Commit 1f2acb60 authored by Theodore Ts'o's avatar Theodore Ts'o
Browse files

ext4: Add block validity check when truncating indirect block mapped inodes 



Add checks to ext4_free_branches() to make sure a block number found
in an indirect block are valid before trying to free it.  If a bad
block number is found, stop freeing the indirect block immediately,
since the file system is corrupt and we will need to run fsck anyway.
This also avoids spamming the logs, and specifically avoids
driver-level "attempt to access beyond end of device" errors obscure
what is really going on.

If you get *really*, *really*, *really* unlucky, without this patch, a
supposed indirect block containing garbage might contain a reference
to a primary block group descriptor, in which case
ext4_free_branches() could end up zero'ing out a block group
descriptor block, and if then one of the block bitmaps for a block
group described by that bg descriptor block is not in memory, and is
read in by ext4_read_block_bitmap().  This function calls
ext4_valid_block_bitmap(), which assumes that bg_inode_table() was
validated at mount time and hasn't been modified since.  Since this
assumption is no longer valid, it's possible for the value
(ext4_inode_table(sb, desc) - group_first_block) to go negative, which
will cause ext4_find_next_zero_bit() to trigger a kernel GPF.

Addresses-Google-Bug: #2220436

Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
parent 15121c18

fs/ext4/ext4.h

+1 −0
Original line number Diff line number Diff line
@@ -377,6 +377,7 @@ struct ext4_new_group_data { 
 */

#define EXT4_FREE_BLOCKS_METADATA	0x0001

#define EXT4_FREE_BLOCKS_FORGET		0x0002

#define EXT4_FREE_BLOCKS_VALIDATED	0x0004



/*

 * ioctl commands

fs/ext4/inode.c

+30 −9
Original line number Diff line number Diff line
@@ -4130,18 +4130,27 @@ no_top: 
 * We release `count' blocks on disk, but (last - first) may be greater

 * than `count' because there can be holes in there.

 */

static void ext4_clear_blocks(handle_t *handle, struct inode *inode,

static int ext4_clear_blocks(handle_t *handle, struct inode *inode,

			     struct buffer_head *bh,

			     ext4_fsblk_t block_to_free,

			     unsigned long count, __le32 *first,

			     __le32 *last)

{

	__le32 *p;

	int	flags = EXT4_FREE_BLOCKS_FORGET;

	int	flags = EXT4_FREE_BLOCKS_FORGET | EXT4_FREE_BLOCKS_VALIDATED;



	if (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode))

		flags |= EXT4_FREE_BLOCKS_METADATA;



	if (!ext4_data_block_valid(EXT4_SB(inode->i_sb), block_to_free,

				   count)) {

		ext4_error(inode->i_sb, __func__, "inode #%lu: "

			   "attempt to clear blocks %llu len %lu, invalid",

			   inode->i_ino, (unsigned long long) block_to_free,

			   count);

		return 1;

	}



	if (try_to_extend_transaction(handle, inode)) {

		if (bh) {

			BUFFER_TRACE(bh, "call ext4_handle_dirty_metadata");
@@ -4160,6 +4169,7 @@ static void ext4_clear_blocks(handle_t *handle, struct inode *inode, 
		*p = 0;



	ext4_free_blocks(handle, inode, 0, block_to_free, count, flags);

	return 0;

}



/**
@@ -4215,9 +4225,10 @@ static void ext4_free_data(handle_t *handle, struct inode *inode, 
			} else if (nr == block_to_free + count) {

				count++;

			} else {

				ext4_clear_blocks(handle, inode, this_bh,

						  block_to_free,

						  count, block_to_free_p, p);

				if (ext4_clear_blocks(handle, inode, this_bh,

						      block_to_free, count,

						      block_to_free_p, p))

					break;

				block_to_free = nr;

				block_to_free_p = p;

				count = 1;
@@ -4281,6 +4292,16 @@ static void ext4_free_branches(handle_t *handle, struct inode *inode, 
			if (!nr)

				continue;		/* A hole */



			if (!ext4_data_block_valid(EXT4_SB(inode->i_sb),

						   nr, 1)) {

				ext4_error(inode->i_sb, __func__,

					   "indirect mapped block in inode "

					   "#%lu invalid (level %d, blk #%lu)",

					   inode->i_ino, depth,

					   (unsigned long) nr);

				break;

			}



			/* Go read the buffer for the next level down */

			bh = sb_bread(inode->i_sb, nr);

fs/ext4/mballoc.c

+4 −3
Original line number Diff line number Diff line
@@ -4476,7 +4476,8 @@ void ext4_free_blocks(handle_t *handle, struct inode *inode, 


	sbi = EXT4_SB(sb);

	es = EXT4_SB(sb)->s_es;

	if (!ext4_data_block_valid(sbi, block, count)) {

	if (!(flags & EXT4_FREE_BLOCKS_VALIDATED) &&

	    !ext4_data_block_valid(sbi, block, count)) {

		ext4_error(sb, __func__,

			   "Freeing blocks not in datazone - "

			   "block = %llu, count = %lu", block, count);

CRA Git | Maintained and supported by SUSTech CRA and CCSE