From bba719b5004234e55737e7074b81b337210c511d Mon Sep 17 00:00:00 2001 From: Jie Liu Date: Wed, 1 Jan 2014 19:28:03 +0800 Subject: [PATCH 1/2] xfs: fix off-by-one error in xfs_attr3_rmt_verify With CRC check is enabled, if trying to set an attributes value just equal to the maximum size of XATTR_SIZE_MAX would cause the v3 remote attr write verification procedure failure, which would yield the back trace like below: XFS (sda7): Internal error xfs_attr3_rmt_write_verify at line 191 of file fs/xfs/xfs_attr_remote.c Call Trace: [] dump_stack+0x45/0x56 [] xfs_error_report+0x3b/0x40 [xfs] [] ? _xfs_buf_ioapply+0x6d/0x390 [xfs] [] xfs_corruption_error+0x55/0x80 [xfs] [] xfs_attr3_rmt_write_verify+0x14b/0x1a0 [xfs] [] ? _xfs_buf_ioapply+0x6d/0x390 [xfs] [] ? xfs_bdstrat_cb+0x55/0xb0 [xfs] [] _xfs_buf_ioapply+0x6d/0x390 [xfs] [] ? vm_map_ram+0x31a/0x460 [] ? wake_up_state+0x20/0x20 [] ? xfs_bdstrat_cb+0x55/0xb0 [xfs] [] xfs_buf_iorequest+0x6b/0xc0 [xfs] [] xfs_bdstrat_cb+0x55/0xb0 [xfs] [] xfs_bwrite+0x46/0x80 [xfs] [] xfs_attr_rmtval_set+0x334/0x490 [xfs] [] xfs_attr_leaf_addname+0x24a/0x410 [xfs] [] xfs_attr_set_int+0x223/0x470 [xfs] [] xfs_attr_set+0x96/0xb0 [xfs] [] xfs_xattr_set+0x42/0x70 [xfs] [] generic_setxattr+0x62/0x80 [] __vfs_setxattr_noperm+0x63/0x1b0 [] ? evm_inode_setxattr+0xe/0x10 [] vfs_setxattr+0xb5/0xc0 [] setxattr+0x12e/0x1c0 [] ? final_putname+0x22/0x50 [] ? putname+0x2b/0x40 [] ? user_path_at_empty+0x5f/0x90 [] ? __sb_start_write+0x49/0xe0 [] ? vm_mmap_pgoff+0x99/0xc0 [] SyS_setxattr+0x8f/0xe0 [] system_call_fastpath+0x1a/0x1f Tests: setfattr -n user.longxattr -v `perl -e 'print "A"x65536'` testfile This patch fix it to check the remote EA size is greater than the XATTR_SIZE_MAX rather than more than or equal to it, because it's valid if the specified EA value size is equal to the limitation as per VFS setxattr interface. Signed-off-by: Jie Liu Reviewed-by: Mark Tinguely Signed-off-by: Ben Myers (cherry picked from commit 85dd0707f0cad26d60f2dc574d17a5ab948d10f7) --- fs/xfs/xfs_attr_remote.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/xfs/xfs_attr_remote.c b/fs/xfs/xfs_attr_remote.c index 739e0a52deda..5549d69ddb45 100644 --- a/fs/xfs/xfs_attr_remote.c +++ b/fs/xfs/xfs_attr_remote.c @@ -110,7 +110,7 @@ xfs_attr3_rmt_verify( if (be32_to_cpu(rmt->rm_bytes) > fsbsize - sizeof(*rmt)) return false; if (be32_to_cpu(rmt->rm_offset) + - be32_to_cpu(rmt->rm_bytes) >= XATTR_SIZE_MAX) + be32_to_cpu(rmt->rm_bytes) > XATTR_SIZE_MAX) return false; if (rmt->rm_owner == 0) return false; From 1f4a63bf019524c96e79f088cd717b96ef00a249 Mon Sep 17 00:00:00 2001 From: Chuansheng Liu Date: Tue, 7 Jan 2014 16:53:34 +0800 Subject: [PATCH 2/2] xfs: Calling destroy_work_on_stack() to pair with INIT_WORK_ONSTACK() In case CONFIG_DEBUG_OBJECTS_WORK is defined, it is needed to call destroy_work_on_stack() which frees the debug object to pair with INIT_WORK_ONSTACK(). Signed-off-by: Liu, Chuansheng Reviewed-by: Ben Myers Signed-off-by: Ben Myers (cherry picked from commit 6f96b3063cdd473c68664a190524ed966ac0cd92) --- fs/xfs/xfs_bmap_util.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c index 1394106ed22d..82e0dab46ee5 100644 --- a/fs/xfs/xfs_bmap_util.c +++ b/fs/xfs/xfs_bmap_util.c @@ -287,6 +287,7 @@ xfs_bmapi_allocate( INIT_WORK_ONSTACK(&args->work, xfs_bmapi_allocate_worker); queue_work(xfs_alloc_wq, &args->work); wait_for_completion(&done); + destroy_work_on_stack(&args->work); return args->result; }