Message-ID: <bug-217209-13602@https.bugzilla.kernel.org/>
Date:   Fri, 17 Mar 2023 01:31:14 +0000
From:   bugzilla-daemon@...nel.org
To:     linux-ext4@...r.kernel.org
Subject: [Bug 217209] New: ext4_da_write_end: i_disksize exceeds i_size in
 partially written case

https://bugzilla.kernel.org/show_bug.cgi?id=217209

            Bug ID: 217209
           Summary: ext4_da_write_end: i_disksize exceeds i_size in
                    partially written case
           Product: File System
           Version: 2.5
    Kernel Version: 6.3.0-rc2
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@...nel-bugs.osdl.org
          Reporter: chengzhihao1@...wei.com
        Regression: No

The following process makes i_disksize exceed i_size:

    generic_perform_write
     copied = iov_iter_copy_from_user_atomic(len) // copied < len
     ext4_da_write_end
     | ext4_update_i_disksize
     |  new_i_size = pos + copied;
     |  WRITE_ONCE(EXT4_I(inode)->i_disksize, newsize) // update i_disksize
     | generic_write_end
     |  copied = block_write_end(copied, len) // copied = 0
     |   if (unlikely(copied < len))
     |    if (!PageUptodate(page))
     |     copied = 0;
     |  if (pos + copied > inode->i_size) // return false
     if (unlikely(copied == 0))
      goto again;
     if (unlikely(iov_iter_fault_in_readable(i, bytes))) {
      status = -EFAULT;
      break;
     }

We get i_disksize greater than i_size here, which could trigger the WARNING
check 'i_size_read(inode) < EXT4_I(inode)->i_disksize' while doing dio:

    ext4_dio_write_iter
     iomap_dio_rw
      __iomap_dio_rw // return err, length is not aligned to 512
     ext4_handle_inode_extension
      WARN_ON_ONCE(i_size_read(inode) < EXT4_I(inode)->i_disksize) // Oops

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.
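
Added example, not part of the original report and not kernel code: a userspace C model of the write_end sequence described above, showing how a short copy into a page that is not uptodate leaves i_disksize above i_size. The model_* names, the sample offsets and the "checked" ordering are assumptions made for illustration, not a fix taken from the report.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model, not kernel code. Field names follow the report. */
struct model_inode { long i_size, i_disksize; };
struct model_write { long pos, len, copied; bool page_uptodate; };

/* block_write_end() rule: a short copy into a !uptodate page counts as 0. */
static long model_accepted(struct model_write w)
{
    return (w.copied < w.len && !w.page_uptodate) ? 0 : w.copied;
}

/* generic_write_end() rule: i_size grows only by the accepted bytes. */
static long model_generic_write_end(struct model_inode *in, struct model_write w)
{
    long copied = model_accepted(w);
    if (w.pos + copied > in->i_size)
        in->i_size = w.pos + copied;
    return copied;
}

/* Ordering in the report: i_disksize is raised from the raw copied count. */
long model_write_end_reported(struct model_inode *in, struct model_write w)
{
    if (w.pos + w.copied > in->i_disksize)
        in->i_disksize = w.pos + w.copied;
    return model_generic_write_end(in, w);
}

/* Assumed alternative ordering: apply the short-copy rule first. */
long model_write_end_checked(struct model_inode *in, struct model_write w)
{
    w.copied = model_accepted(w);
    return model_write_end_reported(in, w);
}

/* Negation of the WARN_ON_ONCE() condition: true while the state is sane. */
bool model_sane(const struct model_inode *in) { return in->i_size >= in->i_disksize; }

int main(void)
{
    struct model_write w = { 4096, 4096, 100, false };   /* constructed */
    struct model_inode a = { 4096, 4096 }, b = a;
    model_write_end_reported(&a, w);
    model_write_end_checked(&b, w);
    printf("sane: reported=%d checked=%d\n", model_sane(&a), model_sane(&b));
    return 0;
}
```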
