From: Greg Kroah-Hartman Date: Mon, 24 Apr 2023 06:04:03 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.14.314~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=99ac737e21a02b597cedb2ab990d39be4e3eef01;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: xfs-fix-forkoff-miscalculation-related-to-xfs_litino-mp.patch --- diff --git a/queue-5.4/series b/queue-5.4/series index c7cc295cbdc..8358707d9f4 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -34,3 +34,4 @@ tcp-udp-call-inet6_destroy_sock-in-ipv6-sk-sk_destruct.patch inet6-remove-inet6_destroy_sock-in-sk-sk_prot-destroy.patch dccp-call-inet6_destroy_sock-via-sk-sk_destruct.patch sctp-call-inet6_destroy_sock-via-sk-sk_destruct.patch +xfs-fix-forkoff-miscalculation-related-to-xfs_litino-mp.patch diff --git a/queue-5.4/xfs-fix-forkoff-miscalculation-related-to-xfs_litino-mp.patch b/queue-5.4/xfs-fix-forkoff-miscalculation-related-to-xfs_litino-mp.patch new file mode 100644 index 00000000000..bc793ccef94 --- /dev/null +++ b/queue-5.4/xfs-fix-forkoff-miscalculation-related-to-xfs_litino-mp.patch 
@@ -0,0 +1,89 @@ +From ada49d64fb3538144192181db05de17e2ffc3551 Mon Sep 17 00:00:00 2001 +From: Gao Xiang +Date: Sat, 14 Nov 2020 11:06:01 -0800 +Subject: xfs: fix forkoff miscalculation related to XFS_LITINO(mp) + +From: Gao Xiang + +commit ada49d64fb3538144192181db05de17e2ffc3551 upstream. + +Currently, commit e9e2eae89ddb dropped a (int) decoration from +XFS_LITINO(mp), and since sizeof() expression is also involved, +the result of XFS_LITINO(mp) is simply as the size_t type +(commonly unsigned long). + +Considering the expression in xfs_attr_shortform_bytesfit(): + offset = (XFS_LITINO(mp) - bytes) >> 3; +let "bytes" be (int)340, and + "XFS_LITINO(mp)" be (unsigned long)336. + +on 64-bit platform, the expression is + offset = ((unsigned long)336 - (int)340) >> 3 = + (int)(0xfffffffffffffffcUL >> 3) = -1 + +but on 32-bit platform, the expression is + offset = ((unsigned long)336 - (int)340) >> 3 = + (int)(0xfffffffcUL >> 3) = 0x1fffffff +instead. + +so offset becomes a large positive number on 32-bit platform, and +cause xfs_attr_shortform_bytesfit() returns maxforkoff rather than 0. + +Therefore, one result is + "ASSERT(new_size <= XFS_IFORK_SIZE(ip, whichfork));" + +assertion failure in xfs_idata_realloc(), which was also the root +cause of the original bugreport from Dennis, see: + https://bugzilla.redhat.com/show_bug.cgi?id=1894177 + +And it can also be manually triggered with the following commands: + $ touch a; + $ setfattr -n user.0 -v "`seq 0 80`" a; + $ setfattr -n user.1 -v "`seq 0 80`" a + +on 32-bit platform. + +Fix the case in xfs_attr_shortform_bytesfit() by bailing out +"XFS_LITINO(mp) < bytes" in advance suggested by Eric and a misleading +comment together with this bugfix suggested by Darrick. It seems the +other users of XFS_LITINO(mp) are not impacted. 
+ +Fixes: e9e2eae89ddb ("xfs: only check the superblock version for dinode size calculation") +Cc: # 5.7+ +Reported-and-tested-by: Dennis Gilmore +Reviewed-by: Christoph Hellwig +Signed-off-by: Gao Xiang +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Chandan Babu R +Acked-by: Darrick J. Wong +Signed-off-by: Greg Kroah-Hartman + +--- + fs/xfs/libxfs/xfs_attr_leaf.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/xfs/libxfs/xfs_attr_leaf.c ++++ b/fs/xfs/libxfs/xfs_attr_leaf.c +@@ -435,7 +435,7 @@ xfs_attr_copy_value( + *========================================================================*/ + + /* +- * Query whether the requested number of additional bytes of extended ++ * Query whether the total requested number of attr fork bytes of extended + * attribute space will be able to fit inline. + * + * Returns zero if not, else the di_forkoff fork offset to be used in the +@@ -455,6 +455,12 @@ xfs_attr_shortform_bytesfit( + int maxforkoff; + int offset; + ++ /* ++ * Check if the new size could fit at all first: ++ */ ++ if (bytes > XFS_LITINO(mp)) ++ return 0; ++ + /* rounded down */ + offset = (XFS_LITINO(mp) - bytes) >> 3; +
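
Review bot: The changelog of the queued patch carries "Cc: # 5.7+" and "Fixes: e9e2eae89ddb", but the series hunk adds it to queue-5.4/series, and nothing in the patch says why a 5.4 tree needs it. The added Signed-off-by and Acked-by lines suggest a backport. If so, a short bracketed note above the backporter's sign-off should state that 5.4-stable already carries e9e2eae89ddb, or otherwise has the unsigned XFS_LITINO(mp). Without that the fix looks out of range for this queue.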
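
Review bot: In the comment hunk at xfs_attr_leaf.c line 435, the reworded sentence "Query whether the total requested number of attr fork bytes of extended attribute space will be able to fit inline" is hard to parse, because "of attr fork bytes of extended attribute space" stacks two qualifiers. The point of the change is that "bytes" is the total attr fork size rather than an increment, so something like "Query whether the requested total attr fork size, in bytes, will fit inline" would say that directly. It would also help to name the "bytes" parameter in the comment so the caller contract is explicit.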
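
Review bot: The new guard in xfs_attr_shortform_bytesfit(), "if (bytes > XFS_LITINO(mp))", is itself a mixed comparison between what the changelog describes as an int and a size_t, and its comment "Check if the new size could fit at all first:" does not say why the check is needed. The comparison happens to fail safe: a negative "bytes" is converted to a large unsigned value and the function returns 0. That deserves a sentence in the comment, along with the actual reason for the guard: XFS_LITINO(mp) is unsigned, so "(XFS_LITINO(mp) - bytes) >> 3" wraps to a large positive offset on 32-bit instead of going negative. Otherwise a later cleanup could drop the check as redundant and reintroduce the xfs_idata_realloc() assertion failure described in the changelog.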