From d096b26c33a858ad88db98306057da67e6d18611 Mon Sep 17 00:00:00 2001
From: Dave Chinner <dchinner@redhat.com>
Date: Wed, 6 Sep 2023 13:52:48 +0200
Subject: [PATCH] xfs: fix bounds check in xfs_defer_agfl_block()
Source kernel commit: 2bed0d82c2f78b91a0a9a5a73da57ee883a0c070
Need to happen before we allocate and then leak the xefi. Found by
coverity via an xfsprogs libxfs scan.
[djwong: This also fixes the type of the @agbno argument.]
Fixes: 7dfee17b13e5 ("xfs: validate block number being freed before adding to xefi")
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
---
libxfs/xfs_alloc.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
Index: xfsprogs-6.4.0/libxfs/xfs_alloc.c
===================================================================
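--- xfsprogs-6.4.0.orig/libxfs/xfs_alloc.c
+++ xfsprogs-6.4.0/libxfs/xfs_alloc.c
@@ -2431,24 +2431,25 @@ static int
 xfs_defer_agfl_block(
 struct xfs_trans *tp,
 xfs_agnumber_t agno,
- xfs_fsblock_t agbno,
+ xfs_agblock_t agbno,
 struct xfs_owner_info *oinfo)
 {
 struct xfs_mount *mp = tp->t_mountp;
 struct xfs_extent_free_item *xefi;
+ xfs_fsblock_t fsbno = XFS_AGB_TO_FSB(mp, agno, agbno);
 
 ASSERT(xfs_extfree_item_cache != NULL);
 ASSERT(oinfo != NULL);
 
+ if (XFS_IS_CORRUPT(mp, !xfs_verify_fsbno(mp, fsbno)))
+ return -EFSCORRUPTED;
+
 xefi = kmem_cache_zalloc(xfs_extfree_item_cache,
 GFP_KERNEL | __GFP_NOFAIL);
- xefi->xefi_startblock = XFS_AGB_TO_FSB(mp, agno, agbno);
+ xefi->xefi_startblock = fsbno;
 xefi->xefi_blockcount = 1;
 xefi->xefi_owner = oinfo->oi_owner;
 
- if (XFS_IS_CORRUPT(mp, !xfs_verify_fsbno(mp, xefi->xefi_startblock)))
- return -EFSCORRUPTED;
-
 trace_xfs_agfl_free_defer(mp, agno, 0, agbno, 1);
 
 xfs_extent_free_get_group(mp, xefi);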
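Review bot: The ordering this fix depends on is not recorded in the code: the `xfs_verify_fsbno()` check has to stay above `kmem_cache_zalloc()` because the `-EFSCORRUPTED` return has no cleanup path for `xefi`, and nothing tells a later editor that. I would add a comment above the check, `/* Validate before allocating; an error return after kmem_cache_zalloc() would leak the xefi. */`. Separately, the check is applied to the composed `fsbno` rather than to `agbno` itself; if `XFS_AGB_TO_FSB()` combines `agno` and `agbno` by shift-and-or (its definition is not visible here), an out-of-range `agbno` could produce a block number that verifies but lies in a different AG than `agno`, so it is worth confirming that callers range-check `agbno` against the AG before this point. The function body continues past the end of the hunk.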