• Brian Foster's avatar
    xfs: fix attr leaf header freemap.size underflow · 6924da69
    Brian Foster authored
    [ Upstream commit 2a2b5932 ]
    
    The leaf format xattr addition helper xfs_attr3_leaf_add_work()
    adjusts the block freemap in a couple places. The first update drops
    the size of the freemap that the caller had already selected to
    place the xattr name/value data. Before the function returns, it
    also checks whether the entries array has encroached on a freemap
    range by virtue of the new entry addition. This is necessary because
    the entries array grows from the start of the block (but end of the
    block header) towards the end of the block while the name/value data
    grows from the end of the block in the opposite direction. If the
    associated freemap is already empty, however, size is zero and the
    subtraction underflows the field and causes corruption.
    
    This is reproduced rarely by generic/070. The observed behavior is
    that a smaller sized freemap is aligned to the end of the entries
    list, several subsequent xattr additions land in larger freemaps and
    the entries list expands into the smaller freemap until it is fully
    consumed and then underflows. Note that it is not otherwise a
    corruption for the entries array to consume an empty freemap because
    the nameval list (i.e. the firstused pointer in the xattr header)
    starts beyond the end of the corrupted freemap.
    
    Update the freemap size modification to account for the fact that
    the freemap entry can be empty and thus stale.
    Signed-off-by: default avatarBrian Foster <bfoster@redhat.com>
    Reviewed-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
    6924da69
xfs_attr_leaf.c 79.2 KB