lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 May 2022 09:16:16 +0800 From: Baokun Li <libaokun1@...wei.com> To: Jan Kara <jack@...e.cz> CC: <lczerner@...hat.com>, <linux-ext4@...r.kernel.org>, <tytso@....edu>, <adilger.kernel@...ger.ca>, <ritesh.list@...il.com>, <linux-kernel@...r.kernel.org>, <yi.zhang@...wei.com>, <yebin10@...wei.com>, <yukuai3@...wei.com>, Baokun Li <libaokun1@...wei.com> Subject: Re: [PATCH 2/2] ext4: correct the judgment of BUG in ext4_mb_normalize_request 在 2022/5/25 19:29, Jan Kara 写道: > On Tue 24-05-22 21:44:31, Baokun Li wrote: >> 在 2022/5/24 17:30, Jan Kara 写道: >>> On Mon 23-05-22 21:04:16, libaokun (A) wrote: >>>> 在 2022/5/23 17:40, Jan Kara 写道: >>>>> On Sat 21-05-22 21:42:17, Baokun Li wrote: >>>>>> When either of the "start + size <= ac->ac_o_ex.fe_logical" or >>>>>> "start > ac->ac_o_ex.fe_logical" conditions is met, it indicates >>>>>> that the fe_logical is not in the allocated range. >>>>>> In this case, it should be bug_ON. >>>>>> >>>>>> Fixes: dfe076c106f6 ("ext4: get rid of code duplication") >>>>>> Signed-off-by: Baokun Li<libaokun1@...wei.com> >>>>> I think this is actually wrong. The original condition checks whether >>>>> start + size does not overflow the used integer type. Your condition is >>>>> much stronger and I don't think it always has to be true. E.g. allocation >>>>> goal block (start variable) can be pushed to larger values by existing >>>>> preallocation or so. >>>>> >>>>> Honza >>>>> >>>> I think there are two reasons for this: >>>> >>>> First of all, the code here is as follows. >>>> ``` >>>> size = end - start; >>>> [...] >>>> if (start + size <= ac->ac_o_ex.fe_logical && >>>> start > ac->ac_o_ex.fe_logical) { >>>> ext4_msg(ac->ac_sb, KERN_ERR, >>>> "start %lu, size %lu, fe_logical %lu", >>>> (unsigned long) start, (unsigned long) size, >>>> (unsigned long) ac->ac_o_ex.fe_logical); >>>> BUG(); >>>> } >>>> BUG_ON(size <= 0 || size > EXT4_BLOCKS_PER_GROUP(ac->ac_sb)); >>>> ``` >>>> First of all, there is no need to compare with ac_o_ex.fe_logical if it is >>>> to determine whether there is an overflow. >>>> Because the previous logic guarantees start < = ac_o_ex.fe_logical, and >>> How does it guarantee that? The logic: >>> >>> if (ar->pleft && start <= ar->lleft) { >>> size -= ar->lleft + 1 - start; >>> start = ar->lleft + 1; >>> } >>> >>> can move 'start' to further blocks... >> This is not the case. According to the code of the preceding process, >> ar->pleft and ar->pright are assigned values in ext4_ext_map_blocks. >> ar->pleft is the first allocated block found to the left by map->m_lblk >> (that is, fe_logical), >> and ar->pright is the first allocated block found to the right. >> ar->lleft and ar->lright are logical block numbers, so there must be >> "ar->lleft < ac_o_ex.fe_logical < ar->lright". > Right, I've found that out after sending my previous email. Sorry for > confusion. Don't be sorry. Thank you very much for your advice. It has benefited me a lot. > >>>> Secondly, the following code flow also reflects this logic. >>>> >>>> ext4_mb_normalize_request >>>> >>> start + size <= ac->ac_o_ex.fe_logical >>>> ext4_mb_regular_allocator >>>> ext4_mb_simple_scan_group >>>> ext4_mb_use_best_found >>>> ext4_mb_new_preallocation >>>> ext4_mb_new_inode_pa >>>> ext4_mb_use_inode_pa >>>> >>> set ac->ac_b_ex.fe_len <= 0 >>>> ext4_mb_mark_diskspace_used >>>> >>> BUG_ON(ac->ac_b_ex.fe_len <= 0); >>>> >>>> In ext4_mb_use_inode_pa, you have the following code. >>>> ``` >>>> start = pa->pa_pstart + (ac->ac_o_ex.fe_logical - pa->pa_lstart); >>>> end = min(pa->pa_pstart + EXT4_C2B(sbi, pa->pa_len), start + EXT4_C2B(sbi, >>>> ac->ac_o_ex.fe_len)); >>>> len = EXT4_NUM_B2C(sbi, end - start); >>>> ac->ac_b_ex.fe_len = len; >>>> ``` >>>> The starting position in ext4_mb_mark_diskspace_used will be assert. >>>> BUG_ON(ac->ac_b_ex.fe_len <= 0); >>>> When end == start + EXT4_C2B(sbi, ac->ac_o_ex.fe_len) is used, the value of >>>> end - start must be greater than 0. >>>> However, when end == pa->pa_pstart + EXT4_C2B(sbi, pa->pa_len) occurs, this >>>> bug_ON may be triggered. >>>> When this bug_ON is triggered, that is, >>>> >>>> ac->ac_b_ex.fe_len <= 0 >>>> end - start <= 0 >>>> end <= start >>>> pa->pa_pstart + EXT4_C2B(sbi, pa->pa_len) <= pa->pa_pstart + >>>> (ac->ac_o_ex.fe_logical - pa->pa_lstart) >>>> pa->pa_len <= ac->ac_o_ex.fe_logical - pa->pa_lstart >>>> pa->pa_lstart + pa->pa_len <= ac->ac_o_ex.fe_logical >>>> start + size <= ac->ac_o_ex.fe_logical >>>> >>>> So I think that "&&" here should be changed to "||". >>> Sorry, I still disagree. After some more code reading I agree that >>> ac->ac_o_ex.fe_logical is the logical block where we want allocated blocks >>> to be placed in the inode so logical extent of allocated blocks should include >>> ac->ac_o_ex.fe_logical. But I would be reluctant to make assertion you >>> suggest unless we make sure ac->ac_o_ex.fe_logical in unallocated (in which >>> case we can also remove some other code from ext4_mb_normalize_request()). >>> >>> Honza >>> >> What codes are you referring to that can be deleted? > So I though the shifting of 'start' by lleft cannot happen but then I > realized that if 'start' got aligned down, it can now be lower than lleft > so the shifting is indeed needed. So all code is needed there. > > Honza Okay, thanks again! -- With Best Regards, Baokun Li .
Powered by blists - more mailing lists