linux-next/fs/xfs/xfs_itable.c
Darrick J. Wong 2e616d9f9c xfs: fix stack contents leakage in the v1 inumber ioctls
Explicitly initialize the onstack structures to zero so we don't leak
kernel memory into userspace when converting the in-core inumbers
structure to the v1 inogrp ioctl structure.  Add a comment about why we
have to use memset to ensure that the padding holes in the structures
are set to zero.

Fixes: 5f19c7fc6873351 ("xfs: introduce v5 inode group structure")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
2019-07-28 21:12:32 -07:00

398 lines
10 KiB
C

// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (c) 2000-2002,2005 Silicon Graphics, Inc.
* All Rights Reserved.
*/
#include "xfs.h"
#include "xfs_fs.h"
#include "xfs_shared.h"
#include "xfs_format.h"
#include "xfs_log_format.h"
#include "xfs_trans_resv.h"
#include "xfs_mount.h"
#include "xfs_inode.h"
#include "xfs_btree.h"
#include "xfs_ialloc.h"
#include "xfs_ialloc_btree.h"
#include "xfs_iwalk.h"
#include "xfs_itable.h"
#include "xfs_error.h"
#include "xfs_icache.h"
#include "xfs_health.h"
/*
* Bulk Stat
* =========
*
* Use the inode walking functions to fill out struct xfs_bulkstat for every
* allocated inode, then pass the stat information to some externally provided
* iteration function.
*/
struct xfs_bstat_chunk {
bulkstat_one_fmt_pf formatter;
struct xfs_ibulk *breq;
struct xfs_bulkstat *buf;
};
/*
* Fill out the bulkstat info for a single inode and report it somewhere.
*
* bc->breq->lastino is effectively the inode cursor as we walk through the
* filesystem. Therefore, we update it any time we need to move the cursor
* forward, regardless of whether or not we're sending any bstat information
* back to userspace. If the inode is internal metadata or, has been freed
* out from under us, we just simply keep going.
*
* However, if any other type of error happens we want to stop right where we
* are so that userspace will call back with exact number of the bad inode and
* we can send back an error code.
*
* Note that if the formatter tells us there's no space left in the buffer we
* move the cursor forward and abort the walk.
*/
STATIC int
xfs_bulkstat_one_int(
struct xfs_mount *mp,
struct xfs_trans *tp,
xfs_ino_t ino,
struct xfs_bstat_chunk *bc)
{
struct xfs_icdinode *dic; /* dinode core info pointer */
struct xfs_inode *ip; /* incore inode pointer */
struct inode *inode;
struct xfs_bulkstat *buf = bc->buf;
int error = -EINVAL;
if (xfs_internal_inum(mp, ino))
goto out_advance;
error = xfs_iget(mp, tp, ino,
(XFS_IGET_DONTCACHE | XFS_IGET_UNTRUSTED),
XFS_ILOCK_SHARED, &ip);
if (error == -ENOENT || error == -EINVAL)
goto out_advance;
if (error)
goto out;
ASSERT(ip != NULL);
ASSERT(ip->i_imap.im_blkno != 0);
inode = VFS_I(ip);
dic = &ip->i_d;
/* xfs_iget returns the following without needing
* further change.
*/
buf->bs_projectid = xfs_get_projid(ip);
buf->bs_ino = ino;
buf->bs_uid = dic->di_uid;
buf->bs_gid = dic->di_gid;
buf->bs_size = dic->di_size;
buf->bs_nlink = inode->i_nlink;
buf->bs_atime = inode->i_atime.tv_sec;
buf->bs_atime_nsec = inode->i_atime.tv_nsec;
buf->bs_mtime = inode->i_mtime.tv_sec;
buf->bs_mtime_nsec = inode->i_mtime.tv_nsec;
buf->bs_ctime = inode->i_ctime.tv_sec;
buf->bs_ctime_nsec = inode->i_ctime.tv_nsec;
buf->bs_btime = dic->di_crtime.t_sec;
buf->bs_btime_nsec = dic->di_crtime.t_nsec;
buf->bs_gen = inode->i_generation;
buf->bs_mode = inode->i_mode;
buf->bs_xflags = xfs_ip2xflags(ip);
buf->bs_extsize_blks = dic->di_extsize;
buf->bs_extents = dic->di_nextents;
xfs_bulkstat_health(ip, buf);
buf->bs_aextents = dic->di_anextents;
buf->bs_forkoff = XFS_IFORK_BOFF(ip);
buf->bs_version = XFS_BULKSTAT_VERSION_V5;
if (dic->di_version == 3) {
if (dic->di_flags2 & XFS_DIFLAG2_COWEXTSIZE)
buf->bs_cowextsize_blks = dic->di_cowextsize;
}
switch (dic->di_format) {
case XFS_DINODE_FMT_DEV:
buf->bs_rdev = sysv_encode_dev(inode->i_rdev);
buf->bs_blksize = BLKDEV_IOSIZE;
buf->bs_blocks = 0;
break;
case XFS_DINODE_FMT_LOCAL:
buf->bs_rdev = 0;
buf->bs_blksize = mp->m_sb.sb_blocksize;
buf->bs_blocks = 0;
break;
case XFS_DINODE_FMT_EXTENTS:
case XFS_DINODE_FMT_BTREE:
buf->bs_rdev = 0;
buf->bs_blksize = mp->m_sb.sb_blocksize;
buf->bs_blocks = dic->di_nblocks + ip->i_delayed_blks;
break;
}
xfs_iunlock(ip, XFS_ILOCK_SHARED);
xfs_irele(ip);
error = bc->formatter(bc->breq, buf);
if (error == XFS_IBULK_ABORT)
goto out_advance;
if (error)
goto out;
out_advance:
/*
* Advance the cursor to the inode that comes after the one we just
* looked at. We want the caller to move along if the bulkstat
* information was copied successfully; if we tried to grab the inode
* but it's no longer allocated; or if it's internal metadata.
*/
bc->breq->startino = ino + 1;
out:
return error;
}
/* Bulkstat a single inode. */
int
xfs_bulkstat_one(
struct xfs_ibulk *breq,
bulkstat_one_fmt_pf formatter)
{
struct xfs_bstat_chunk bc = {
.formatter = formatter,
.breq = breq,
};
int error;
ASSERT(breq->icount == 1);
bc.buf = kmem_zalloc(sizeof(struct xfs_bulkstat),
KM_SLEEP | KM_MAYFAIL);
if (!bc.buf)
return -ENOMEM;
error = xfs_bulkstat_one_int(breq->mp, NULL, breq->startino, &bc);
kmem_free(bc.buf);
/*
* If we reported one inode to userspace then we abort because we hit
* the end of the buffer. Don't leak that back to userspace.
*/
if (error == XFS_IWALK_ABORT)
error = 0;
return error;
}
static int
xfs_bulkstat_iwalk(
struct xfs_mount *mp,
struct xfs_trans *tp,
xfs_ino_t ino,
void *data)
{
int error;
error = xfs_bulkstat_one_int(mp, tp, ino, data);
/* bulkstat just skips over missing inodes */
if (error == -ENOENT || error == -EINVAL)
return 0;
return error;
}
/*
* Check the incoming lastino parameter.
*
* We allow any inode value that could map to physical space inside the
* filesystem because if there are no inodes there, bulkstat moves on to the
* next chunk. In other words, the magic agino value of zero takes us to the
* first chunk in the AG, and an agino value past the end of the AG takes us to
* the first chunk in the next AG.
*
* Therefore we can end early if the requested inode is beyond the end of the
* filesystem or doesn't map properly.
*/
static inline bool
xfs_bulkstat_already_done(
struct xfs_mount *mp,
xfs_ino_t startino)
{
xfs_agnumber_t agno = XFS_INO_TO_AGNO(mp, startino);
xfs_agino_t agino = XFS_INO_TO_AGINO(mp, startino);
return agno >= mp->m_sb.sb_agcount ||
startino != XFS_AGINO_TO_INO(mp, agno, agino);
}
/* Return stat information in bulk (by-inode) for the filesystem. */
int
xfs_bulkstat(
struct xfs_ibulk *breq,
bulkstat_one_fmt_pf formatter)
{
struct xfs_bstat_chunk bc = {
.formatter = formatter,
.breq = breq,
};
int error;
if (xfs_bulkstat_already_done(breq->mp, breq->startino))
return 0;
bc.buf = kmem_zalloc(sizeof(struct xfs_bulkstat),
KM_SLEEP | KM_MAYFAIL);
if (!bc.buf)
return -ENOMEM;
error = xfs_iwalk(breq->mp, NULL, breq->startino, breq->flags,
xfs_bulkstat_iwalk, breq->icount, &bc);
kmem_free(bc.buf);
/*
* We found some inodes, so clear the error status and return them.
* The lastino pointer will point directly at the inode that triggered
* any error that occurred, so on the next call the error will be
* triggered again and propagated to userspace as there will be no
* formatted inodes in the buffer.
*/
if (breq->ocount > 0)
error = 0;
return error;
}
/* Convert bulkstat (v5) to bstat (v1). */
void
xfs_bulkstat_to_bstat(
struct xfs_mount *mp,
struct xfs_bstat *bs1,
const struct xfs_bulkstat *bstat)
{
/* memset is needed here because of padding holes in the structure. */
memset(bs1, 0, sizeof(struct xfs_bstat));
bs1->bs_ino = bstat->bs_ino;
bs1->bs_mode = bstat->bs_mode;
bs1->bs_nlink = bstat->bs_nlink;
bs1->bs_uid = bstat->bs_uid;
bs1->bs_gid = bstat->bs_gid;
bs1->bs_rdev = bstat->bs_rdev;
bs1->bs_blksize = bstat->bs_blksize;
bs1->bs_size = bstat->bs_size;
bs1->bs_atime.tv_sec = bstat->bs_atime;
bs1->bs_mtime.tv_sec = bstat->bs_mtime;
bs1->bs_ctime.tv_sec = bstat->bs_ctime;
bs1->bs_atime.tv_nsec = bstat->bs_atime_nsec;
bs1->bs_mtime.tv_nsec = bstat->bs_mtime_nsec;
bs1->bs_ctime.tv_nsec = bstat->bs_ctime_nsec;
bs1->bs_blocks = bstat->bs_blocks;
bs1->bs_xflags = bstat->bs_xflags;
bs1->bs_extsize = XFS_FSB_TO_B(mp, bstat->bs_extsize_blks);
bs1->bs_extents = bstat->bs_extents;
bs1->bs_gen = bstat->bs_gen;
bs1->bs_projid_lo = bstat->bs_projectid & 0xFFFF;
bs1->bs_forkoff = bstat->bs_forkoff;
bs1->bs_projid_hi = bstat->bs_projectid >> 16;
bs1->bs_sick = bstat->bs_sick;
bs1->bs_checked = bstat->bs_checked;
bs1->bs_cowextsize = XFS_FSB_TO_B(mp, bstat->bs_cowextsize_blks);
bs1->bs_dmevmask = 0;
bs1->bs_dmstate = 0;
bs1->bs_aextents = bstat->bs_aextents;
}
struct xfs_inumbers_chunk {
inumbers_fmt_pf formatter;
struct xfs_ibulk *breq;
};
/*
* INUMBERS
* ========
* This is how we export inode btree records to userspace, so that XFS tools
* can figure out where inodes are allocated.
*/
/*
* Format the inode group structure and report it somewhere.
*
* Similar to xfs_bulkstat_one_int, lastino is the inode cursor as we walk
* through the filesystem so we move it forward unless there was a runtime
* error. If the formatter tells us the buffer is now full we also move the
* cursor forward and abort the walk.
*/
STATIC int
xfs_inumbers_walk(
struct xfs_mount *mp,
struct xfs_trans *tp,
xfs_agnumber_t agno,
const struct xfs_inobt_rec_incore *irec,
void *data)
{
struct xfs_inumbers inogrp = {
.xi_startino = XFS_AGINO_TO_INO(mp, agno, irec->ir_startino),
.xi_alloccount = irec->ir_count - irec->ir_freecount,
.xi_allocmask = ~irec->ir_free,
.xi_version = XFS_INUMBERS_VERSION_V5,
};
struct xfs_inumbers_chunk *ic = data;
int error;
error = ic->formatter(ic->breq, &inogrp);
if (error && error != XFS_IBULK_ABORT)
return error;
ic->breq->startino = XFS_AGINO_TO_INO(mp, agno, irec->ir_startino) +
XFS_INODES_PER_CHUNK;
return error;
}
/*
* Return inode number table for the filesystem.
*/
int
xfs_inumbers(
struct xfs_ibulk *breq,
inumbers_fmt_pf formatter)
{
struct xfs_inumbers_chunk ic = {
.formatter = formatter,
.breq = breq,
};
int error = 0;
if (xfs_bulkstat_already_done(breq->mp, breq->startino))
return 0;
error = xfs_inobt_walk(breq->mp, NULL, breq->startino, breq->flags,
xfs_inumbers_walk, breq->icount, &ic);
/*
* We found some inode groups, so clear the error status and return
* them. The lastino pointer will point directly at the inode that
* triggered any error that occurred, so on the next call the error
* will be triggered again and propagated to userspace as there will be
* no formatted inode groups in the buffer.
*/
if (breq->ocount > 0)
error = 0;
return error;
}
/* Convert an inumbers (v5) struct to a inogrp (v1) struct. */
void
xfs_inumbers_to_inogrp(
struct xfs_inogrp *ig1,
const struct xfs_inumbers *ig)
{
/* memset is needed here because of padding holes in the structure. */
memset(ig1, 0, sizeof(struct xfs_inogrp));
ig1->xi_startino = ig->xi_startino;
ig1->xi_alloccount = ig->xi_alloccount;
ig1->xi_allocmask = ig->xi_allocmask;
}