lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20190318110822.GE9415@quack2.suse.cz>
Date:   Mon, 18 Mar 2019 12:08:22 +0100
From:   Jan Kara <jack@...e.cz>
To:     "zhangyi (F)" <yi.zhang@...wei.com>
Cc:     linux-ext4@...r.kernel.org, tytso@....edu, jack@...e.cz,
        adilger.kernel@...ger.ca, miaoxie@...wei.com
Subject: Re: [PATCH v2 1/2] ext4: brelse all indirect buffer in
 ext4_ind_remove_space()

On Fri 15-03-19 15:10:12, zhangyi (F) wrote:
> All indirect buffers get by ext4_find_shared() should be released no
> mater the branch should be freed or not. But now, we forget to release
> the lower depth indirect buffers when removing space from the same
> higher depth indirect block. It will lead to buffer leak and futher
> more, it may lead to quota information corruption when using old quota,
> consider the following case.
> 
>  - Create and mount an empty ext4 filesystem without extent and quota
>    features,
>  - quotacheck and enable the user & group quota,
>  - Create some files and write some data to them, and then punch hole
>    to some files of them, it may trigger the buffer leak problem
>    mentioned above.
>  - Disable quota and run quotacheck again, it will create two new
>    aquota files and write the checked quota information to them, which
>    probably may reuse the freed indirect block(the buffer and page
>    cache was not freed) as data block.
>  - Enable quota again, it will invoke
>    vfs_load_quota_inode()->invalidate_bdev() to try to clean unused
>    buffers and pagecache. Unfortunately, because of the buffer of quota
>    data block is still referenced, quota code cannot read the up to date
>    quota info from the device and lead to quota information corruption.
> 
> This problem can be reproduced by xfstests generic/231 on ext3 file
> system or ext4 file system without extent and quota features.
> 
> This patch fix this problem by brelse the missing indirect buffers, in
> ext4_ind_remove_space().
> 
> Reported-by: Hulk Robot <hulkci@...wei.com>
> Signed-off-by: zhangyi (F) <yi.zhang@...wei.com>
> Suggested-by: Jan Kara <jack@...e.cz>
> Cc: <stable@...r.kernel.org>

Looks good. You can add:

Reviewed-by: Jan Kara <jack@...e.cz>

								Honza

> ---
>  fs/ext4/indirect.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/ext4/indirect.c b/fs/ext4/indirect.c
> index bf7fa15..9e96a0b 100644
> --- a/fs/ext4/indirect.c
> +++ b/fs/ext4/indirect.c
> @@ -1387,10 +1387,14 @@ int ext4_ind_remove_space(handle_t *handle, struct inode *inode,
>  					   partial->p + 1,
>  					   partial2->p,
>  					   (chain+n-1) - partial);
> -			BUFFER_TRACE(partial->bh, "call brelse");
> -			brelse(partial->bh);
> -			BUFFER_TRACE(partial2->bh, "call brelse");
> -			brelse(partial2->bh);
> +			while (partial > chain) {
> +				BUFFER_TRACE(partial->bh, "call brelse");
> +				brelse(partial->bh);
> +			}
> +			while (partial2 > chain2) {
> +				BUFFER_TRACE(partial2->bh, "call brelse");
> +				brelse(partial2->bh);
> +			}
>  			return 0;
>  		}
>  
> -- 
> 2.7.4
> 
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ