of ext. */ error = xfs_refcount_lookup_ge(cur, *agbno, &found_rec); if (error) goto out_error; } - /* Stop if there's nothing left to modify */ - if (*aglen == 0 || !xfs_refcount_still_have_space(cur)) - break; + /* + * A previous step trimmed agbno/aglen such that the end of the + * range would not be in the middle of the record. If this is + * no longer the case, something is seriously wrong with the + * btree. Make sure we never feed the synthesized record into + * the processing loop below. + */ + if (XFS_IS_CORRUPT(cur->bc_mp, ext.rc_blockcount == 0) || + XFS_IS_CORRUPT(cur->bc_mp, ext.rc_blockcount > *aglen)) { + error = -EFSCORRUPTED; + goto out_error; + } /* * Adjust the reference count and either update the tree