<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/ext4, branch v4.4.17</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>ext4: verify extent header depth</title>
<updated>2016-08-10T09:49:27+00:00</updated>
<author>
<name>Vegard Nossum</name>
<email>vegard.nossum@oracle.com</email>
</author>
<published>2016-07-15T04:22:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=26015f0ad252dd1ae397a6b6e9400ca868f4e584'/>
<id>26015f0ad252dd1ae397a6b6e9400ca868f4e584</id>
<content type='text'>
commit 7bc9491645118c9461bd21099c31755ff6783593 upstream.

Although the extent tree depth of 5 should enough be for the worst
case of 2*32 extents of length 1, the extent tree code does not
currently to merge nodes which are less than half-full with a sibling
node, or to shrink the tree depth if possible.  So it's possible, at
least in theory, for the tree depth to be greater than 5.  However,
even in the worst case, a tree depth of 32 is highly unlikely, and if
the file system is maliciously corrupted, an insanely large eh_depth
can cause memory allocation failures that will trigger kernel warnings
(here, eh_depth = 65280):

    JBD2: ext4.exe wants too many credits credits:195849 rsv_credits:0 max:256
    ------------[ cut here ]------------
    WARNING: CPU: 0 PID: 50 at fs/jbd2/transaction.c:293 start_this_handle+0x569/0x580
    CPU: 0 PID: 50 Comm: ext4.exe Not tainted 4.7.0-rc5+ #508
    Stack:
     604a8947 625badd8 0002fd09 00000000
     60078643 00000000 62623910 601bf9bc
     62623970 6002fc84 626239b0 900000125
    Call Trace:
     [&lt;6001c2dc&gt;] show_stack+0xdc/0x1a0
     [&lt;601bf9bc&gt;] dump_stack+0x2a/0x2e
     [&lt;6002fc84&gt;] __warn+0x114/0x140
     [&lt;6002fdff&gt;] warn_slowpath_null+0x1f/0x30
     [&lt;60165829&gt;] start_this_handle+0x569/0x580
     [&lt;60165d4e&gt;] jbd2__journal_start+0x11e/0x220
     [&lt;60146690&gt;] __ext4_journal_start_sb+0x60/0xa0
     [&lt;60120a81&gt;] ext4_truncate+0x131/0x3a0
     [&lt;60123677&gt;] ext4_setattr+0x757/0x840
     [&lt;600d5d0f&gt;] notify_change+0x16f/0x2a0
     [&lt;600b2b16&gt;] do_truncate+0x76/0xc0
     [&lt;600c3e56&gt;] path_openat+0x806/0x1300
     [&lt;600c55c9&gt;] do_filp_open+0x89/0xf0
     [&lt;600b4074&gt;] do_sys_open+0x134/0x1e0
     [&lt;600b4140&gt;] SyS_open+0x20/0x30
     [&lt;6001ea68&gt;] handle_syscall+0x88/0x90
     [&lt;600295fd&gt;] userspace+0x3fd/0x500
     [&lt;6001ac55&gt;] fork_handler+0x85/0x90

    ---[ end trace 08b0b88b6387a244 ]---

[ Commit message modified and the extent tree depath check changed
from 5 to 32 -- tytso ]

Cc: Darrick J. Wong &lt;darrick.wong@oracle.com&gt;
Signed-off-by: Vegard Nossum &lt;vegard.nossum@oracle.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7bc9491645118c9461bd21099c31755ff6783593 upstream.

Although the extent tree depth of 5 should enough be for the worst
case of 2*32 extents of length 1, the extent tree code does not
currently to merge nodes which are less than half-full with a sibling
node, or to shrink the tree depth if possible.  So it's possible, at
least in theory, for the tree depth to be greater than 5.  However,
even in the worst case, a tree depth of 32 is highly unlikely, and if
the file system is maliciously corrupted, an insanely large eh_depth
can cause memory allocation failures that will trigger kernel warnings
(here, eh_depth = 65280):

    JBD2: ext4.exe wants too many credits credits:195849 rsv_credits:0 max:256
    ------------[ cut here ]------------
    WARNING: CPU: 0 PID: 50 at fs/jbd2/transaction.c:293 start_this_handle+0x569/0x580
    CPU: 0 PID: 50 Comm: ext4.exe Not tainted 4.7.0-rc5+ #508
    Stack:
     604a8947 625badd8 0002fd09 00000000
     60078643 00000000 62623910 601bf9bc
     62623970 6002fc84 626239b0 900000125
    Call Trace:
     [&lt;6001c2dc&gt;] show_stack+0xdc/0x1a0
     [&lt;601bf9bc&gt;] dump_stack+0x2a/0x2e
     [&lt;6002fc84&gt;] __warn+0x114/0x140
     [&lt;6002fdff&gt;] warn_slowpath_null+0x1f/0x30
     [&lt;60165829&gt;] start_this_handle+0x569/0x580
     [&lt;60165d4e&gt;] jbd2__journal_start+0x11e/0x220
     [&lt;60146690&gt;] __ext4_journal_start_sb+0x60/0xa0
     [&lt;60120a81&gt;] ext4_truncate+0x131/0x3a0
     [&lt;60123677&gt;] ext4_setattr+0x757/0x840
     [&lt;600d5d0f&gt;] notify_change+0x16f/0x2a0
     [&lt;600b2b16&gt;] do_truncate+0x76/0xc0
     [&lt;600c3e56&gt;] path_openat+0x806/0x1300
     [&lt;600c55c9&gt;] do_filp_open+0x89/0xf0
     [&lt;600b4074&gt;] do_sys_open+0x134/0x1e0
     [&lt;600b4140&gt;] SyS_open+0x20/0x30
     [&lt;6001ea68&gt;] handle_syscall+0x88/0x90
     [&lt;600295fd&gt;] userspace+0x3fd/0x500
     [&lt;6001ac55&gt;] fork_handler+0x85/0x90

    ---[ end trace 08b0b88b6387a244 ]---

[ Commit message modified and the extent tree depath check changed
from 5 to 32 -- tytso ]

Cc: Darrick J. Wong &lt;darrick.wong@oracle.com&gt;
Signed-off-by: Vegard Nossum &lt;vegard.nossum@oracle.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ext4: silence UBSAN in ext4_mb_init()</title>
<updated>2016-06-08T01:14:37+00:00</updated>
<author>
<name>Nicolai Stange</name>
<email>nicstange@gmail.com</email>
</author>
<published>2016-05-05T23:46:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8b8de1c9295cafcc9a9b85b3287acac7d948fb63'/>
<id>8b8de1c9295cafcc9a9b85b3287acac7d948fb63</id>
<content type='text'>
commit 935244cd54b86ca46e69bc6604d2adfb1aec2d42 upstream.

Currently, in ext4_mb_init(), there's a loop like the following:

  do {
    ...
    offset += 1 &lt;&lt; (sb-&gt;s_blocksize_bits - i);
    i++;
  } while (i &lt;= sb-&gt;s_blocksize_bits + 1);

Note that the updated offset is used in the loop's next iteration only.

However, at the last iteration, that is at i == sb-&gt;s_blocksize_bits + 1,
the shift count becomes equal to (unsigned)-1 &gt; 31 (c.f. C99 6.5.7(3))
and UBSAN reports

  UBSAN: Undefined behaviour in fs/ext4/mballoc.c:2621:15
  shift exponent 4294967295 is too large for 32-bit type 'int'
  [...]
  Call Trace:
   [&lt;ffffffff818c4d25&gt;] dump_stack+0xbc/0x117
   [&lt;ffffffff818c4c69&gt;] ? _atomic_dec_and_lock+0x169/0x169
   [&lt;ffffffff819411ab&gt;] ubsan_epilogue+0xd/0x4e
   [&lt;ffffffff81941cac&gt;] __ubsan_handle_shift_out_of_bounds+0x1fb/0x254
   [&lt;ffffffff81941ab1&gt;] ? __ubsan_handle_load_invalid_value+0x158/0x158
   [&lt;ffffffff814b6dc1&gt;] ? kmem_cache_alloc+0x101/0x390
   [&lt;ffffffff816fc13b&gt;] ? ext4_mb_init+0x13b/0xfd0
   [&lt;ffffffff814293c7&gt;] ? create_cache+0x57/0x1f0
   [&lt;ffffffff8142948a&gt;] ? create_cache+0x11a/0x1f0
   [&lt;ffffffff821c2168&gt;] ? mutex_lock+0x38/0x60
   [&lt;ffffffff821c23ab&gt;] ? mutex_unlock+0x1b/0x50
   [&lt;ffffffff814c26ab&gt;] ? put_online_mems+0x5b/0xc0
   [&lt;ffffffff81429677&gt;] ? kmem_cache_create+0x117/0x2c0
   [&lt;ffffffff816fcc49&gt;] ext4_mb_init+0xc49/0xfd0
   [...]

Observe that the mentioned shift exponent, 4294967295, equals (unsigned)-1.

Unless compilers start to do some fancy transformations (which at least
GCC 6.0.0 doesn't currently do), the issue is of cosmetic nature only: the
such calculated value of offset is never used again.

Silence UBSAN by introducing another variable, offset_incr, holding the
next increment to apply to offset and adjust that one by right shifting it
by one position per loop iteration.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=114701
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112161

Signed-off-by: Nicolai Stange &lt;nicstange@gmail.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 935244cd54b86ca46e69bc6604d2adfb1aec2d42 upstream.

Currently, in ext4_mb_init(), there's a loop like the following:

  do {
    ...
    offset += 1 &lt;&lt; (sb-&gt;s_blocksize_bits - i);
    i++;
  } while (i &lt;= sb-&gt;s_blocksize_bits + 1);

Note that the updated offset is used in the loop's next iteration only.

However, at the last iteration, that is at i == sb-&gt;s_blocksize_bits + 1,
the shift count becomes equal to (unsigned)-1 &gt; 31 (c.f. C99 6.5.7(3))
and UBSAN reports

  UBSAN: Undefined behaviour in fs/ext4/mballoc.c:2621:15
  shift exponent 4294967295 is too large for 32-bit type 'int'
  [...]
  Call Trace:
   [&lt;ffffffff818c4d25&gt;] dump_stack+0xbc/0x117
   [&lt;ffffffff818c4c69&gt;] ? _atomic_dec_and_lock+0x169/0x169
   [&lt;ffffffff819411ab&gt;] ubsan_epilogue+0xd/0x4e
   [&lt;ffffffff81941cac&gt;] __ubsan_handle_shift_out_of_bounds+0x1fb/0x254
   [&lt;ffffffff81941ab1&gt;] ? __ubsan_handle_load_invalid_value+0x158/0x158
   [&lt;ffffffff814b6dc1&gt;] ? kmem_cache_alloc+0x101/0x390
   [&lt;ffffffff816fc13b&gt;] ? ext4_mb_init+0x13b/0xfd0
   [&lt;ffffffff814293c7&gt;] ? create_cache+0x57/0x1f0
   [&lt;ffffffff8142948a&gt;] ? create_cache+0x11a/0x1f0
   [&lt;ffffffff821c2168&gt;] ? mutex_lock+0x38/0x60
   [&lt;ffffffff821c23ab&gt;] ? mutex_unlock+0x1b/0x50
   [&lt;ffffffff814c26ab&gt;] ? put_online_mems+0x5b/0xc0
   [&lt;ffffffff81429677&gt;] ? kmem_cache_create+0x117/0x2c0
   [&lt;ffffffff816fcc49&gt;] ext4_mb_init+0xc49/0xfd0
   [...]

Observe that the mentioned shift exponent, 4294967295, equals (unsigned)-1.

Unless compilers start to do some fancy transformations (which at least
GCC 6.0.0 doesn't currently do), the issue is of cosmetic nature only: the
such calculated value of offset is never used again.

Silence UBSAN by introducing another variable, offset_incr, holding the
next increment to apply to offset and adjust that one by right shifting it
by one position per loop iteration.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=114701
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112161

Signed-off-by: Nicolai Stange &lt;nicstange@gmail.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ext4: address UBSAN warning in mb_find_order_for_block()</title>
<updated>2016-06-08T01:14:37+00:00</updated>
<author>
<name>Nicolai Stange</name>
<email>nicstange@gmail.com</email>
</author>
<published>2016-05-05T21:38:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=12aa7d95f4882d21cd337d4f6fd40859cac67688'/>
<id>12aa7d95f4882d21cd337d4f6fd40859cac67688</id>
<content type='text'>
commit b5cb316cdf3a3f5f6125412b0f6065185240cfdc upstream.

Currently, in mb_find_order_for_block(), there's a loop like the following:

  while (order &lt;= e4b-&gt;bd_blkbits + 1) {
    ...
    bb += 1 &lt;&lt; (e4b-&gt;bd_blkbits - order);
  }

Note that the updated bb is used in the loop's next iteration only.

However, at the last iteration, that is at order == e4b-&gt;bd_blkbits + 1,
the shift count becomes negative (c.f. C99 6.5.7(3)) and UBSAN reports

  UBSAN: Undefined behaviour in fs/ext4/mballoc.c:1281:11
  shift exponent -1 is negative
  [...]
  Call Trace:
   [&lt;ffffffff818c4d35&gt;] dump_stack+0xbc/0x117
   [&lt;ffffffff818c4c79&gt;] ? _atomic_dec_and_lock+0x169/0x169
   [&lt;ffffffff819411bb&gt;] ubsan_epilogue+0xd/0x4e
   [&lt;ffffffff81941cbc&gt;] __ubsan_handle_shift_out_of_bounds+0x1fb/0x254
   [&lt;ffffffff81941ac1&gt;] ? __ubsan_handle_load_invalid_value+0x158/0x158
   [&lt;ffffffff816e93a0&gt;] ? ext4_mb_generate_from_pa+0x590/0x590
   [&lt;ffffffff816502c8&gt;] ? ext4_read_block_bitmap_nowait+0x598/0xe80
   [&lt;ffffffff816e7b7e&gt;] mb_find_order_for_block+0x1ce/0x240
   [...]

Unless compilers start to do some fancy transformations (which at least
GCC 6.0.0 doesn't currently do), the issue is of cosmetic nature only: the
such calculated value of bb is never used again.

Silence UBSAN by introducing another variable, bb_incr, holding the next
increment to apply to bb and adjust that one by right shifting it by one
position per loop iteration.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=114701
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112161

Signed-off-by: Nicolai Stange &lt;nicstange@gmail.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b5cb316cdf3a3f5f6125412b0f6065185240cfdc upstream.

Currently, in mb_find_order_for_block(), there's a loop like the following:

  while (order &lt;= e4b-&gt;bd_blkbits + 1) {
    ...
    bb += 1 &lt;&lt; (e4b-&gt;bd_blkbits - order);
  }

Note that the updated bb is used in the loop's next iteration only.

However, at the last iteration, that is at order == e4b-&gt;bd_blkbits + 1,
the shift count becomes negative (c.f. C99 6.5.7(3)) and UBSAN reports

  UBSAN: Undefined behaviour in fs/ext4/mballoc.c:1281:11
  shift exponent -1 is negative
  [...]
  Call Trace:
   [&lt;ffffffff818c4d35&gt;] dump_stack+0xbc/0x117
   [&lt;ffffffff818c4c79&gt;] ? _atomic_dec_and_lock+0x169/0x169
   [&lt;ffffffff819411bb&gt;] ubsan_epilogue+0xd/0x4e
   [&lt;ffffffff81941cbc&gt;] __ubsan_handle_shift_out_of_bounds+0x1fb/0x254
   [&lt;ffffffff81941ac1&gt;] ? __ubsan_handle_load_invalid_value+0x158/0x158
   [&lt;ffffffff816e93a0&gt;] ? ext4_mb_generate_from_pa+0x590/0x590
   [&lt;ffffffff816502c8&gt;] ? ext4_read_block_bitmap_nowait+0x598/0xe80
   [&lt;ffffffff816e7b7e&gt;] mb_find_order_for_block+0x1ce/0x240
   [...]

Unless compilers start to do some fancy transformations (which at least
GCC 6.0.0 doesn't currently do), the issue is of cosmetic nature only: the
such calculated value of bb is never used again.

Silence UBSAN by introducing another variable, bb_incr, holding the next
increment to apply to bb and adjust that one by right shifting it by one
position per loop iteration.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=114701
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112161

Signed-off-by: Nicolai Stange &lt;nicstange@gmail.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ext4: fix oops on corrupted filesystem</title>
<updated>2016-06-08T01:14:37+00:00</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.cz</email>
</author>
<published>2016-05-05T15:10:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b2601bb015a7681fb44bd7a2f15760b2396d0de7'/>
<id>b2601bb015a7681fb44bd7a2f15760b2396d0de7</id>
<content type='text'>
commit 74177f55b70e2f2be770dd28684dd6d17106a4ba upstream.

When filesystem is corrupted in the right way, it can happen
ext4_mark_iloc_dirty() in ext4_orphan_add() returns error and we
subsequently remove inode from the in-memory orphan list. However this
deletion is done with list_del(&amp;EXT4_I(inode)-&gt;i_orphan) and thus we
leave i_orphan list_head with a stale content. Later we can look at this
content causing list corruption, oops, or other issues. The reported
trace looked like:

WARNING: CPU: 0 PID: 46 at lib/list_debug.c:53 __list_del_entry+0x6b/0x100()
list_del corruption, 0000000061c1d6e0-&gt;next is LIST_POISON1
0000000000100100)
CPU: 0 PID: 46 Comm: ext4.exe Not tainted 4.1.0-rc4+ #250
Stack:
 60462947 62219960 602ede24 62219960
 602ede24 603ca293 622198f0 602f02eb
 62219950 6002c12c 62219900 601b4d6b
Call Trace:
 [&lt;6005769c&gt;] ? vprintk_emit+0x2dc/0x5c0
 [&lt;602ede24&gt;] ? printk+0x0/0x94
 [&lt;600190bc&gt;] show_stack+0xdc/0x1a0
 [&lt;602ede24&gt;] ? printk+0x0/0x94
 [&lt;602ede24&gt;] ? printk+0x0/0x94
 [&lt;602f02eb&gt;] dump_stack+0x2a/0x2c
 [&lt;6002c12c&gt;] warn_slowpath_common+0x9c/0xf0
 [&lt;601b4d6b&gt;] ? __list_del_entry+0x6b/0x100
 [&lt;6002c254&gt;] warn_slowpath_fmt+0x94/0xa0
 [&lt;602f4d09&gt;] ? __mutex_lock_slowpath+0x239/0x3a0
 [&lt;6002c1c0&gt;] ? warn_slowpath_fmt+0x0/0xa0
 [&lt;60023ebf&gt;] ? set_signals+0x3f/0x50
 [&lt;600a205a&gt;] ? kmem_cache_free+0x10a/0x180
 [&lt;602f4e88&gt;] ? mutex_lock+0x18/0x30
 [&lt;601b4d6b&gt;] __list_del_entry+0x6b/0x100
 [&lt;601177ec&gt;] ext4_orphan_del+0x22c/0x2f0
 [&lt;6012f27c&gt;] ? __ext4_journal_start_sb+0x2c/0xa0
 [&lt;6010b973&gt;] ? ext4_truncate+0x383/0x390
 [&lt;6010bc8b&gt;] ext4_write_begin+0x30b/0x4b0
 [&lt;6001bb50&gt;] ? copy_from_user+0x0/0xb0
 [&lt;601aa840&gt;] ? iov_iter_fault_in_readable+0xa0/0xc0
 [&lt;60072c4f&gt;] generic_perform_write+0xaf/0x1e0
 [&lt;600c4166&gt;] ? file_update_time+0x46/0x110
 [&lt;60072f0f&gt;] __generic_file_write_iter+0x18f/0x1b0
 [&lt;6010030f&gt;] ext4_file_write_iter+0x15f/0x470
 [&lt;60094e10&gt;] ? unlink_file_vma+0x0/0x70
 [&lt;6009b180&gt;] ? unlink_anon_vmas+0x0/0x260
 [&lt;6008f169&gt;] ? free_pgtables+0xb9/0x100
 [&lt;600a6030&gt;] __vfs_write+0xb0/0x130
 [&lt;600a61d5&gt;] vfs_write+0xa5/0x170
 [&lt;600a63d6&gt;] SyS_write+0x56/0xe0
 [&lt;6029fcb0&gt;] ? __libc_waitpid+0x0/0xa0
 [&lt;6001b698&gt;] handle_syscall+0x68/0x90
 [&lt;6002633d&gt;] userspace+0x4fd/0x600
 [&lt;6002274f&gt;] ? save_registers+0x1f/0x40
 [&lt;60028bd7&gt;] ? arch_prctl+0x177/0x1b0
 [&lt;60017bd5&gt;] fork_handler+0x85/0x90

Fix the problem by using list_del_init() as we always should with
i_orphan list.

Reported-by: Vegard Nossum &lt;vegard.nossum@oracle.com&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 74177f55b70e2f2be770dd28684dd6d17106a4ba upstream.

When filesystem is corrupted in the right way, it can happen
ext4_mark_iloc_dirty() in ext4_orphan_add() returns error and we
subsequently remove inode from the in-memory orphan list. However this
deletion is done with list_del(&amp;EXT4_I(inode)-&gt;i_orphan) and thus we
leave i_orphan list_head with a stale content. Later we can look at this
content causing list corruption, oops, or other issues. The reported
trace looked like:

WARNING: CPU: 0 PID: 46 at lib/list_debug.c:53 __list_del_entry+0x6b/0x100()
list_del corruption, 0000000061c1d6e0-&gt;next is LIST_POISON1
0000000000100100)
CPU: 0 PID: 46 Comm: ext4.exe Not tainted 4.1.0-rc4+ #250
Stack:
 60462947 62219960 602ede24 62219960
 602ede24 603ca293 622198f0 602f02eb
 62219950 6002c12c 62219900 601b4d6b
Call Trace:
 [&lt;6005769c&gt;] ? vprintk_emit+0x2dc/0x5c0
 [&lt;602ede24&gt;] ? printk+0x0/0x94
 [&lt;600190bc&gt;] show_stack+0xdc/0x1a0
 [&lt;602ede24&gt;] ? printk+0x0/0x94
 [&lt;602ede24&gt;] ? printk+0x0/0x94
 [&lt;602f02eb&gt;] dump_stack+0x2a/0x2c
 [&lt;6002c12c&gt;] warn_slowpath_common+0x9c/0xf0
 [&lt;601b4d6b&gt;] ? __list_del_entry+0x6b/0x100
 [&lt;6002c254&gt;] warn_slowpath_fmt+0x94/0xa0
 [&lt;602f4d09&gt;] ? __mutex_lock_slowpath+0x239/0x3a0
 [&lt;6002c1c0&gt;] ? warn_slowpath_fmt+0x0/0xa0
 [&lt;60023ebf&gt;] ? set_signals+0x3f/0x50
 [&lt;600a205a&gt;] ? kmem_cache_free+0x10a/0x180
 [&lt;602f4e88&gt;] ? mutex_lock+0x18/0x30
 [&lt;601b4d6b&gt;] __list_del_entry+0x6b/0x100
 [&lt;601177ec&gt;] ext4_orphan_del+0x22c/0x2f0
 [&lt;6012f27c&gt;] ? __ext4_journal_start_sb+0x2c/0xa0
 [&lt;6010b973&gt;] ? ext4_truncate+0x383/0x390
 [&lt;6010bc8b&gt;] ext4_write_begin+0x30b/0x4b0
 [&lt;6001bb50&gt;] ? copy_from_user+0x0/0xb0
 [&lt;601aa840&gt;] ? iov_iter_fault_in_readable+0xa0/0xc0
 [&lt;60072c4f&gt;] generic_perform_write+0xaf/0x1e0
 [&lt;600c4166&gt;] ? file_update_time+0x46/0x110
 [&lt;60072f0f&gt;] __generic_file_write_iter+0x18f/0x1b0
 [&lt;6010030f&gt;] ext4_file_write_iter+0x15f/0x470
 [&lt;60094e10&gt;] ? unlink_file_vma+0x0/0x70
 [&lt;6009b180&gt;] ? unlink_anon_vmas+0x0/0x260
 [&lt;6008f169&gt;] ? free_pgtables+0xb9/0x100
 [&lt;600a6030&gt;] __vfs_write+0xb0/0x130
 [&lt;600a61d5&gt;] vfs_write+0xa5/0x170
 [&lt;600a63d6&gt;] SyS_write+0x56/0xe0
 [&lt;6029fcb0&gt;] ? __libc_waitpid+0x0/0xa0
 [&lt;6001b698&gt;] handle_syscall+0x68/0x90
 [&lt;6002633d&gt;] userspace+0x4fd/0x600
 [&lt;6002274f&gt;] ? save_registers+0x1f/0x40
 [&lt;60028bd7&gt;] ? arch_prctl+0x177/0x1b0
 [&lt;60017bd5&gt;] fork_handler+0x85/0x90

Fix the problem by using list_del_init() as we always should with
i_orphan list.

Reported-by: Vegard Nossum &lt;vegard.nossum@oracle.com&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ext4: clean up error handling when orphan list is corrupted</title>
<updated>2016-06-08T01:14:37+00:00</updated>
<author>
<name>Theodore Ts'o</name>
<email>tytso@mit.edu</email>
</author>
<published>2016-04-30T04:49:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b2044c3f8310ccac10122f2fa64f8ae574b4bfef'/>
<id>b2044c3f8310ccac10122f2fa64f8ae574b4bfef</id>
<content type='text'>
commit 7827a7f6ebfcb7f388dc47fddd48567a314701ba upstream.

Instead of just printing warning messages, if the orphan list is
corrupted, declare the file system is corrupted.  If there are any
reserved inodes in the orphaned inode list, declare the file system
corrupted and stop right away to avoid doing more potential damage to
the file system.

Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7827a7f6ebfcb7f388dc47fddd48567a314701ba upstream.

Instead of just printing warning messages, if the orphan list is
corrupted, declare the file system is corrupted.  If there are any
reserved inodes in the orphaned inode list, declare the file system
corrupted and stop right away to avoid doing more potential damage to
the file system.

Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ext4: fix hang when processing corrupted orphaned inode list</title>
<updated>2016-06-08T01:14:37+00:00</updated>
<author>
<name>Theodore Ts'o</name>
<email>tytso@mit.edu</email>
</author>
<published>2016-04-30T04:48:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c5ce389844f2686564e1217c94c4c3e92fab413d'/>
<id>c5ce389844f2686564e1217c94c4c3e92fab413d</id>
<content type='text'>
commit c9eb13a9105e2e418f72e46a2b6da3f49e696902 upstream.

If the orphaned inode list contains inode #5, ext4_iget() returns a
bad inode (since the bootloader inode should never be referenced
directly).  Because of the bad inode, we end up processing the inode
repeatedly and this hangs the machine.

This can be reproduced via:

   mke2fs -t ext4 /tmp/foo.img 100
   debugfs -w -R "ssv last_orphan 5" /tmp/foo.img
   mount -o loop /tmp/foo.img /mnt

(But don't do this if you are using an unpatched kernel if you care
about the system staying functional.  :-)

This bug was found by the port of American Fuzzy Lop into the kernel
to find file system problems[1].  (Since it *only* happens if inode #5
shows up on the orphan list --- 3, 7, 8, etc. won't do it, it's not
surprising that AFL needed two hours before it found it.)

[1] http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf

Reported by: Vegard Nossum &lt;vegard.nossum@oracle.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c9eb13a9105e2e418f72e46a2b6da3f49e696902 upstream.

If the orphaned inode list contains inode #5, ext4_iget() returns a
bad inode (since the bootloader inode should never be referenced
directly).  Because of the bad inode, we end up processing the inode
repeatedly and this hangs the machine.

This can be reproduced via:

   mke2fs -t ext4 /tmp/foo.img 100
   debugfs -w -R "ssv last_orphan 5" /tmp/foo.img
   mount -o loop /tmp/foo.img /mnt

(But don't do this if you are using an unpatched kernel if you care
about the system staying functional.  :-)

This bug was found by the port of American Fuzzy Lop into the kernel
to find file system problems[1].  (Since it *only* happens if inode #5
shows up on the orphan list --- 3, 7, 8, etc. won't do it, it's not
surprising that AFL needed two hours before it found it.)

[1] http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf

Reported by: Vegard Nossum &lt;vegard.nossum@oracle.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ext4: iterate over buffer heads correctly in move_extent_per_page()</title>
<updated>2016-06-01T19:15:48+00:00</updated>
<author>
<name>Eryu Guan</name>
<email>guaneryu@gmail.com</email>
</author>
<published>2016-02-21T23:38:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fa5613b1f39ec020671705453eeceaaf57459e49'/>
<id>fa5613b1f39ec020671705453eeceaaf57459e49</id>
<content type='text'>
commit 6ffe77bad545f4a7c8edd2a4ee797ccfcd894ab4 upstream.

In commit bcff24887d00 ("ext4: don't read blocks from disk after extents
being swapped") bh is not updated correctly in the for loop and wrong
data has been written to disk. generic/324 catches this on sub-page
block size ext4.

Fixes: bcff24887d00 ("ext4: don't read blocks from disk after extentsbeing swapped")
Signed-off-by: Eryu Guan &lt;guaneryu@gmail.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 6ffe77bad545f4a7c8edd2a4ee797ccfcd894ab4 upstream.

In commit bcff24887d00 ("ext4: don't read blocks from disk after extents
being swapped") bh is not updated correctly in the for loop and wrong
data has been written to disk. generic/324 catches this on sub-page
block size ext4.

Fixes: bcff24887d00 ("ext4: don't read blocks from disk after extentsbeing swapped")
Signed-off-by: Eryu Guan &lt;guaneryu@gmail.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ext4: fix races of writeback with punch hole and zero range</title>
<updated>2016-05-04T21:48:53+00:00</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.com</email>
</author>
<published>2015-12-07T19:34:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=21228341bf17496062b0e6a1b37265f6bcf5c8f3'/>
<id>21228341bf17496062b0e6a1b37265f6bcf5c8f3</id>
<content type='text'>
commit 011278485ecc3cd2a3954b5d4c73101d919bf1fa upstream.

When doing delayed allocation, update of on-disk inode size is postponed
until IO submission time. However hole punch or zero range fallocate
calls can end up discarding the tail page cache page and thus on-disk
inode size would never be properly updated.

Make sure the on-disk inode size is updated before truncating page
cache.

Signed-off-by: Jan Kara &lt;jack@suse.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 011278485ecc3cd2a3954b5d4c73101d919bf1fa upstream.

When doing delayed allocation, update of on-disk inode size is postponed
until IO submission time. However hole punch or zero range fallocate
calls can end up discarding the tail page cache page and thus on-disk
inode size would never be properly updated.

Make sure the on-disk inode size is updated before truncating page
cache.

Signed-off-by: Jan Kara &lt;jack@suse.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ext4: fix races between buffered IO and collapse / insert range</title>
<updated>2016-05-04T21:48:53+00:00</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.com</email>
</author>
<published>2015-12-07T19:31:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1f7b7e9a4ba3d60af27c78a149743d269e6fb848'/>
<id>1f7b7e9a4ba3d60af27c78a149743d269e6fb848</id>
<content type='text'>
commit 32ebffd3bbb4162da5ff88f9a35dd32d0a28ea70 upstream.

Current code implementing FALLOC_FL_COLLAPSE_RANGE and
FALLOC_FL_INSERT_RANGE is prone to races with buffered writes and page
faults. If buffered write or write via mmap manages to squeeze between
filemap_write_and_wait_range() and truncate_pagecache() in the fallocate
implementations, the written data is simply discarded by
truncate_pagecache() although it should have been shifted.

Fix the problem by moving filemap_write_and_wait_range() call inside
i_mutex and i_mmap_sem. That way we are protected against races with
both buffered writes and page faults.

Signed-off-by: Jan Kara &lt;jack@suse.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 32ebffd3bbb4162da5ff88f9a35dd32d0a28ea70 upstream.

Current code implementing FALLOC_FL_COLLAPSE_RANGE and
FALLOC_FL_INSERT_RANGE is prone to races with buffered writes and page
faults. If buffered write or write via mmap manages to squeeze between
filemap_write_and_wait_range() and truncate_pagecache() in the fallocate
implementations, the written data is simply discarded by
truncate_pagecache() although it should have been shifted.

Fix the problem by moving filemap_write_and_wait_range() call inside
i_mutex and i_mmap_sem. That way we are protected against races with
both buffered writes and page faults.

Signed-off-by: Jan Kara &lt;jack@suse.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ext4: move unlocked dio protection from ext4_alloc_file_blocks()</title>
<updated>2016-05-04T21:48:53+00:00</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.com</email>
</author>
<published>2015-12-07T19:29:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e096ade68c13011ba6548a542c1fc00e14555f5c'/>
<id>e096ade68c13011ba6548a542c1fc00e14555f5c</id>
<content type='text'>
commit 17048e8a083fec7ad841d88ef0812707fbc7e39f upstream.

Currently ext4_alloc_file_blocks() was handling protection against
unlocked DIO. However we now need to sometimes call it under i_mmap_sem
and sometimes not and DIO protection ranks above it (although strictly
speaking this cannot currently create any deadlocks). Also
ext4_zero_range() was actually getting &amp; releasing unlocked DIO
protection twice in some cases. Luckily it didn't introduce any real bug
but it was a land mine waiting to be stepped on.  So move DIO protection
out from ext4_alloc_file_blocks() into the two callsites.

Signed-off-by: Jan Kara &lt;jack@suse.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 17048e8a083fec7ad841d88ef0812707fbc7e39f upstream.

Currently ext4_alloc_file_blocks() was handling protection against
unlocked DIO. However we now need to sometimes call it under i_mmap_sem
and sometimes not and DIO protection ranks above it (although strictly
speaking this cannot currently create any deadlocks). Also
ext4_zero_range() was actually getting &amp; releasing unlocked DIO
protection twice in some cases. Luckily it didn't introduce any real bug
but it was a land mine waiting to be stepped on.  So move DIO protection
out from ext4_alloc_file_blocks() into the two callsites.

Signed-off-by: Jan Kara &lt;jack@suse.com&gt;
Signed-off-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
