| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 May 2022 09:16:16 +0800
From: Baokun Li <libaokun1@...wei.com>
To: Jan Kara <jack@...e.cz>
CC: <lczerner@...hat.com>, <linux-ext4@...r.kernel.org>,
<tytso@....edu>, <adilger.kernel@...ger.ca>,
<ritesh.list@...il.com>, <linux-kernel@...r.kernel.org>,
<yi.zhang@...wei.com>, <yebin10@...wei.com>, <yukuai3@...wei.com>,
Baokun Li <libaokun1@...wei.com>
Subject: Re: [PATCH 2/2] ext4: correct the judgment of BUG in
ext4_mb_normalize_request
在 2022/5/25 19:29, Jan Kara 写道:
> On Tue 24-05-22 21:44:31, Baokun Li wrote:
>> 在 2022/5/24 17:30, Jan Kara 写道:
>>> On Mon 23-05-22 21:04:16, libaokun (A) wrote:
>>>> 在 2022/5/23 17:40, Jan Kara 写道:
>>>>> On Sat 21-05-22 21:42:17, Baokun Li wrote:
>>>>>> When either of the "start + size <= ac->ac_o_ex.fe_logical" or
>>>>>> "start > ac->ac_o_ex.fe_logical" conditions is met, it indicates
>>>>>> that the fe_logical is not in the allocated range.
>>>>>> In this case, it should be bug_ON.
>>>>>>
>>>>>> Fixes: dfe076c106f6 ("ext4: get rid of code duplication")
>>>>>> Signed-off-by: Baokun Li<libaokun1@...wei.com>
>>>>> I think this is actually wrong. The original condition checks whether
>>>>> start + size does not overflow the used integer type. Your condition is
>>>>> much stronger and I don't think it always has to be true. E.g. allocation
>>>>> goal block (start variable) can be pushed to larger values by existing
>>>>> preallocation or so.
>>>>>
>>>>> Honza
>>>>>
>>>> I think there are two reasons for this:
>>>>
>>>> First of all, the code here is as follows.
>>>> ```
>>>> size = end - start;
>>>> [...]
>>>> if (start + size <= ac->ac_o_ex.fe_logical &&
>>>> start > ac->ac_o_ex.fe_logical) {
>>>> ext4_msg(ac->ac_sb, KERN_ERR,
>>>> "start %lu, size %lu, fe_logical %lu",
>>>> (unsigned long) start, (unsigned long) size,
>>>> (unsigned long) ac->ac_o_ex.fe_logical);
>>>> BUG();
>>>> }
>>>> BUG_ON(size <= 0 || size > EXT4_BLOCKS_PER_GROUP(ac->ac_sb));
>>>> ```
>>>> First of all, there is no need to compare with ac_o_ex.fe_logical if it is
>>>> to determine whether there is an overflow.
>>>> Because the previous logic guarantees start < = ac_o_ex.fe_logical, and
>>> How does it guarantee that? The logic:
>>>
>>> if (ar->pleft && start <= ar->lleft) {
>>> size -= ar->lleft + 1 - start;
>>> start = ar->lleft + 1;
>>> }
>>>
>>> can move 'start' to further blocks...
>> This is not the case. According to the code of the preceding process,
>> ar->pleft and ar->pright are assigned values in ext4_ext_map_blocks.
>> ar->pleft is the first allocated block found to the left by map->m_lblk
>> (that is, fe_logical),
>> and ar->pright is the first allocated block found to the right.
>> ar->lleft and ar->lright are logical block numbers, so there must be
>> "ar->lleft < ac_o_ex.fe_logical < ar->lright".
> Right, I've found that out after sending my previous email. Sorry for
> confusion.
Don't be sorry. Thank you very much for your advice. It has benefited me
a lot.
>
>>>> Secondly, the following code flow also reflects this logic.
>>>>
>>>> ext4_mb_normalize_request
>>>> >>> start + size <= ac->ac_o_ex.fe_logical
>>>> ext4_mb_regular_allocator
>>>> ext4_mb_simple_scan_group
>>>> ext4_mb_use_best_found
>>>> ext4_mb_new_preallocation
>>>> ext4_mb_new_inode_pa
>>>> ext4_mb_use_inode_pa
>>>> >>> set ac->ac_b_ex.fe_len <= 0
>>>> ext4_mb_mark_diskspace_used
>>>> >>> BUG_ON(ac->ac_b_ex.fe_len <= 0);
>>>>
>>>> In ext4_mb_use_inode_pa, you have the following code.
>>>> ```
>>>> start = pa->pa_pstart + (ac->ac_o_ex.fe_logical - pa->pa_lstart);
>>>> end = min(pa->pa_pstart + EXT4_C2B(sbi, pa->pa_len), start + EXT4_C2B(sbi,
>>>> ac->ac_o_ex.fe_len));
>>>> len = EXT4_NUM_B2C(sbi, end - start);
>>>> ac->ac_b_ex.fe_len = len;
>>>> ```
>>>> The starting position in ext4_mb_mark_diskspace_used will be assert.
>>>> BUG_ON(ac->ac_b_ex.fe_len <= 0);
>>>> When end == start + EXT4_C2B(sbi, ac->ac_o_ex.fe_len) is used, the value of
>>>> end - start must be greater than 0.
>>>> However, when end == pa->pa_pstart + EXT4_C2B(sbi, pa->pa_len) occurs, this
>>>> bug_ON may be triggered.
>>>> When this bug_ON is triggered, that is,
>>>>
>>>> ac->ac_b_ex.fe_len <= 0
>>>> end - start <= 0
>>>> end <= start
>>>> pa->pa_pstart + EXT4_C2B(sbi, pa->pa_len) <= pa->pa_pstart +
>>>> (ac->ac_o_ex.fe_logical - pa->pa_lstart)
>>>> pa->pa_len <= ac->ac_o_ex.fe_logical - pa->pa_lstart
>>>> pa->pa_lstart + pa->pa_len <= ac->ac_o_ex.fe_logical
>>>> start + size <= ac->ac_o_ex.fe_logical
>>>>
>>>> So I think that "&&" here should be changed to "||".
>>> Sorry, I still disagree. After some more code reading I agree that
>>> ac->ac_o_ex.fe_logical is the logical block where we want allocated blocks
>>> to be placed in the inode so logical extent of allocated blocks should include
>>> ac->ac_o_ex.fe_logical. But I would be reluctant to make assertion you
>>> suggest unless we make sure ac->ac_o_ex.fe_logical in unallocated (in which
>>> case we can also remove some other code from ext4_mb_normalize_request()).
>>>
>>> Honza
>>>
>> What codes are you referring to that can be deleted?
> So I though the shifting of 'start' by lleft cannot happen but then I
> realized that if 'start' got aligned down, it can now be lower than lleft
> so the shifting is indeed needed. So all code is needed there.
>
> Honza
Okay, thanks again!
--
With Best Regards,
Baokun Li
.
Powered by blists - more mailing lists