linux/fs/xfs
Darrick J. Wong e8db2aafce xfs: fix memory corruption during remote attr value buffer invalidation
While running generic/103, I observed what looks like memory corruption
and (with slub debugging turned on) a slub redzone warning on i386 when
inactivating an inode with a 64k remote attr value.

On a v5 filesystem, maximally sized remote attr values require one block
more than 64k worth of space to hold both the remote attribute value
header (64 bytes).  On a 4k block filesystem this results in a 68k
buffer; on a 64k block filesystem, this would be a 128k buffer.  Note
that even though we'll never use more than 65,600 bytes of this buffer,
XFS_MAX_BLOCKSIZE is 64k.

This is a problem because the definition of struct xfs_buf_log_format
allows for XFS_MAX_BLOCKSIZE worth of dirty bitmap (64k).  On i386 when we
invalidate a remote attribute, xfs_trans_binval zeroes all 68k worth of
the dirty map, writing right off the end of the log item and corrupting
memory.  We've gotten away with this on x86_64 for years because the
compiler inserts a u32 padding on the end of struct xfs_buf_log_format.

Fortunately for us, remote attribute values are written to disk with
xfs_bwrite(), which is to say that they are not logged.  Fix the problem
by removing all places where we could end up creating a buffer log item
for a remote attribute value and leave a note explaining why.  Next,
replace the open-coded buffer invalidation with a call to the helper we
created in the previous patch that does better checking for bad metadata
before marking the buffer stale.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2020-01-16 08:07:23 -08:00
..
libxfs xfs: fix memory corruption during remote attr value buffer invalidation 2020-01-16 08:07:23 -08:00
scrub xfs: remove bogus assertion when online repair isn't enabled 2020-01-09 10:55:19 -08:00
Kconfig
kmem.c xfs: Correct comment tyops -> typos 2019-11-10 10:21:57 -08:00
kmem.h xfs: Remove kmem_zone_free() wrapper 2019-11-18 08:40:44 -08:00
Makefile xfs: remove the now unused dir ops infrastructure 2019-11-10 16:54:24 -08:00
mrlock.h
xfs_acl.c xfs: Remove all strlen in all xfs_attr_* functions for attr names. 2020-01-09 10:55:19 -08:00
xfs_acl.h
xfs_aops.c xfs: add a xfs_inode_buftarg helper 2019-10-28 08:37:54 -07:00
xfs_aops.h xfs: add a xfs_inode_buftarg helper 2019-10-28 08:37:54 -07:00
xfs_attr_inactive.c xfs: fix memory corruption during remote attr value buffer invalidation 2020-01-16 08:07:23 -08:00
xfs_attr_list.c xfs: split xfs_da3_node_read 2019-11-22 08:17:10 -08:00
xfs_bio_io.c
xfs_bmap_item.c xfs: Remove kmem_zone_free() wrapper 2019-11-18 08:40:44 -08:00
xfs_bmap_item.h
xfs_bmap_util.c xfs: stabilize insert range start boundary to avoid COW writeback race 2019-12-11 13:18:42 -08:00
xfs_bmap_util.h xfs: simplify xfs_iomap_eof_align_last_fsb 2019-11-03 10:22:30 -08:00
xfs_buf_item.c xfs: use bitops interface for buf log item AIL flag check 2019-12-19 07:53:47 -08:00
xfs_buf_item.h
xfs_buf.c xfs: Remove kmem_zone_free() wrapper 2019-11-18 08:40:44 -08:00
xfs_buf.h xfs: mark xfs_buf_free static 2019-10-28 08:37:54 -07:00
xfs_dir2_readdir.c xfs: remove the mappedbno argument to xfs_da_read_buf 2019-11-22 08:17:10 -08:00
xfs_discard.c xfs: kill the XFS_WANT_CORRUPT_* macros 2019-11-12 17:19:02 -08:00
xfs_discard.h
xfs_dquot_item.c
xfs_dquot_item.h xfs: remove the xfs_qoff_logitem_t typedef 2019-11-13 18:22:28 -08:00
xfs_dquot.c xfs: quota: move to time64_t interfaces 2020-01-06 08:57:37 -08:00
xfs_dquot.h xfs: remove the xfs_dq_logitem_t typedef 2019-11-13 18:22:26 -08:00
xfs_error.c xfs: report corruption only as a regular error 2019-11-18 08:40:44 -08:00
xfs_error.h xfs: kill the XFS_WANT_CORRUPT_* macros 2019-11-12 17:19:02 -08:00
xfs_export.c
xfs_export.h
xfs_extent_busy.c xfs: cleanup use of the XFS_ALLOC_ flags 2019-11-03 10:22:31 -08:00
xfs_extent_busy.h
xfs_extfree_item.c xfs: Remove kmem_zone_free() wrapper 2019-11-18 08:40:44 -08:00
xfs_extfree_item.h
xfs_file.c xfs: fix IOCB_NOWAIT handling in xfs_file_dio_aio_read 2020-01-15 22:13:11 -08:00
xfs_filestream.c xfs: fix another missing include 2019-11-13 18:22:41 -08:00
xfs_filestream.h
xfs_fsmap.c xfs: add missing assert in xfs_fsmap_owner_from_rmap 2019-11-05 08:28:27 -08:00
xfs_fsmap.h
xfs_fsops.c
xfs_fsops.h
xfs_globals.c
xfs_health.c
xfs_icache.c xfs: Remove kmem_zone_free() wrapper 2019-11-18 08:40:44 -08:00
xfs_icache.h
xfs_icreate_item.c xfs: Remove kmem_zone_free() wrapper 2019-11-18 08:40:44 -08:00
xfs_icreate_item.h
xfs_inode_item.c xfs: Remove kmem_zone_free() wrapper 2019-11-18 08:40:44 -08:00
xfs_inode_item.h
xfs_inode.c xfs: truncate should remove all blocks, not just to the end of the page cache 2020-01-14 08:02:52 -08:00
xfs_inode.h xfs: merge the projid fields in struct xfs_icdinode 2019-11-13 11:13:45 -08:00
xfs_ioctl32.c xfs: reject invalid flags combinations in XFS_IOC_ATTRMULTI_BY_HANDLE 2020-01-09 10:55:18 -08:00
xfs_ioctl32.h xfs: rename compat_time_t to old_time32_t 2020-01-06 08:57:36 -08:00
xfs_ioctl.c xfs: Remove all strlen in all xfs_attr_* functions for attr names. 2020-01-09 10:55:19 -08:00
xfs_ioctl.h xfs: remove XFS_IOC_FSSETDM and XFS_IOC_FSSETDM_BY_HANDLE 2019-11-13 18:22:41 -08:00
xfs_iomap.c xfs: convert open coded corruption check to use XFS_IS_CORRUPT 2019-11-13 11:08:01 -08:00
xfs_iomap.h xfs: simplify the xfs_iomap_write_direct calling 2019-11-03 10:22:30 -08:00
xfs_iops.c xfs: Remove all strlen in all xfs_attr_* functions for attr names. 2020-01-09 10:55:19 -08:00
xfs_iops.h
xfs_itable.c xfs: merge the projid fields in struct xfs_icdinode 2019-11-13 11:13:45 -08:00
xfs_itable.h
xfs_iwalk.c xfs: kill the XFS_WANT_CORRUPT_* macros 2019-11-12 17:19:02 -08:00
xfs_iwalk.h
xfs_linux.h xfs: report corruption only as a regular error 2019-11-18 08:40:44 -08:00
xfs_log_cil.c xfs: Correct comment tyops -> typos 2019-11-10 10:21:57 -08:00
xfs_log_priv.h xfs: remove unused structure members & simple typedefs 2019-11-13 18:22:41 -08:00
xfs_log_recover.c xfs: fix some memory leaks in log recovery 2019-11-15 21:15:29 -08:00
xfs_log.c xfs: fix mount failure crash on invalid iclog memory access 2019-12-03 14:53:07 -08:00
xfs_log.h
xfs_message.c xfs: make the assertion message functions take a mount parameter 2019-11-05 08:28:27 -08:00
xfs_message.h xfs: make the assertion message functions take a mount parameter 2019-11-05 08:28:27 -08:00
xfs_mount.c xfs: don't commit sunit/swidth updates to disk if that would cause repair failures 2019-12-19 07:53:48 -08:00
xfs_mount.h xfs: remove unused structure members & simple typedefs 2019-11-13 18:22:41 -08:00
xfs_mru_cache.c
xfs_mru_cache.h
xfs_ondisk.h
xfs_pnfs.c xfs: use super s_id instead of struct xfs_mount m_fsname 2019-11-05 08:28:25 -08:00
xfs_pnfs.h
xfs_pwork.c
xfs_pwork.h
xfs_qm_bhv.c xfs: remove the xfs_disk_dquot_t and xfs_dquot_t 2019-11-13 11:13:45 -08:00
xfs_qm_syscalls.c xfs: Replace function declaration by actual definition 2019-11-13 18:22:40 -08:00
xfs_qm.c xfs: remove the xfs_quotainfo_t typedef 2019-11-13 18:22:23 -08:00
xfs_qm.h xfs: quota: move to time64_t interfaces 2020-01-06 08:57:37 -08:00
xfs_quota.h
xfs_quotaops.c xfs: quota: move to time64_t interfaces 2020-01-06 08:57:37 -08:00
xfs_refcount_item.c xfs: Remove kmem_zone_free() wrapper 2019-11-18 08:40:44 -08:00
xfs_refcount_item.h
xfs_reflink.c xfs: introduce XFS_MAX_FILEOFF 2020-01-14 08:02:51 -08:00
xfs_reflink.h xfs: pass two imaps to xfs_reflink_allocate_cow 2019-10-21 09:04:58 -07:00
xfs_rmap_item.c xfs: Remove kmem_zone_free() wrapper 2019-11-18 08:40:44 -08:00
xfs_rmap_item.h
xfs_rtalloc.c xfs: don't set bmapi total block req where minleft is 2019-10-23 17:01:08 -07:00
xfs_rtalloc.h
xfs_stats.c
xfs_stats.h
xfs_super.c xfs: fix s_maxbytes computation on 32-bit kernels 2020-01-14 08:02:53 -08:00
xfs_super.h xfs: include QUOTA, FATAL ASSERT build options in XFS_BUILD_OPTIONS 2019-10-21 09:04:57 -07:00
xfs_symlink.c xfs: fix missing header includes 2019-11-07 13:00:53 -08:00
xfs_symlink.h xfs: Correct comment tyops -> typos 2019-11-10 10:21:57 -08:00
xfs_sysctl.c
xfs_sysctl.h
xfs_sysfs.c xfs: avoid unused to_mp() function warning 2019-09-24 09:40:19 -07:00
xfs_sysfs.h
xfs_trace.c
xfs_trace.h xfs: don't commit sunit/swidth updates to disk if that would cause repair failures 2019-12-19 07:53:48 -08:00
xfs_trans_ail.c xfs: Correct comment tyops -> typos 2019-11-10 10:21:57 -08:00
xfs_trans_buf.c
xfs_trans_dquot.c xfs: quota: move to time64_t interfaces 2020-01-06 08:57:37 -08:00
xfs_trans_priv.h
xfs_trans.c xfs: Remove kmem_zone_free() wrapper 2019-11-18 08:40:44 -08:00
xfs_trans.h
xfs_xattr.c xfs: Remove all strlen in all xfs_attr_* functions for attr names. 2020-01-09 10:55:19 -08:00
xfs.h