From patchwork Tue Jun 30 13:04:36 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hou Tao X-Patchwork-Id: 1319868 X-Patchwork-Delegate: richard@nod.at Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.infradead.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=huawei.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=TeBitrCk; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49x4Ds1Mzlz9sTF for ; Tue, 30 Jun 2020 22:59:09 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-ID:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=bS0YkFfUEBneZ8flBxjyGPjopGOCHf3tMJ+xSL78pzo=; b=TeBitrCk9HIRes6gVfh98QdPs HmXuj1jqHGlcVxs0qLoJFyFvE2mShAXTMp6WqqG1N5/EJ3R1nRiifzsOie6MFt8zHVPqxyDD9HrrR OGGD10wBSrL7ahqWSMRReUf/EHkZ86UFq5rngaGbEUvGU7GQ8rlasQ8eRij0kGWGTsSR2zhH2z00B S7f9pjhK5Z53fITACRZ7/MwIszKxnaBpnF07gVtj/HZFa+tues+oR9wcukKFhA5dEkUPp4FC55ZnM rcGEfokUXmgh9cNTKwMRQbrHGjQ5ulyAwASyRGOIt177FjQNte4ppR6/4an+hscWNAI/owvlKUTLS XaPXBMkyA==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1jqFpm-00089C-Ks; Tue, 30 Jun 2020 12:57:59 +0000 Received: from szxga04-in.huawei.com ([45.249.212.190] helo=huawei.com) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1jqFpi-00087u-H6 for linux-mtd@lists.infradead.org; Tue, 30 Jun 2020 12:57:55 +0000 Received: from DGGEMS405-HUB.china.huawei.com (unknown [172.30.72.60]) by Forcepoint Email with ESMTP id D73AEEBB9A014284A02A; Tue, 30 Jun 2020 20:57:41 +0800 (CST) Received: from huawei.com (10.90.53.225) by DGGEMS405-HUB.china.huawei.com (10.3.19.205) with Microsoft SMTP Server id 14.3.487.0; Tue, 30 Jun 2020 20:57:36 +0800 From: Hou Tao To: Richard Weinberger , Subject: [PATCH 1/3] ubifs: check the remaining name buffer during xattr list Date: Tue, 30 Jun 2020 21:04:36 +0800 Message-ID: <20200630130438.141649-2-houtao1@huawei.com> X-Mailer: git-send-email 2.25.0.4.g0ad7144999 In-Reply-To: <20200630130438.141649-1-houtao1@huawei.com> References: <20200630130438.141649-1-houtao1@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.90.53.225] X-CFilter-Loop: Reflected X-Spam-Note: CRM114 invocation failed X-Spam-Score: -2.3 (--) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-2.3 points) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [45.249.212.190 listed in list.dnswl.org] 0.0 RCVD_IN_MSPIKE_H4 RBL: Very Good reputation (+4) [45.249.212.190 listed in wl.mailspike.net] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders X-BeenThere: linux-mtd@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux MTD discussion mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: houtao1@huawei.com Sender: "linux-mtd" Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org When there are concurrent xattr list and xattr write operations, it is possible xattr_names + xattr_cnt has been increased a lot by xattr write op since its last read in the begin of ubifs_listxattr(). So ubifs_listxattr() may find these newly updated or added xattrs, try to copy these xattr names regardless of the remaing buffer size, and lead to the corruption of buffer and assertion failure. Simply fixing it by checking the remaining size of name buffer before copying the xattr name. Signed-off-by: Hou Tao --- fs/ubifs/xattr.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c index 9aefbb60074f..5591b9fa1d86 100644 --- a/fs/ubifs/xattr.c +++ b/fs/ubifs/xattr.c @@ -429,6 +429,12 @@ ssize_t ubifs_listxattr(struct dentry *dentry, char *buffer, size_t size) fname_len(&nm) = le16_to_cpu(xent->nlen); if (xattr_visible(xent->name)) { + if (size - written < fname_len(&nm) + 1) { + kfree(pxent); + kfree(xent); + return -ERANGE; + } + memcpy(buffer + written, fname_name(&nm), fname_len(&nm) + 1); written += fname_len(&nm) + 1; } From patchwork Tue Jun 30 13:04:37 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hou Tao X-Patchwork-Id: 1319869 X-Patchwork-Delegate: richard@nod.at Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.infradead.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=huawei.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=rmUZvRbe; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49x4Dt2nbWz9sQx for ; Tue, 30 Jun 2020 22:59:10 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-ID:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=nw1/kwMNV2TVIdw70Thwsqo7LlWdUJ8r3WawkQyNjv8=; b=rmUZvRbehTXwoWrKS4VQ7KAfG HKbufMUDaoMifCpe2GtXhpl7OlLIyUD1wJYlFy5Fr4Yc33CXFH/5hpkFvCa86jkDrcHwIKs3gVMWo fWi+/dMiRJfBxHOPsTaMmH39qpYWeNaRzOPOwAWZ5q+NPEYF3u5Zl4sbyT9qIP4HB+1/xPXhuK1xN JcyJlrBHWad6ZhEwoUC1AO+L9HwBBpmTWJ/aJZYkeLRlWwYLP3hgeHY2cMFt0CwbLMDJUeAfxbbIl fPbjtspHuMmoAVs9v4s8A+hm2vvBcp1O280eDhDolJDfZj8RrK95mv4sGyehnp+S0ap9R+b40mI5Z Uxg+H0w6g==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1jqFpp-0008Ab-PL; Tue, 30 Jun 2020 12:58:01 +0000 Received: from szxga06-in.huawei.com ([45.249.212.32] helo=huawei.com) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1jqFpj-000885-5l for linux-mtd@lists.infradead.org; Tue, 30 Jun 2020 12:57:56 +0000 Received: from DGGEMS405-HUB.china.huawei.com (unknown [172.30.72.60]) by Forcepoint Email with ESMTP id EA381AB42D7CF840EEC5; Tue, 30 Jun 2020 20:57:46 +0800 (CST) Received: from huawei.com (10.90.53.225) by DGGEMS405-HUB.china.huawei.com (10.3.19.205) with Microsoft SMTP Server id 14.3.487.0; Tue, 30 Jun 2020 20:57:36 +0800 From: Hou Tao To: Richard Weinberger , Subject: [PATCH 2/3] ubifs: protect assertion of xattr value size by ui_mutex during xattr get Date: Tue, 30 Jun 2020 21:04:37 +0800 Message-ID: <20200630130438.141649-3-houtao1@huawei.com> X-Mailer: git-send-email 2.25.0.4.g0ad7144999 In-Reply-To: <20200630130438.141649-1-houtao1@huawei.com> References: <20200630130438.141649-1-houtao1@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.90.53.225] X-CFilter-Loop: Reflected X-Spam-Note: CRM114 invocation failed X-Spam-Score: -2.3 (--) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-2.3 points) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [45.249.212.32 listed in list.dnswl.org] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record 0.0 RCVD_IN_MSPIKE_H4 RBL: Very Good reputation (+4) [45.249.212.32 listed in wl.mailspike.net] 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders X-BeenThere: linux-mtd@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux MTD discussion mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: houtao1@huawei.com Sender: "linux-mtd" Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org ubifs_xattr_get() may race with change_xattr() which will update inode->i_size and ui->data_len accordingly, and it will fail the assertion: inode->i_size == ui->data_len, so protect the assertion by ui_mutex. For assertion: host_ui->xattr_size > ui->data_len, it can not been ensured even both host_ui->ui_mutex and ui->ui_mutex are acquired, because the xattr value may has been removed by remove_xattr() and xattr_size has already been decreased, so just remove it. Signed-off-by: Hou Tao --- fs/ubifs/xattr.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c index 5591b9fa1d86..82be2c2d2db5 100644 --- a/fs/ubifs/xattr.c +++ b/fs/ubifs/xattr.c @@ -356,10 +356,9 @@ ssize_t ubifs_xattr_get(struct inode *host, const char *name, void *buf, } ui = ubifs_inode(inode); - ubifs_assert(c, inode->i_size == ui->data_len); - ubifs_assert(c, ubifs_inode(host)->xattr_size > ui->data_len); mutex_lock(&ui->ui_mutex); + ubifs_assert(c, inode->i_size == ui->data_len); if (buf) { /* If @buf is %NULL we are supposed to return the length */ if (ui->data_len > size) { From patchwork Tue Jun 30 13:04:38 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hou Tao X-Patchwork-Id: 1319863 X-Patchwork-Delegate: richard@nod.at Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.infradead.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=huawei.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=oEOlRJKs; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49x4DQ4k2Rz9sRW for ; Tue, 30 Jun 2020 22:58:46 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-ID:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=4f2ye/UtesFtIBnR/eA/h72C11yC0NkhOdt8MFSX7zk=; b=oEOlRJKsMa8ubxW2dAv/tz55l WI+PiE4sLEH1CvuTjD/VlDwDtaLN9mlpyV0L+SxmygKsuX7MsVzF+wP48Hmppfya3V+d9nx4uVVz+ 9qdd+mgoXN3KdRNUVK7o1zrcs+oKhx51QI6q9WwrNgKMn0VSYxjUUqIzyRBX/NQwgS8e7gSCkxERm NVOwwpbOS8382cJUQRfwCdeb3oF73U8xjWIpAgy7+9/Cssn63L5mtKBHjcWM//nozyEaRW5LWYVMe N9ZfoxEKwyN2uK48HftaDIztlnncOv6iHfRmAFEpPI7rXxUDn6xhTFZXoK5CNfZZLra1JMBAW9qYg nQcvVAm6A==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1jqFpt-0008BW-47; Tue, 30 Jun 2020 12:58:05 +0000 Received: from szxga06-in.huawei.com ([45.249.212.32] helo=huawei.com) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1jqFpj-000886-BC for linux-mtd@lists.infradead.org; Tue, 30 Jun 2020 12:57:56 +0000 Received: from DGGEMS405-HUB.china.huawei.com (unknown [172.30.72.60]) by Forcepoint Email with ESMTP id EDF25D4331963481D348; Tue, 30 Jun 2020 20:57:46 +0800 (CST) Received: from huawei.com (10.90.53.225) by DGGEMS405-HUB.china.huawei.com (10.3.19.205) with Microsoft SMTP Server id 14.3.487.0; Tue, 30 Jun 2020 20:57:36 +0800 From: Hou Tao To: Richard Weinberger , Subject: [PATCH 3/3] ubifs: ensure only one in-memory xattr inode is created Date: Tue, 30 Jun 2020 21:04:38 +0800 Message-ID: <20200630130438.141649-4-houtao1@huawei.com> X-Mailer: git-send-email 2.25.0.4.g0ad7144999 In-Reply-To: <20200630130438.141649-1-houtao1@huawei.com> References: <20200630130438.141649-1-houtao1@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.90.53.225] X-CFilter-Loop: Reflected X-Spam-Note: CRM114 invocation failed X-Spam-Score: -2.3 (--) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-2.3 points) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [45.249.212.32 listed in list.dnswl.org] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record 0.0 RCVD_IN_MSPIKE_H4 RBL: Very Good reputation (+4) [45.249.212.32 listed in wl.mailspike.net] 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders X-BeenThere: linux-mtd@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux MTD discussion mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: houtao1@huawei.com Sender: "linux-mtd" Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org ubifs may create two in-memory inodes for one xattr if there are concurrent ubifs_xattr_get() and ubifs_xattr_set(), as show in the following case: ubifs_xattr_get() ubifs_xattr_set() // the first created inode A // fill inode A ubifs_new_inode() ubifs_jnl_update() // mapping xattr name to inum ubifs_tnc_add_nm() // add xattr inode node ubifs_tnc_add() // find inum through xattr name ubifs_tnc_lookup_nm() iget_xattr() ubifs_iget() // not found in hash table // so create a new inode B // and keep it in hash table iget_locked() // find xattr inode node // fill inode B ubifs_tnc_lookup unlock_new_inode // inode A is also inserted into // hash table If we update the xattr value afterwards, only the values in inode A will be updated. So when we ty to remove the xattr name, and in the same time get the xattr name, ubifs_xattr_get() may return the stale value in inode B, as show in the following case: ubifs_xattr_get() ubifs_xattr_remove() // get xattr inum ubifs_tnc_lookup_nm() // return inode A iget_xattr() clear_nlink() remove_xattr() iput() evict() ubifs_evict_inode() remove_inode_hash() // return inode B // return a stale xattr value iget_xattr() Fix it by moving insert_inode_hash() before ubifs_jnl_update(), but after the initialization of inode is completed, so only one inode is created for xattr value. Signed-off-by: Hou Tao --- fs/ubifs/xattr.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c index 82be2c2d2db5..10fcb454bb01 100644 --- a/fs/ubifs/xattr.c +++ b/fs/ubifs/xattr.c @@ -133,6 +133,15 @@ static int create_xattr(struct ubifs_info *c, struct inode *host, inode->i_size = ui->ui_size = size; ui->data_len = size; + /* + * Ensure iget_xattr() in ubifs_xattr_get() will find the inode + * instead of creating a new one. + * The initialization of xattr inode is completed here, so using + * insert_inode_hash() instead of insert_inode_locked(). The + * latter can lead to iget_xattr() return -ESTALE. + */ + insert_inode_hash(inode); + mutex_lock(&host_ui->ui_mutex); host->i_ctime = current_time(host); host_ui->xattr_cnt += 1; @@ -156,7 +165,6 @@ static int create_xattr(struct ubifs_info *c, struct inode *host, mutex_unlock(&host_ui->ui_mutex); ubifs_release_budget(c, &req); - insert_inode_hash(inode); iput(inode); return 0;