Commit 85b0027e authored by Dave Chinner, committed by Long Li

xfs: fix bounds check in xfs_defer_agfl_block()

mainline inclusion
from mainline-v6.4-rc6
commit 2bed0d82
category: bugfix
bugzilla: 188883, https://gitee.com/openeuler/kernel/issues/I76JSK
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2bed0d82c2f78b91a0a9a5a73da57ee883a0c070



--------------------------------

Need to happen before we allocate and then leak the xefi. Found by
coverity via an xfsprogs libxfs scan.

[djwong: This also fixes the type of the @agbno argument.]

Fixes: 7dfee17b ("xfs: validate block number being freed before adding to xefi")
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Long Li <leo.lilong@huawei.com>

Conflicts:
	fs/xfs/libxfs/xfs_alloc.c
parent e9b69fdb
+6 −5
@@ -2488,25 +2488,26 @@ static int
xfs_defer_agfl_block(
	struct xfs_trans		*tp,
	xfs_agnumber_t			agno,
	xfs_fsblock_t			agbno,
	xfs_agblock_t			agbno,
	struct xfs_owner_info		*oinfo)
{
	struct xfs_mount		*mp = tp->t_mountp;
	struct xfs_extent_free_item	*new;		/* new element */
	xfs_fsblock_t			fsbno = XFS_AGB_TO_FSB(mp, agno, agbno);

	ASSERT(xfs_extfree_item_cache != NULL);
	ASSERT(oinfo != NULL);

	if (XFS_IS_CORRUPT(mp, !xfs_verify_fsbno(mp, fsbno)))
		return -EFSCORRUPTED;

	new = kmem_cache_zalloc(xfs_extfree_item_cache,
			       GFP_KERNEL | __GFP_NOFAIL);
	new->xefi_startblock = XFS_AGB_TO_FSB(mp, agno, agbno);
	new->xefi_startblock = fsbno;
	new->xefi_blockcount = 1;
	new->xefi_owner = oinfo->oi_owner;
	new->xefi_agresv = XFS_AG_RESV_AGFL;

	if (XFS_IS_CORRUPT(mp, !xfs_verify_fsbno(mp, new->xefi_startblock)))
		return -EFSCORRUPTED;

	trace_xfs_agfl_free_defer(mp, agno, 0, agbno, 1);

	xfs_defer_add(tp, XFS_DEFER_OPS_TYPE_AGFL_FREE, &new->xefi_list);
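
Review bot: The ordering requirement on the XFS_IS_CORRUPT(mp, !xfs_verify_fsbno(mp, fsbno)) check, which has to run before kmem_cache_zalloc() so that the -EFSCORRUPTED return cannot leave an allocated xefi behind, is recorded only in the commit message; a one-line comment above the check would keep a later refactor from moving it back below the allocation. Separately, the agbno parameter narrows from xfs_fsblock_t to xfs_agblock_t, and the callers are not part of this hunk, so it is worth confirming that each one already passes an AG-relative block number rather than relying on implicit truncation.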