[fs/lustre-release.git] / lustre / kernel_patches / patches / ext3-extents-bug11324.patch
1 Index: linux-stage/fs/ext3/extents.c
2 ===================================================================
3 --- linux-stage.orig/fs/ext3/extents.c  2007-04-17 22:09:19.000000000 -0700
4 +++ linux-stage/fs/ext3/extents.c       2007-04-17 22:12:05.000000000 -0700
5 @@ -44,26 +44,49 @@
6  #include <asm/uaccess.h>
7  
8  
9 -static inline int ext3_ext_check_header(struct ext3_extent_header *eh)
10 -{
11 -       if (eh->eh_magic != EXT3_EXT_MAGIC) {
12 -               printk(KERN_ERR "EXT3-fs: invalid magic = 0x%x\n",
13 -                      (unsigned)eh->eh_magic);
14 -               return -EIO;
15 -       }
16 -       if (eh->eh_max == 0) {
17 -               printk(KERN_ERR "EXT3-fs: invalid eh_max = %u\n",
18 -                      (unsigned)eh->eh_max);
19 -               return -EIO;
20 -       }
21 -       if (eh->eh_entries > eh->eh_max) {
22 -               printk(KERN_ERR "EXT3-fs: invalid eh_entries = %u\n",
23 -                      (unsigned)eh->eh_entries);
24 -               return -EIO;
25 +static int __ext3_ext_check_header(const char *function, struct inode *inode,
26 +                               struct ext3_extent_header *eh, int depth,
27 +                               int max)
28 +{
29 +       const char *error_msg = NULL;
30 +
31 +       if (unlikely(eh->eh_magic != EXT3_EXT_MAGIC)) {
32 +               error_msg = "invalid magic";
33 +               goto corrupted;
34 +       }
35 +       if (unlikely(eh->eh_depth != depth)) {
36 +               error_msg = "unexpected eh_depth";
37 +               goto corrupted;
38 +       }
39 +       if (unlikely(eh->eh_max == 0)) {
40 +               error_msg = "too small eh_max";
41 +               goto corrupted;
42 +       }
43 +       if (unlikely(eh->eh_max > max)) {
44 +               error_msg = "too large eh_max";
45 +               goto corrupted;
46 +       }
47 +       if (unlikely(eh->eh_entries > eh->eh_max)) {
48 +               error_msg = "invalid eh_entries";
49 +               goto corrupted;
50         }
51         return 0;
52 +
53 +corrupted:
54 +       ext3_error(inode->i_sb, function,
55 +                       "bad header in inode #%lu: %s - magic %x, "
56 +                       "entries %u, max %u(%u), depth %u(%u)",
57 +                       inode->i_ino, error_msg, eh->eh_magic,
58 +                       eh->eh_entries, eh->eh_max, max,
59 +                       eh->eh_depth, depth);
60 +
61 +       return -EIO;
62  }
63  
64 +#define ext3_ext_check_header(inode,eh,depth,max)      \
65 +       __ext3_ext_check_header(__FUNCTION__,inode,eh,depth,max)
66 +
67 +
68  static handle_t *ext3_ext_journal_restart(handle_t *handle, int needed)
69  {
70         int err;
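Review bot: `__ext3_ext_check_header()` accepts a header with `eh_entries == 0` at any depth, while the later hunk at `-296,10` removes `EXT_ASSERT(eh->eh_entries > 0)` from the index binary search, so nothing visible in this patch rejects an empty index block read from disk any more. If an index block with no entries is never valid on disk, the checker is the place to say so, e.g. `if (unlikely(depth > 0 && eh->eh_entries == 0)) { error_msg = "empty index block"; goto corrupted; }`. The binary-search body lies outside the hunks shown, so how it behaves with zero entries should be confirmed.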
71 @@ -226,6 +249,26 @@
72         return size;
73  }
74  
75 +static inline int
76 +ext3_ext_max_entries(struct ext3_extents_tree *tree, int root, int depth)
77 +{
78 +       int max;
79 +
80 +       if (root) {
81 +               if (depth == 0)
82 +                       max = ext3_ext_space_root(tree);
83 +               else
84 +                       max = ext3_ext_space_root_idx(tree);
85 +       } else {
86 +               if (depth == 0)
87 +                       max = ext3_ext_space_block(tree);
88 +               else
89 +                       max = ext3_ext_space_block_idx(tree);
90 +       }
91 +
92 +       return max;
93 +}
94 +
95  static void ext3_ext_show_path(struct ext3_extents_tree *tree,
96                                struct ext3_ext_path *path)
97  {
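Review bot: `ext3_ext_max_entries()` has no comment, and the meaning of its two integer arguments is only recoverable from the call sites: `root` appears to select the in-inode header versus a separate block, and `depth == 0` the leaf capacity rather than the index capacity. A short header comment would make its role in the corruption check clear, for example `/* upper bound for eh_max of a header at this position; derived from the tree geometry, never from the on-disk header */`. The four `ext3_ext_space_*()` helpers are defined outside this hunk, so the second half of that comment is presumed and should be confirmed against them.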
98 @@ -296,10 +339,6 @@
99         struct ext3_extent_idx *ix;
100         int l = 0, k, r;
101  
102 -       EXT_ASSERT(eh->eh_magic == EXT3_EXT_MAGIC);
103 -       EXT_ASSERT(eh->eh_entries <= eh->eh_max);
104 -       EXT_ASSERT(eh->eh_entries > 0);
105 -
106         ext_debug(tree, "binsearch for %d(idx):  ", block);
107  
108         path->p_idx = ix = EXT_FIRST_INDEX(eh);
109 @@ -359,9 +398,6 @@
110         struct ext3_extent *ex;
111         int l = 0, k, r;
112  
113 -       EXT_ASSERT(eh->eh_magic == EXT3_EXT_MAGIC);
114 -       EXT_ASSERT(eh->eh_entries <= eh->eh_max);
115 -
116         if (eh->eh_entries == 0) {
117                 /*
118                  * this leaf is empty yet:
119 @@ -436,6 +472,7 @@
120         struct ext3_extent_header *eh;
121         struct buffer_head *bh;
122         int depth, i, ppos = 0;
123 +       int max;
124  
125         EXT_ASSERT(tree);
126         EXT_ASSERT(tree->inode);
127 @@ -443,17 +480,15 @@
128  
129         eh = EXT_ROOT_HDR(tree);
130         EXT_ASSERT(eh);
131 -       if (ext3_ext_check_header(eh)) {
132 +       i = depth = EXT_DEPTH(tree);
133 +       max = ext3_ext_max_entries(tree, 1, i);
134 +       if (ext3_ext_check_header(tree->inode, eh, i, max)) {
135                 /* don't free previously allocated path
136                  * -- caller should take care */
137                 path = NULL;
138                 goto err;
139         }
140  
141 -       i = depth = EXT_DEPTH(tree);
142 -       EXT_ASSERT(eh->eh_max);
143 -       EXT_ASSERT(eh->eh_magic == EXT3_EXT_MAGIC);
144 -       
145         /* account possible depth increase */
146         if (!path) {
147                 path = kmalloc(sizeof(struct ext3_ext_path) * (depth + 2),
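Review bot: The expected depth handed to the root check is `EXT_DEPTH(tree)`, and if that macro reads `eh_depth` from the same root header (its definition is not in this hunk), the new `unexpected eh_depth` test can never fail for the root and a corrupted depth stays unbounded. That value then sizes the `kmalloc()` of `depth + 2` path entries just below and selects the `max` bound. Consider rejecting an implausible depth before the header check, e.g. `if (depth < 0 || depth > MAX_TREE_DEPTH_PLACEHOLDER) { path = NULL; goto err; }`, where the limit is a placeholder for whatever maximum the on-disk format allows. The root check added in the hunk at `-1730,7` has the same shape. The enclosing function starts and ends outside this hunk.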
148 @@ -484,8 +519,10 @@
149                 path[ppos].p_hdr = eh;
150                 i--;
151  
152 -               if (ext3_ext_check_header(eh))
153 +               max = ext3_ext_max_entries(tree, 0, i);
154 +               if (ext3_ext_check_header(tree->inode, eh, i, max))
155                         goto err;
156 +       
157         }
158  
159         path[ppos].p_depth = i;
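Review bot: The line added after `goto err;` contains only whitespace and should be dropped from the patch. Other hunks in this patch (for example the one at `-1740,16`) clean up whitespace-only lines, so adding a new one here is inconsistent. The loop this sits in begins outside the hunk.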
160 @@ -493,9 +530,6 @@
161         path[ppos].p_ext = NULL;
162         path[ppos].p_idx = NULL;
163  
164 -       if (ext3_ext_check_header(eh))
165 -               goto err;
166 -
167         /* find extent */
168         ext3_ext_binsearch(tree, path + ppos, block);
169  
170 @@ -1545,6 +1579,8 @@
171         ext_debug(tree, "remove [%lu:%lu] in leaf\n", start, end);
172         if (!path[depth].p_hdr)
173                 path[depth].p_hdr = EXT_BLOCK_HDR(path[depth].p_bh);
174 +
175 +       /* the header must be checked already in ext3_ext_remove_space() */
176         eh = path[depth].p_hdr;
177         EXT_ASSERT(eh);
178         EXT_ASSERT(eh->eh_entries <= eh->eh_max);
179 @@ -1707,7 +1743,7 @@
180         int depth = EXT_DEPTH(tree);
181         struct ext3_ext_path *path;
182         handle_t *handle;
183 -       int i = 0, err = 0;
184 +       int i = 0, err = 0, max;
185  
186         ext_debug(tree, "space to be removed: %lu:%lu\n", start, end);
187  
188 @@ -1730,7 +1766,13 @@
189         }
190         memset(path, 0, sizeof(struct ext3_ext_path) * (depth + 1));
191         path[i].p_hdr = EXT_ROOT_HDR(tree);
192 -       
193 +
194 +       max = ext3_ext_max_entries(tree, 1, depth);
195 +       if (ext3_ext_check_header(inode, path[i].p_hdr, depth, max)) {
196 +               err = -EIO;
197 +               goto out;
198 +       }
199 +
200         while (i >= 0 && err == 0) {
201                 if (i == depth) {
202                         /* this is leaf block */
203 @@ -1740,16 +1782,13 @@
204                         i--;
205                         continue;
206                 }
207 -               
208 +
209                 /* this is index block */
210                 if (!path[i].p_hdr) {
211                         ext_debug(tree, "initialize header\n");
212                         path[i].p_hdr = EXT_BLOCK_HDR(path[i].p_bh);
213                 }
214  
215 -               EXT_ASSERT(path[i].p_hdr->eh_entries <= path[i].p_hdr->eh_max);
216 -               EXT_ASSERT(path[i].p_hdr->eh_magic == EXT3_EXT_MAGIC);
217 -               
218                 if (!path[i].p_idx) {
219                         /* this level hasn't touched yet */
220                         path[i].p_idx =
221 @@ -1776,6 +1815,14 @@
222                                 err = -EIO;
223                                 break;
224                         }
225 +                       BUG_ON(i + 1 > depth);
226 +                       max = ext3_ext_max_entries(tree, 0, depth - i - 1);
227 +                       if (ext3_ext_check_header(inode,
228 +                                               EXT_BLOCK_HDR(path[i+1].p_bh),
229 +                                               depth - i - 1, max)) {
230 +                               err = -EIO;
231 +                               break;
232 +                       }
233                         /* put actual number of indexes to know is this
234                          * number got changed at the next iteration */
235                         path[i].p_block = path[i].p_hdr->eh_entries;
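Review bot: When the new header check fails, the code breaks out of the loop with `path[i+1].p_bh` presumably still holding the buffer that was just read, and the visible cleanup at `out:` only calls `kfree(path)` and `ext3_journal_stop(handle)`. Unless code outside these hunks releases the buffers still referenced by `path`, the error path should drop it first: `brelse(path[i+1].p_bh); path[i+1].p_bh = NULL;` before `err = -EIO;`. The assignment of `path[i+1].p_bh` is above the hunk, so this is inferred from the `EXT_BLOCK_HDR(path[i+1].p_bh)` argument.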
236 @@ -1796,7 +1843,7 @@
237         }
238  
239         /* TODO: flexible tree reduction should be here */
240 -       if (path->p_hdr->eh_entries == 0) {
241 +       if (err == 0 && path->p_hdr->eh_entries == 0) {
242                 /*
243                  * truncate to zero freed all the tree
244                  * so, we need to correct eh_depth
245 @@ -1810,6 +1857,7 @@
246         }
247         ext3_ext_tree_changed(tree);
248  
249 +out:
250         kfree(path);
251         ext3_journal_stop(handle);
252