2018-06-06 02:42:14 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0
|
2013-08-12 10:49:39 +00:00
|
|
|
/*
|
|
|
|
|
* Copyright (c) 2000-2005 Silicon Graphics, Inc.
|
|
|
|
|
* Copyright (c) 2013 Red Hat, Inc.
|
|
|
|
|
* All Rights Reserved.
|
|
|
|
|
*/
|
|
|
|
|
#include "xfs.h"
|
|
|
|
|
#include "xfs_fs.h"
|
2013-10-22 23:36:05 +00:00
|
|
|
#include "xfs_shared.h"
|
2013-10-22 23:50:10 +00:00
|
|
|
#include "xfs_format.h"
|
|
|
|
|
#include "xfs_log_format.h"
|
|
|
|
|
#include "xfs_trans_resv.h"
|
2013-08-12 10:49:39 +00:00
|
|
|
#include "xfs_bit.h"
|
|
|
|
|
#include "xfs_mount.h"
|
2013-10-14 22:17:51 +00:00
|
|
|
#include "xfs_da_format.h"
|
2013-08-12 10:49:39 +00:00
|
|
|
#include "xfs_da_btree.h"
|
2013-10-22 23:51:50 +00:00
|
|
|
#include "xfs_inode.h"
|
2021-04-26 22:00:33 +00:00
|
|
|
#include "xfs_attr.h"
|
2013-08-12 10:49:39 +00:00
|
|
|
#include "xfs_attr_remote.h"
|
2013-10-22 23:50:10 +00:00
|
|
|
#include "xfs_trans.h"
|
2013-08-12 10:49:39 +00:00
|
|
|
#include "xfs_bmap.h"
|
|
|
|
|
#include "xfs_attr_leaf.h"
|
|
|
|
|
#include "xfs_quota.h"
|
2013-10-29 11:11:51 +00:00
|
|
|
#include "xfs_dir2.h"
|
2019-11-02 16:40:53 +00:00
|
|
|
#include "xfs_error.h"
|
2013-08-12 10:49:39 +00:00
|
|
|
|
|
|
|
|
/*
|
xfs: fix memory corruption during remote attr value buffer invalidation
While running generic/103, I observed what looks like memory corruption
and (with slub debugging turned on) a slub redzone warning on i386 when
inactivating an inode with a 64k remote attr value.
On a v5 filesystem, maximally sized remote attr values require one block
more than 64k worth of space to hold both the remote attribute value
header (64 bytes). On a 4k block filesystem this results in a 68k
buffer; on a 64k block filesystem, this would be a 128k buffer. Note
that even though we'll never use more than 65,600 bytes of this buffer,
XFS_MAX_BLOCKSIZE is 64k.
This is a problem because the definition of struct xfs_buf_log_format
allows for XFS_MAX_BLOCKSIZE worth of dirty bitmap (64k). On i386 when we
invalidate a remote attribute, xfs_trans_binval zeroes all 68k worth of
the dirty map, writing right off the end of the log item and corrupting
memory. We've gotten away with this on x86_64 for years because the
compiler inserts a u32 padding on the end of struct xfs_buf_log_format.
Fortunately for us, remote attribute values are written to disk with
xfs_bwrite(), which is to say that they are not logged. Fix the problem
by removing all places where we could end up creating a buffer log item
for a remote attribute value and leave a note explaining why. Next,
replace the open-coded buffer invalidation with a call to the helper we
created in the previous patch that does better checking for bad metadata
before marking the buffer stale.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2020-01-08 00:11:45 +00:00
|
|
|
* Invalidate any incore buffers associated with this remote attribute value
|
|
|
|
|
* extent. We never log remote attribute value buffers, which means that they
|
|
|
|
|
* won't be attached to a transaction and are therefore safe to mark stale.
|
|
|
|
|
* The actual bunmapi will be taken care of later.
|
2013-08-12 10:49:39 +00:00
|
|
|
*/
|
|
|
|
|
STATIC int
|
xfs: fix memory corruption during remote attr value buffer invalidation
While running generic/103, I observed what looks like memory corruption
and (with slub debugging turned on) a slub redzone warning on i386 when
inactivating an inode with a 64k remote attr value.
On a v5 filesystem, maximally sized remote attr values require one block
more than 64k worth of space to hold both the remote attribute value
header (64 bytes). On a 4k block filesystem this results in a 68k
buffer; on a 64k block filesystem, this would be a 128k buffer. Note
that even though we'll never use more than 65,600 bytes of this buffer,
XFS_MAX_BLOCKSIZE is 64k.
This is a problem because the definition of struct xfs_buf_log_format
allows for XFS_MAX_BLOCKSIZE worth of dirty bitmap (64k). On i386 when we
invalidate a remote attribute, xfs_trans_binval zeroes all 68k worth of
the dirty map, writing right off the end of the log item and corrupting
memory. We've gotten away with this on x86_64 for years because the
compiler inserts a u32 padding on the end of struct xfs_buf_log_format.
Fortunately for us, remote attribute values are written to disk with
xfs_bwrite(), which is to say that they are not logged. Fix the problem
by removing all places where we could end up creating a buffer log item
for a remote attribute value and leave a note explaining why. Next,
replace the open-coded buffer invalidation with a call to the helper we
created in the previous patch that does better checking for bad metadata
before marking the buffer stale.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2020-01-08 00:11:45 +00:00
|
|
|
xfs_attr3_rmt_stale(
|
2013-08-12 10:49:39 +00:00
|
|
|
struct xfs_inode *dp,
|
|
|
|
|
xfs_dablk_t blkno,
|
|
|
|
|
int blkcnt)
|
|
|
|
|
{
|
|
|
|
|
struct xfs_bmbt_irec map;
|
|
|
|
|
int nmap;
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Roll through the "value", invalidating the attribute value's
|
|
|
|
|
* blocks.
|
|
|
|
|
*/
|
2020-01-14 22:31:49 +00:00
|
|
|
while (blkcnt > 0) {
|
2013-08-12 10:49:39 +00:00
|
|
|
/*
|
|
|
|
|
* Try to remember where we decided to put the value.
|
|
|
|
|
*/
|
|
|
|
|
nmap = 1;
|
2020-01-14 22:31:49 +00:00
|
|
|
error = xfs_bmapi_read(dp, (xfs_fileoff_t)blkno, blkcnt,
|
2013-08-12 10:49:39 +00:00
|
|
|
&map, &nmap, XFS_BMAPI_ATTRFORK);
|
xfs: fix memory corruption during remote attr value buffer invalidation
While running generic/103, I observed what looks like memory corruption
and (with slub debugging turned on) a slub redzone warning on i386 when
inactivating an inode with a 64k remote attr value.
On a v5 filesystem, maximally sized remote attr values require one block
more than 64k worth of space to hold both the remote attribute value
header (64 bytes). On a 4k block filesystem this results in a 68k
buffer; on a 64k block filesystem, this would be a 128k buffer. Note
that even though we'll never use more than 65,600 bytes of this buffer,
XFS_MAX_BLOCKSIZE is 64k.
This is a problem because the definition of struct xfs_buf_log_format
allows for XFS_MAX_BLOCKSIZE worth of dirty bitmap (64k). On i386 when we
invalidate a remote attribute, xfs_trans_binval zeroes all 68k worth of
the dirty map, writing right off the end of the log item and corrupting
memory. We've gotten away with this on x86_64 for years because the
compiler inserts a u32 padding on the end of struct xfs_buf_log_format.
Fortunately for us, remote attribute values are written to disk with
xfs_bwrite(), which is to say that they are not logged. Fix the problem
by removing all places where we could end up creating a buffer log item
for a remote attribute value and leave a note explaining why. Next,
replace the open-coded buffer invalidation with a call to the helper we
created in the previous patch that does better checking for bad metadata
before marking the buffer stale.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2020-01-08 00:11:45 +00:00
|
|
|
if (error)
|
2014-06-22 05:03:54 +00:00
|
|
|
return error;
|
xfs: fix memory corruption during remote attr value buffer invalidation
While running generic/103, I observed what looks like memory corruption
and (with slub debugging turned on) a slub redzone warning on i386 when
inactivating an inode with a 64k remote attr value.
On a v5 filesystem, maximally sized remote attr values require one block
more than 64k worth of space to hold both the remote attribute value
header (64 bytes). On a 4k block filesystem this results in a 68k
buffer; on a 64k block filesystem, this would be a 128k buffer. Note
that even though we'll never use more than 65,600 bytes of this buffer,
XFS_MAX_BLOCKSIZE is 64k.
This is a problem because the definition of struct xfs_buf_log_format
allows for XFS_MAX_BLOCKSIZE worth of dirty bitmap (64k). On i386 when we
invalidate a remote attribute, xfs_trans_binval zeroes all 68k worth of
the dirty map, writing right off the end of the log item and corrupting
memory. We've gotten away with this on x86_64 for years because the
compiler inserts a u32 padding on the end of struct xfs_buf_log_format.
Fortunately for us, remote attribute values are written to disk with
xfs_bwrite(), which is to say that they are not logged. Fix the problem
by removing all places where we could end up creating a buffer log item
for a remote attribute value and leave a note explaining why. Next,
replace the open-coded buffer invalidation with a call to the helper we
created in the previous patch that does better checking for bad metadata
before marking the buffer stale.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2020-01-08 00:11:45 +00:00
|
|
|
if (XFS_IS_CORRUPT(dp->i_mount, nmap != 1))
|
|
|
|
|
return -EFSCORRUPTED;
|
2013-08-12 10:49:39 +00:00
|
|
|
|
|
|
|
|
/*
|
xfs: fix memory corruption during remote attr value buffer invalidation
While running generic/103, I observed what looks like memory corruption
and (with slub debugging turned on) a slub redzone warning on i386 when
inactivating an inode with a 64k remote attr value.
On a v5 filesystem, maximally sized remote attr values require one block
more than 64k worth of space to hold both the remote attribute value
header (64 bytes). On a 4k block filesystem this results in a 68k
buffer; on a 64k block filesystem, this would be a 128k buffer. Note
that even though we'll never use more than 65,600 bytes of this buffer,
XFS_MAX_BLOCKSIZE is 64k.
This is a problem because the definition of struct xfs_buf_log_format
allows for XFS_MAX_BLOCKSIZE worth of dirty bitmap (64k). On i386 when we
invalidate a remote attribute, xfs_trans_binval zeroes all 68k worth of
the dirty map, writing right off the end of the log item and corrupting
memory. We've gotten away with this on x86_64 for years because the
compiler inserts a u32 padding on the end of struct xfs_buf_log_format.
Fortunately for us, remote attribute values are written to disk with
xfs_bwrite(), which is to say that they are not logged. Fix the problem
by removing all places where we could end up creating a buffer log item
for a remote attribute value and leave a note explaining why. Next,
replace the open-coded buffer invalidation with a call to the helper we
created in the previous patch that does better checking for bad metadata
before marking the buffer stale.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2020-01-08 00:11:45 +00:00
|
|
|
* Mark any incore buffers for the remote value as stale. We
|
|
|
|
|
* never log remote attr value buffers, so the buffer should be
|
|
|
|
|
* easy to kill.
|
2013-08-12 10:49:39 +00:00
|
|
|
*/
|
xfs: fix memory corruption during remote attr value buffer invalidation
While running generic/103, I observed what looks like memory corruption
and (with slub debugging turned on) a slub redzone warning on i386 when
inactivating an inode with a 64k remote attr value.
On a v5 filesystem, maximally sized remote attr values require one block
more than 64k worth of space to hold both the remote attribute value
header (64 bytes). On a 4k block filesystem this results in a 68k
buffer; on a 64k block filesystem, this would be a 128k buffer. Note
that even though we'll never use more than 65,600 bytes of this buffer,
XFS_MAX_BLOCKSIZE is 64k.
This is a problem because the definition of struct xfs_buf_log_format
allows for XFS_MAX_BLOCKSIZE worth of dirty bitmap (64k). On i386 when we
invalidate a remote attribute, xfs_trans_binval zeroes all 68k worth of
the dirty map, writing right off the end of the log item and corrupting
memory. We've gotten away with this on x86_64 for years because the
compiler inserts a u32 padding on the end of struct xfs_buf_log_format.
Fortunately for us, remote attribute values are written to disk with
xfs_bwrite(), which is to say that they are not logged. Fix the problem
by removing all places where we could end up creating a buffer log item
for a remote attribute value and leave a note explaining why. Next,
replace the open-coded buffer invalidation with a call to the helper we
created in the previous patch that does better checking for bad metadata
before marking the buffer stale.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2020-01-08 00:11:45 +00:00
|
|
|
error = xfs_attr_rmtval_stale(dp, &map, 0);
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
2013-08-12 10:49:39 +00:00
|
|
|
|
2020-01-14 22:31:49 +00:00
|
|
|
blkno += map.br_blockcount;
|
|
|
|
|
blkcnt -= map.br_blockcount;
|
2013-08-12 10:49:39 +00:00
|
|
|
}
|
|
|
|
|
|
2014-06-22 05:03:54 +00:00
|
|
|
return 0;
|
2013-08-12 10:49:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Invalidate all of the "remote" value regions pointed to by a particular
|
|
|
|
|
* leaf block.
|
|
|
|
|
* Note that we must release the lock on the buffer so that we are not
|
|
|
|
|
* caught holding something that the logging code wants to flush to disk.
|
|
|
|
|
*/
|
|
|
|
|
STATIC int
|
|
|
|
|
xfs_attr3_leaf_inactive(
|
2020-01-14 22:31:49 +00:00
|
|
|
struct xfs_trans **trans,
|
|
|
|
|
struct xfs_inode *dp,
|
|
|
|
|
struct xfs_buf *bp)
|
2013-08-12 10:49:39 +00:00
|
|
|
{
|
2020-01-14 22:31:49 +00:00
|
|
|
struct xfs_attr3_icleaf_hdr ichdr;
|
|
|
|
|
struct xfs_mount *mp = bp->b_mount;
|
|
|
|
|
struct xfs_attr_leafblock *leaf = bp->b_addr;
|
|
|
|
|
struct xfs_attr_leaf_entry *entry;
|
2013-08-12 10:49:39 +00:00
|
|
|
struct xfs_attr_leaf_name_remote *name_rmt;
|
2020-01-23 15:54:09 +00:00
|
|
|
int error = 0;
|
2020-01-14 22:31:49 +00:00
|
|
|
int i;
|
2013-08-12 10:49:39 +00:00
|
|
|
|
2015-04-13 01:26:02 +00:00
|
|
|
xfs_attr3_leaf_hdr_from_disk(mp->m_attr_geo, &ichdr, leaf);
|
2013-08-12 10:49:39 +00:00
|
|
|
|
|
|
|
|
/*
|
2020-01-14 22:31:49 +00:00
|
|
|
* Find the remote value extents for this leaf and invalidate their
|
|
|
|
|
* incore buffers.
|
2013-08-12 10:49:39 +00:00
|
|
|
*/
|
|
|
|
|
entry = xfs_attr3_leaf_entryp(leaf);
|
|
|
|
|
for (i = 0; i < ichdr.count; entry++, i++) {
|
2020-01-14 22:31:49 +00:00
|
|
|
int blkcnt;
|
2013-08-12 10:49:39 +00:00
|
|
|
|
2020-01-14 22:31:49 +00:00
|
|
|
if (!entry->nameidx || (entry->flags & XFS_ATTR_LOCAL))
|
|
|
|
|
continue;
|
2013-08-12 10:49:39 +00:00
|
|
|
|
2020-01-14 22:31:49 +00:00
|
|
|
name_rmt = xfs_attr3_leaf_name_remote(leaf, i);
|
|
|
|
|
if (!name_rmt->valueblk)
|
|
|
|
|
continue;
|
2013-08-12 10:49:39 +00:00
|
|
|
|
2020-01-14 22:31:49 +00:00
|
|
|
blkcnt = xfs_attr3_rmt_blocks(dp->i_mount,
|
|
|
|
|
be32_to_cpu(name_rmt->valuelen));
|
|
|
|
|
error = xfs_attr3_rmt_stale(dp,
|
|
|
|
|
be32_to_cpu(name_rmt->valueblk), blkcnt);
|
|
|
|
|
if (error)
|
|
|
|
|
goto err;
|
2013-08-12 10:49:39 +00:00
|
|
|
}
|
|
|
|
|
|
2020-01-14 22:31:49 +00:00
|
|
|
xfs_trans_brelse(*trans, bp);
|
|
|
|
|
err:
|
2013-08-12 10:49:39 +00:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Recurse (gasp!) through the attribute nodes until we find leaves.
|
|
|
|
|
* We're doing a depth-first traversal in order to invalidate everything.
|
|
|
|
|
*/
|
|
|
|
|
STATIC int
|
|
|
|
|
xfs_attr3_node_inactive(
|
2019-11-08 22:57:48 +00:00
|
|
|
struct xfs_trans **trans,
|
|
|
|
|
struct xfs_inode *dp,
|
|
|
|
|
struct xfs_buf *bp,
|
|
|
|
|
int level)
|
2013-08-12 10:49:39 +00:00
|
|
|
{
|
2019-11-20 17:46:05 +00:00
|
|
|
struct xfs_mount *mp = dp->i_mount;
|
2019-11-08 22:57:48 +00:00
|
|
|
struct xfs_da_blkinfo *info;
|
|
|
|
|
xfs_dablk_t child_fsb;
|
|
|
|
|
xfs_daddr_t parent_blkno, child_blkno;
|
|
|
|
|
struct xfs_buf *child_bp;
|
2013-08-12 10:49:39 +00:00
|
|
|
struct xfs_da3_icnode_hdr ichdr;
|
2019-11-08 22:57:48 +00:00
|
|
|
int error, i;
|
2013-08-12 10:49:39 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Since this code is recursive (gasp!) we must protect ourselves.
|
|
|
|
|
*/
|
|
|
|
|
if (level > XFS_DA_NODE_MAXDEPTH) {
|
2020-03-11 17:37:54 +00:00
|
|
|
xfs_buf_mark_corrupt(bp);
|
2020-03-11 17:37:53 +00:00
|
|
|
xfs_trans_brelse(*trans, bp); /* no locks for later trans */
|
2019-10-28 23:12:34 +00:00
|
|
|
return -EFSCORRUPTED;
|
2013-08-12 10:49:39 +00:00
|
|
|
}
|
|
|
|
|
|
2019-11-08 22:57:48 +00:00
|
|
|
xfs_da3_node_hdr_from_disk(dp->i_mount, &ichdr, bp->b_addr);
|
2021-08-19 01:47:05 +00:00
|
|
|
parent_blkno = xfs_buf_daddr(bp);
|
2013-08-12 10:49:39 +00:00
|
|
|
if (!ichdr.count) {
|
|
|
|
|
xfs_trans_brelse(*trans, bp);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2019-11-08 22:57:48 +00:00
|
|
|
child_fsb = be32_to_cpu(ichdr.btree[0].before);
|
2013-08-12 10:49:39 +00:00
|
|
|
xfs_trans_brelse(*trans, bp); /* no locks for later trans */
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If this is the node level just above the leaves, simply loop
|
|
|
|
|
* over the leaves removing all of them. If this is higher up
|
|
|
|
|
* in the tree, recurse downward.
|
|
|
|
|
*/
|
|
|
|
|
for (i = 0; i < ichdr.count; i++) {
|
|
|
|
|
/*
|
|
|
|
|
* Read the subsidiary block to see what we have to work with.
|
|
|
|
|
* Don't do this in a transaction. This is a depth-first
|
|
|
|
|
* traversal of the tree so we may deal with many blocks
|
|
|
|
|
* before we come back to this one.
|
|
|
|
|
*/
|
2019-11-20 17:46:04 +00:00
|
|
|
error = xfs_da3_node_read(*trans, dp, child_fsb, &child_bp,
|
2017-10-17 21:16:28 +00:00
|
|
|
XFS_ATTR_FORK);
|
2013-08-12 10:49:39 +00:00
|
|
|
if (error)
|
2014-06-22 05:03:54 +00:00
|
|
|
return error;
|
2013-08-12 10:49:39 +00:00
|
|
|
|
2017-10-17 21:16:28 +00:00
|
|
|
/* save for re-read later */
|
2021-08-19 01:46:57 +00:00
|
|
|
child_blkno = xfs_buf_daddr(child_bp);
|
2013-08-12 10:49:39 +00:00
|
|
|
|
2017-10-17 21:16:28 +00:00
|
|
|
/*
|
|
|
|
|
* Invalidate the subtree, however we have to.
|
|
|
|
|
*/
|
|
|
|
|
info = child_bp->b_addr;
|
|
|
|
|
switch (info->magic) {
|
|
|
|
|
case cpu_to_be16(XFS_DA_NODE_MAGIC):
|
|
|
|
|
case cpu_to_be16(XFS_DA3_NODE_MAGIC):
|
|
|
|
|
error = xfs_attr3_node_inactive(trans, dp, child_bp,
|
|
|
|
|
level + 1);
|
|
|
|
|
break;
|
|
|
|
|
case cpu_to_be16(XFS_ATTR_LEAF_MAGIC):
|
|
|
|
|
case cpu_to_be16(XFS_ATTR3_LEAF_MAGIC):
|
|
|
|
|
error = xfs_attr3_leaf_inactive(trans, dp, child_bp);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
2020-03-11 17:37:54 +00:00
|
|
|
xfs_buf_mark_corrupt(child_bp);
|
2017-10-17 21:16:28 +00:00
|
|
|
xfs_trans_brelse(*trans, child_bp);
|
2019-11-02 16:40:53 +00:00
|
|
|
error = -EFSCORRUPTED;
|
2017-10-17 21:16:28 +00:00
|
|
|
break;
|
2013-08-12 10:49:39 +00:00
|
|
|
}
|
2017-10-17 21:16:28 +00:00
|
|
|
if (error)
|
|
|
|
|
return error;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Remove the subsidiary block from the cache and from the log.
|
|
|
|
|
*/
|
2020-01-24 01:01:18 +00:00
|
|
|
error = xfs_trans_get_buf(*trans, mp->m_ddev_targp,
|
2019-11-20 17:46:05 +00:00
|
|
|
child_blkno,
|
2020-01-24 01:01:18 +00:00
|
|
|
XFS_FSB_TO_BB(mp, mp->m_attr_geo->fsbcount), 0,
|
|
|
|
|
&child_bp);
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
2019-11-20 17:46:05 +00:00
|
|
|
error = bp->b_error;
|
|
|
|
|
if (error) {
|
|
|
|
|
xfs_trans_brelse(*trans, child_bp);
|
2017-10-17 21:16:28 +00:00
|
|
|
return error;
|
2019-11-20 17:46:05 +00:00
|
|
|
}
|
2017-10-17 21:16:28 +00:00
|
|
|
xfs_trans_binval(*trans, child_bp);
|
2013-08-12 10:49:39 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If we're not done, re-read the parent to get the next
|
|
|
|
|
* child block number.
|
|
|
|
|
*/
|
|
|
|
|
if (i + 1 < ichdr.count) {
|
2019-11-08 22:57:48 +00:00
|
|
|
struct xfs_da3_icnode_hdr phdr;
|
|
|
|
|
|
2019-11-20 17:46:04 +00:00
|
|
|
error = xfs_da3_node_read_mapped(*trans, dp,
|
|
|
|
|
parent_blkno, &bp, XFS_ATTR_FORK);
|
2013-08-12 10:49:39 +00:00
|
|
|
if (error)
|
|
|
|
|
return error;
|
2019-11-08 22:57:48 +00:00
|
|
|
xfs_da3_node_hdr_from_disk(dp->i_mount, &phdr,
|
|
|
|
|
bp->b_addr);
|
|
|
|
|
child_fsb = be32_to_cpu(phdr.btree[i + 1].before);
|
2013-08-12 10:49:39 +00:00
|
|
|
xfs_trans_brelse(*trans, bp);
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* Atomically commit the whole invalidate stuff.
|
|
|
|
|
*/
|
2017-08-28 17:21:03 +00:00
|
|
|
error = xfs_trans_roll_inode(trans, dp);
|
2013-08-12 10:49:39 +00:00
|
|
|
if (error)
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Indiscriminately delete the entire attribute fork
|
|
|
|
|
*
|
|
|
|
|
* Recurse (gasp!) through the attribute nodes until we find leaves.
|
|
|
|
|
* We're doing a depth-first traversal in order to invalidate everything.
|
|
|
|
|
*/
|
2016-06-01 07:38:15 +00:00
|
|
|
static int
|
2013-08-12 10:49:39 +00:00
|
|
|
xfs_attr3_root_inactive(
|
|
|
|
|
struct xfs_trans **trans,
|
|
|
|
|
struct xfs_inode *dp)
|
|
|
|
|
{
|
2019-11-20 17:46:05 +00:00
|
|
|
struct xfs_mount *mp = dp->i_mount;
|
2013-08-12 10:49:39 +00:00
|
|
|
struct xfs_da_blkinfo *info;
|
|
|
|
|
struct xfs_buf *bp;
|
|
|
|
|
xfs_daddr_t blkno;
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Read block 0 to see what we have to work with.
|
|
|
|
|
* We only get here if we have extents, since we remove
|
|
|
|
|
* the extents in reverse order the extent containing
|
|
|
|
|
* block 0 must still be there.
|
|
|
|
|
*/
|
2019-11-20 17:46:04 +00:00
|
|
|
error = xfs_da3_node_read(*trans, dp, 0, &bp, XFS_ATTR_FORK);
|
2013-08-12 10:49:39 +00:00
|
|
|
if (error)
|
|
|
|
|
return error;
|
2021-08-19 01:47:05 +00:00
|
|
|
blkno = xfs_buf_daddr(bp);
|
2013-08-12 10:49:39 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Invalidate the tree, even if the "tree" is only a single leaf block.
|
|
|
|
|
* This is a depth-first traversal!
|
|
|
|
|
*/
|
|
|
|
|
info = bp->b_addr;
|
|
|
|
|
switch (info->magic) {
|
|
|
|
|
case cpu_to_be16(XFS_DA_NODE_MAGIC):
|
|
|
|
|
case cpu_to_be16(XFS_DA3_NODE_MAGIC):
|
|
|
|
|
error = xfs_attr3_node_inactive(trans, dp, bp, 1);
|
|
|
|
|
break;
|
|
|
|
|
case cpu_to_be16(XFS_ATTR_LEAF_MAGIC):
|
|
|
|
|
case cpu_to_be16(XFS_ATTR3_LEAF_MAGIC):
|
|
|
|
|
error = xfs_attr3_leaf_inactive(trans, dp, bp);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
2019-10-28 23:12:34 +00:00
|
|
|
error = -EFSCORRUPTED;
|
2020-03-11 17:37:54 +00:00
|
|
|
xfs_buf_mark_corrupt(bp);
|
2013-08-12 10:49:39 +00:00
|
|
|
xfs_trans_brelse(*trans, bp);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Invalidate the incore copy of the root block.
|
|
|
|
|
*/
|
2020-01-24 01:01:18 +00:00
|
|
|
error = xfs_trans_get_buf(*trans, mp->m_ddev_targp, blkno,
|
|
|
|
|
XFS_FSB_TO_BB(mp, mp->m_attr_geo->fsbcount), 0, &bp);
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
2019-11-20 17:46:05 +00:00
|
|
|
error = bp->b_error;
|
|
|
|
|
if (error) {
|
|
|
|
|
xfs_trans_brelse(*trans, bp);
|
2013-08-12 10:49:39 +00:00
|
|
|
return error;
|
2019-11-20 17:46:05 +00:00
|
|
|
}
|
2013-08-12 10:49:39 +00:00
|
|
|
xfs_trans_binval(*trans, bp); /* remove from cache */
|
|
|
|
|
/*
|
|
|
|
|
* Commit the invalidate and start the next transaction.
|
|
|
|
|
*/
|
2017-08-28 17:21:03 +00:00
|
|
|
error = xfs_trans_roll_inode(trans, dp);
|
2013-08-12 10:49:39 +00:00
|
|
|
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-28 21:40:08 +00:00
|
|
|
/*
|
|
|
|
|
* xfs_attr_inactive kills all traces of an attribute fork on an inode. It
|
|
|
|
|
* removes both the on-disk and in-memory inode fork. Note that this also has to
|
|
|
|
|
* handle the condition of inodes without attributes but with an attribute fork
|
|
|
|
|
* configured, so we can't use xfs_inode_hasattr() here.
|
|
|
|
|
*
|
|
|
|
|
* The in-memory attribute fork is removed even on error.
|
|
|
|
|
*/
|
2013-08-12 10:49:39 +00:00
|
|
|
int
|
2015-05-28 21:40:08 +00:00
|
|
|
xfs_attr_inactive(
|
|
|
|
|
struct xfs_inode *dp)
|
2013-08-12 10:49:39 +00:00
|
|
|
{
|
2015-05-28 21:40:08 +00:00
|
|
|
struct xfs_trans *trans;
|
|
|
|
|
struct xfs_mount *mp;
|
|
|
|
|
int lock_mode = XFS_ILOCK_SHARED;
|
|
|
|
|
int error = 0;
|
2013-08-12 10:49:39 +00:00
|
|
|
|
|
|
|
|
mp = dp->i_mount;
|
|
|
|
|
ASSERT(! XFS_NOT_DQATTACHED(mp, dp));
|
|
|
|
|
|
2015-05-28 21:40:08 +00:00
|
|
|
xfs_ilock(dp, lock_mode);
|
|
|
|
|
if (!XFS_IFORK_Q(dp))
|
|
|
|
|
goto out_destroy_fork;
|
|
|
|
|
xfs_iunlock(dp, lock_mode);
|
2013-08-12 10:49:39 +00:00
|
|
|
|
2015-05-28 21:40:08 +00:00
|
|
|
lock_mode = 0;
|
2016-04-05 23:19:55 +00:00
|
|
|
|
|
|
|
|
error = xfs_trans_alloc(mp, &M_RES(mp)->tr_attrinval, 0, 0, 0, &trans);
|
2015-05-28 21:40:08 +00:00
|
|
|
if (error)
|
2016-04-05 23:19:55 +00:00
|
|
|
goto out_destroy_fork;
|
2015-05-28 21:40:08 +00:00
|
|
|
|
|
|
|
|
lock_mode = XFS_ILOCK_EXCL;
|
|
|
|
|
xfs_ilock(dp, lock_mode);
|
|
|
|
|
|
|
|
|
|
if (!XFS_IFORK_Q(dp))
|
|
|
|
|
goto out_cancel;
|
2013-08-12 10:49:39 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* No need to make quota reservations here. We expect to release some
|
|
|
|
|
* blocks, not allocate, in the common case.
|
|
|
|
|
*/
|
|
|
|
|
xfs_trans_ijoin(trans, dp, 0);
|
|
|
|
|
|
2015-06-22 22:47:20 +00:00
|
|
|
/*
|
|
|
|
|
* Invalidate and truncate the attribute fork extents. Make sure the
|
|
|
|
|
* fork actually has attributes as otherwise the invalidation has no
|
|
|
|
|
* blocks to read and returns an error. In this case, just do the fork
|
|
|
|
|
* removal below.
|
|
|
|
|
*/
|
|
|
|
|
if (xfs_inode_hasattr(dp) &&
|
xfs: make inode attribute forks a permanent part of struct xfs_inode
Syzkaller reported a UAF bug a while back:
==================================================================
BUG: KASAN: use-after-free in xfs_ilock_attr_map_shared+0xe3/0xf6 fs/xfs/xfs_inode.c:127
Read of size 4 at addr ffff88802cec919c by task syz-executor262/2958
CPU: 2 PID: 2958 Comm: syz-executor262 Not tainted
5.15.0-0.30.3-20220406_1406 #3
Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7860+a7792d29
04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106
print_address_description.constprop.9+0x21/0x2d5 mm/kasan/report.c:256
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold.14+0x7f/0x11b mm/kasan/report.c:459
xfs_ilock_attr_map_shared+0xe3/0xf6 fs/xfs/xfs_inode.c:127
xfs_attr_get+0x378/0x4c2 fs/xfs/libxfs/xfs_attr.c:159
xfs_xattr_get+0xe3/0x150 fs/xfs/xfs_xattr.c:36
__vfs_getxattr+0xdf/0x13d fs/xattr.c:399
cap_inode_need_killpriv+0x41/0x5d security/commoncap.c:300
security_inode_need_killpriv+0x4c/0x97 security/security.c:1408
dentry_needs_remove_privs.part.28+0x21/0x63 fs/inode.c:1912
dentry_needs_remove_privs+0x80/0x9e fs/inode.c:1908
do_truncate+0xc3/0x1e0 fs/open.c:56
handle_truncate fs/namei.c:3084 [inline]
do_open fs/namei.c:3432 [inline]
path_openat+0x30ab/0x396d fs/namei.c:3561
do_filp_open+0x1c4/0x290 fs/namei.c:3588
do_sys_openat2+0x60d/0x98c fs/open.c:1212
do_sys_open+0xcf/0x13c fs/open.c:1228
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3a/0x7e arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0x0
RIP: 0033:0x7f7ef4bb753d
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73
01 c3 48 8b 0d 1b 79 2c 00 f7 d8 64 89 01 48
RSP: 002b:00007f7ef52c2ed8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 0000000000404148 RCX: 00007f7ef4bb753d
RDX: 00007f7ef4bb753d RSI: 0000000000000000 RDI: 0000000020004fc0
RBP: 0000000000404140 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e
R13: 00007ffd794db37f R14: 00007ffd794db470 R15: 00007f7ef52c2fc0
</TASK>
Allocated by task 2953:
kasan_save_stack+0x19/0x38 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x68/0x7c mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:3213 [inline]
slab_alloc mm/slub.c:3221 [inline]
kmem_cache_alloc+0x11b/0x3eb mm/slub.c:3226
kmem_cache_zalloc include/linux/slab.h:711 [inline]
xfs_ifork_alloc+0x25/0xa2 fs/xfs/libxfs/xfs_inode_fork.c:287
xfs_bmap_add_attrfork+0x3f2/0x9b1 fs/xfs/libxfs/xfs_bmap.c:1098
xfs_attr_set+0xe38/0x12a7 fs/xfs/libxfs/xfs_attr.c:746
xfs_xattr_set+0xeb/0x1a9 fs/xfs/xfs_xattr.c:59
__vfs_setxattr+0x11b/0x177 fs/xattr.c:180
__vfs_setxattr_noperm+0x128/0x5e0 fs/xattr.c:214
__vfs_setxattr_locked+0x1d4/0x258 fs/xattr.c:275
vfs_setxattr+0x154/0x33d fs/xattr.c:301
setxattr+0x216/0x29f fs/xattr.c:575
__do_sys_fsetxattr fs/xattr.c:632 [inline]
__se_sys_fsetxattr fs/xattr.c:621 [inline]
__x64_sys_fsetxattr+0x243/0x2fe fs/xattr.c:621
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3a/0x7e arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0x0
Freed by task 2949:
kasan_save_stack+0x19/0x38 mm/kasan/common.c:38
kasan_set_track+0x1c/0x21 mm/kasan/common.c:46
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free mm/kasan/common.c:328 [inline]
__kasan_slab_free+0xe2/0x10e mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1700 [inline]
slab_free_freelist_hook mm/slub.c:1726 [inline]
slab_free mm/slub.c:3492 [inline]
kmem_cache_free+0xdc/0x3ce mm/slub.c:3508
xfs_attr_fork_remove+0x8d/0x132 fs/xfs/libxfs/xfs_attr_leaf.c:773
xfs_attr_sf_removename+0x5dd/0x6cb fs/xfs/libxfs/xfs_attr_leaf.c:822
xfs_attr_remove_iter+0x68c/0x805 fs/xfs/libxfs/xfs_attr.c:1413
xfs_attr_remove_args+0xb1/0x10d fs/xfs/libxfs/xfs_attr.c:684
xfs_attr_set+0xf1e/0x12a7 fs/xfs/libxfs/xfs_attr.c:802
xfs_xattr_set+0xeb/0x1a9 fs/xfs/xfs_xattr.c:59
__vfs_removexattr+0x106/0x16a fs/xattr.c:468
cap_inode_killpriv+0x24/0x47 security/commoncap.c:324
security_inode_killpriv+0x54/0xa1 security/security.c:1414
setattr_prepare+0x1a6/0x897 fs/attr.c:146
xfs_vn_change_ok+0x111/0x15e fs/xfs/xfs_iops.c:682
xfs_vn_setattr_size+0x5f/0x15a fs/xfs/xfs_iops.c:1065
xfs_vn_setattr+0x125/0x2ad fs/xfs/xfs_iops.c:1093
notify_change+0xae5/0x10a1 fs/attr.c:410
do_truncate+0x134/0x1e0 fs/open.c:64
handle_truncate fs/namei.c:3084 [inline]
do_open fs/namei.c:3432 [inline]
path_openat+0x30ab/0x396d fs/namei.c:3561
do_filp_open+0x1c4/0x290 fs/namei.c:3588
do_sys_openat2+0x60d/0x98c fs/open.c:1212
do_sys_open+0xcf/0x13c fs/open.c:1228
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3a/0x7e arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0x0
The buggy address belongs to the object at ffff88802cec9188
which belongs to the cache xfs_ifork of size 40
The buggy address is located 20 bytes inside of
40-byte region [ffff88802cec9188, ffff88802cec91b0)
The buggy address belongs to the page:
page:00000000c3af36a1 refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x2cec9
flags: 0xfffffc0000200(slab|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0000200 ffffea00009d2580 0000000600000006 ffff88801a9ffc80
raw: 0000000000000000 0000000080490049 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88802cec9080: fb fb fb fc fc fa fb fb fb fb fc fc fb fb fb fb
ffff88802cec9100: fb fc fc fb fb fb fb fb fc fc fb fb fb fb fb fc
>ffff88802cec9180: fc fa fb fb fb fb fc fc fa fb fb fb fb fc fc fb
^
ffff88802cec9200: fb fb fb fb fc fc fb fb fb fb fb fc fc fb fb fb
ffff88802cec9280: fb fb fc fc fa fb fb fb fb fc fc fa fb fb fb fb
==================================================================
The root cause of this bug is the unlocked access to xfs_inode.i_afp
from the getxattr code paths while trying to determine which ILOCK mode
to use to stabilize the xattr data. Unfortunately, the VFS does not
acquire i_rwsem when vfs_getxattr (or listxattr) call into the
filesystem, which means that getxattr can race with a removexattr that's
tearing down the attr fork and crash:
xfs_attr_set: xfs_attr_get:
xfs_attr_fork_remove: xfs_ilock_attr_map_shared:
xfs_idestroy_fork(ip->i_afp);
kmem_cache_free(xfs_ifork_cache, ip->i_afp);
if (ip->i_afp &&
ip->i_afp = NULL;
xfs_need_iread_extents(ip->i_afp))
<KABOOM>
ip->i_forkoff = 0;
Regrettably, the VFS is much more lax about i_rwsem and getxattr than
is immediately obvious -- not only does it not guarantee that we hold
i_rwsem, it actually doesn't guarantee that we *don't* hold it either.
The getxattr system call won't acquire the lock before calling XFS, but
the file capabilities code calls getxattr with and without i_rwsem held
to determine if the "security.capabilities" xattr is set on the file.
Fixing the VFS locking requires a treewide investigation into every code
path that could touch an xattr and what i_rwsem state it expects or sets
up. That could take years or even prove impossible; fortunately, we
can fix this UAF problem inside XFS.
An earlier version of this patch used smp_wmb in xfs_attr_fork_remove to
ensure that i_forkoff is always zeroed before i_afp is set to null and
changed the read paths to use smp_rmb before accessing i_forkoff and
i_afp, which avoided these UAF problems. However, the patch author was
too busy dealing with other problems in the meantime, and by the time he
came back to this issue, the situation had changed a bit.
On a modern system with selinux, each inode will always have at least
one xattr for the selinux label, so it doesn't make much sense to keep
incurring the extra pointer dereference. Furthermore, Allison's
upcoming parent pointer patchset will also cause nearly every inode in
the filesystem to have extended attributes. Therefore, make the inode
attribute fork structure part of struct xfs_inode, at a cost of 40 more
bytes.
This patch adds a clunky if_present field where necessary to maintain
the existing logic of xattr fork null pointer testing in the existing
codebase. The next patch switches the logic over to XFS_IFORK_Q and it
all goes away.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-07-09 17:56:06 +00:00
|
|
|
dp->i_af.if_format != XFS_DINODE_FMT_LOCAL) {
|
2015-05-28 21:40:08 +00:00
|
|
|
error = xfs_attr3_root_inactive(&trans, dp);
|
|
|
|
|
if (error)
|
|
|
|
|
goto out_cancel;
|
|
|
|
|
|
|
|
|
|
error = xfs_itruncate_extents(&trans, dp, XFS_ATTR_FORK, 0);
|
|
|
|
|
if (error)
|
|
|
|
|
goto out_cancel;
|
2013-08-12 10:49:39 +00:00
|
|
|
}
|
|
|
|
|
|
2015-05-28 21:40:08 +00:00
|
|
|
/* Reset the attribute fork - this also destroys the in-core fork */
|
|
|
|
|
xfs_attr_fork_remove(dp, trans);
|
2013-08-12 10:49:39 +00:00
|
|
|
|
2015-06-04 03:48:08 +00:00
|
|
|
error = xfs_trans_commit(trans);
|
2015-05-28 21:40:08 +00:00
|
|
|
xfs_iunlock(dp, lock_mode);
|
2014-06-22 05:03:54 +00:00
|
|
|
return error;
|
2013-08-12 10:49:39 +00:00
|
|
|
|
2015-05-28 21:40:08 +00:00
|
|
|
out_cancel:
|
2015-06-04 03:47:56 +00:00
|
|
|
xfs_trans_cancel(trans);
|
2015-05-28 21:40:08 +00:00
|
|
|
out_destroy_fork:
|
|
|
|
|
/* kill the in-core attr fork before we drop the inode lock */
|
xfs: make inode attribute forks a permanent part of struct xfs_inode
Syzkaller reported a UAF bug a while back:
==================================================================
BUG: KASAN: use-after-free in xfs_ilock_attr_map_shared+0xe3/0xf6 fs/xfs/xfs_inode.c:127
Read of size 4 at addr ffff88802cec919c by task syz-executor262/2958
CPU: 2 PID: 2958 Comm: syz-executor262 Not tainted
5.15.0-0.30.3-20220406_1406 #3
Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7860+a7792d29
04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106
print_address_description.constprop.9+0x21/0x2d5 mm/kasan/report.c:256
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold.14+0x7f/0x11b mm/kasan/report.c:459
xfs_ilock_attr_map_shared+0xe3/0xf6 fs/xfs/xfs_inode.c:127
xfs_attr_get+0x378/0x4c2 fs/xfs/libxfs/xfs_attr.c:159
xfs_xattr_get+0xe3/0x150 fs/xfs/xfs_xattr.c:36
__vfs_getxattr+0xdf/0x13d fs/xattr.c:399
cap_inode_need_killpriv+0x41/0x5d security/commoncap.c:300
security_inode_need_killpriv+0x4c/0x97 security/security.c:1408
dentry_needs_remove_privs.part.28+0x21/0x63 fs/inode.c:1912
dentry_needs_remove_privs+0x80/0x9e fs/inode.c:1908
do_truncate+0xc3/0x1e0 fs/open.c:56
handle_truncate fs/namei.c:3084 [inline]
do_open fs/namei.c:3432 [inline]
path_openat+0x30ab/0x396d fs/namei.c:3561
do_filp_open+0x1c4/0x290 fs/namei.c:3588
do_sys_openat2+0x60d/0x98c fs/open.c:1212
do_sys_open+0xcf/0x13c fs/open.c:1228
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3a/0x7e arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0x0
RIP: 0033:0x7f7ef4bb753d
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73
01 c3 48 8b 0d 1b 79 2c 00 f7 d8 64 89 01 48
RSP: 002b:00007f7ef52c2ed8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 0000000000404148 RCX: 00007f7ef4bb753d
RDX: 00007f7ef4bb753d RSI: 0000000000000000 RDI: 0000000020004fc0
RBP: 0000000000404140 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e
R13: 00007ffd794db37f R14: 00007ffd794db470 R15: 00007f7ef52c2fc0
</TASK>
Allocated by task 2953:
kasan_save_stack+0x19/0x38 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x68/0x7c mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:3213 [inline]
slab_alloc mm/slub.c:3221 [inline]
kmem_cache_alloc+0x11b/0x3eb mm/slub.c:3226
kmem_cache_zalloc include/linux/slab.h:711 [inline]
xfs_ifork_alloc+0x25/0xa2 fs/xfs/libxfs/xfs_inode_fork.c:287
xfs_bmap_add_attrfork+0x3f2/0x9b1 fs/xfs/libxfs/xfs_bmap.c:1098
xfs_attr_set+0xe38/0x12a7 fs/xfs/libxfs/xfs_attr.c:746
xfs_xattr_set+0xeb/0x1a9 fs/xfs/xfs_xattr.c:59
__vfs_setxattr+0x11b/0x177 fs/xattr.c:180
__vfs_setxattr_noperm+0x128/0x5e0 fs/xattr.c:214
__vfs_setxattr_locked+0x1d4/0x258 fs/xattr.c:275
vfs_setxattr+0x154/0x33d fs/xattr.c:301
setxattr+0x216/0x29f fs/xattr.c:575
__do_sys_fsetxattr fs/xattr.c:632 [inline]
__se_sys_fsetxattr fs/xattr.c:621 [inline]
__x64_sys_fsetxattr+0x243/0x2fe fs/xattr.c:621
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3a/0x7e arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0x0
Freed by task 2949:
kasan_save_stack+0x19/0x38 mm/kasan/common.c:38
kasan_set_track+0x1c/0x21 mm/kasan/common.c:46
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free mm/kasan/common.c:328 [inline]
__kasan_slab_free+0xe2/0x10e mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1700 [inline]
slab_free_freelist_hook mm/slub.c:1726 [inline]
slab_free mm/slub.c:3492 [inline]
kmem_cache_free+0xdc/0x3ce mm/slub.c:3508
xfs_attr_fork_remove+0x8d/0x132 fs/xfs/libxfs/xfs_attr_leaf.c:773
xfs_attr_sf_removename+0x5dd/0x6cb fs/xfs/libxfs/xfs_attr_leaf.c:822
xfs_attr_remove_iter+0x68c/0x805 fs/xfs/libxfs/xfs_attr.c:1413
xfs_attr_remove_args+0xb1/0x10d fs/xfs/libxfs/xfs_attr.c:684
xfs_attr_set+0xf1e/0x12a7 fs/xfs/libxfs/xfs_attr.c:802
xfs_xattr_set+0xeb/0x1a9 fs/xfs/xfs_xattr.c:59
__vfs_removexattr+0x106/0x16a fs/xattr.c:468
cap_inode_killpriv+0x24/0x47 security/commoncap.c:324
security_inode_killpriv+0x54/0xa1 security/security.c:1414
setattr_prepare+0x1a6/0x897 fs/attr.c:146
xfs_vn_change_ok+0x111/0x15e fs/xfs/xfs_iops.c:682
xfs_vn_setattr_size+0x5f/0x15a fs/xfs/xfs_iops.c:1065
xfs_vn_setattr+0x125/0x2ad fs/xfs/xfs_iops.c:1093
notify_change+0xae5/0x10a1 fs/attr.c:410
do_truncate+0x134/0x1e0 fs/open.c:64
handle_truncate fs/namei.c:3084 [inline]
do_open fs/namei.c:3432 [inline]
path_openat+0x30ab/0x396d fs/namei.c:3561
do_filp_open+0x1c4/0x290 fs/namei.c:3588
do_sys_openat2+0x60d/0x98c fs/open.c:1212
do_sys_open+0xcf/0x13c fs/open.c:1228
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3a/0x7e arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0x0
The buggy address belongs to the object at ffff88802cec9188
which belongs to the cache xfs_ifork of size 40
The buggy address is located 20 bytes inside of
40-byte region [ffff88802cec9188, ffff88802cec91b0)
The buggy address belongs to the page:
page:00000000c3af36a1 refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x2cec9
flags: 0xfffffc0000200(slab|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0000200 ffffea00009d2580 0000000600000006 ffff88801a9ffc80
raw: 0000000000000000 0000000080490049 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88802cec9080: fb fb fb fc fc fa fb fb fb fb fc fc fb fb fb fb
ffff88802cec9100: fb fc fc fb fb fb fb fb fc fc fb fb fb fb fb fc
>ffff88802cec9180: fc fa fb fb fb fb fc fc fa fb fb fb fb fc fc fb
^
ffff88802cec9200: fb fb fb fb fc fc fb fb fb fb fb fc fc fb fb fb
ffff88802cec9280: fb fb fc fc fa fb fb fb fb fc fc fa fb fb fb fb
==================================================================
The root cause of this bug is the unlocked access to xfs_inode.i_afp
from the getxattr code paths while trying to determine which ILOCK mode
to use to stabilize the xattr data. Unfortunately, the VFS does not
acquire i_rwsem when vfs_getxattr (or listxattr) call into the
filesystem, which means that getxattr can race with a removexattr that's
tearing down the attr fork and crash:
xfs_attr_set: xfs_attr_get:
xfs_attr_fork_remove: xfs_ilock_attr_map_shared:
xfs_idestroy_fork(ip->i_afp);
kmem_cache_free(xfs_ifork_cache, ip->i_afp);
if (ip->i_afp &&
ip->i_afp = NULL;
xfs_need_iread_extents(ip->i_afp))
<KABOOM>
ip->i_forkoff = 0;
Regrettably, the VFS is much more lax about i_rwsem and getxattr than
is immediately obvious -- not only does it not guarantee that we hold
i_rwsem, it actually doesn't guarantee that we *don't* hold it either.
The getxattr system call won't acquire the lock before calling XFS, but
the file capabilities code calls getxattr with and without i_rwsem held
to determine if the "security.capabilities" xattr is set on the file.
Fixing the VFS locking requires a treewide investigation into every code
path that could touch an xattr and what i_rwsem state it expects or sets
up. That could take years or even prove impossible; fortunately, we
can fix this UAF problem inside XFS.
An earlier version of this patch used smp_wmb in xfs_attr_fork_remove to
ensure that i_forkoff is always zeroed before i_afp is set to null and
changed the read paths to use smp_rmb before accessing i_forkoff and
i_afp, which avoided these UAF problems. However, the patch author was
too busy dealing with other problems in the meantime, and by the time he
came back to this issue, the situation had changed a bit.
On a modern system with selinux, each inode will always have at least
one xattr for the selinux label, so it doesn't make much sense to keep
incurring the extra pointer dereference. Furthermore, Allison's
upcoming parent pointer patchset will also cause nearly every inode in
the filesystem to have extended attributes. Therefore, make the inode
attribute fork structure part of struct xfs_inode, at a cost of 40 more
bytes.
This patch adds a clunky if_present field where necessary to maintain
the existing logic of xattr fork null pointer testing in the existing
codebase. The next patch switches the logic over to XFS_IFORK_Q and it
all goes away.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-07-09 17:56:06 +00:00
|
|
|
if (dp->i_af.if_present) {
|
|
|
|
|
xfs_idestroy_fork(&dp->i_af);
|
|
|
|
|
xfs_ifork_zap_attr(dp);
|
2020-05-18 17:29:27 +00:00
|
|
|
}
|
2015-05-28 21:40:08 +00:00
|
|
|
if (lock_mode)
|
|
|
|
|
xfs_iunlock(dp, lock_mode);
|
2014-06-22 05:03:54 +00:00
|
|
|
return error;
|
2013-08-12 10:49:39 +00:00
|
|
|
}
|
