Skip to content

Commit

Permalink
nilfs2: fix incorrect inode allocation from reserved inodes
Browse files Browse the repository at this point in the history
If the bitmap block that manages the inode allocation status is corrupted,
nilfs_ifile_create_inode() may allocate a new inode from the reserved
inode area where it should not be allocated.

Previous fix commit d325dc6 ("nilfs2: fix use-after-free bug of
struct nilfs_root"), fixed the problem that reserved inodes with inode
numbers less than NILFS_USER_INO (=11) were incorrectly reallocated due to
bitmap corruption, but since the start number of non-reserved inodes is
read from the super block and may change, in which case inode allocation
may occur from the extended reserved inode area.

If that happens, access to that inode will cause an IO error, causing the
file system to degrade to an error state.

Fix this potential issue by adding a wraparound option to the common
metadata object allocation routine and by modifying
nilfs_ifile_create_inode() to disable the option so that it only allocates
inodes with inode numbers greater than or equal to the inode number read
in "nilfs->ns_first_ino", regardless of the bitmap status of reserved
inodes.

Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Ryusuke Konishi <[email protected]>
Cc: Hillf Danton <[email protected]>
Cc: Jan Kara <[email protected]>
Cc: Matthew Wilcox (Oracle) <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
  • Loading branch information
konis authored and akpm00 committed Jul 3, 2024
1 parent bb76c6c commit 93aef9e
Show file tree
Hide file tree
Showing 4 changed files with 20 additions and 12 deletions.
19 changes: 15 additions & 4 deletions fs/nilfs2/alloc.c
Original file line number Diff line number Diff line change
Expand Up @@ -377,11 +377,12 @@ void *nilfs_palloc_block_get_entry(const struct inode *inode, __u64 nr,
* @target: offset number of an entry in the group (start point)
* @bsize: size in bits
* @lock: spin lock protecting @bitmap
* @wrap: whether to wrap around
*/
static int nilfs_palloc_find_available_slot(unsigned char *bitmap,
unsigned long target,
unsigned int bsize,
spinlock_t *lock)
spinlock_t *lock, bool wrap)
{
int pos, end = bsize;

Expand All @@ -397,6 +398,8 @@ static int nilfs_palloc_find_available_slot(unsigned char *bitmap,

end = target;
}
if (!wrap)
return -ENOSPC;

/* wrap around */
for (pos = 0; pos < end; pos++) {
Expand Down Expand Up @@ -495,9 +498,10 @@ int nilfs_palloc_count_max_entries(struct inode *inode, u64 nused, u64 *nmaxp)
* nilfs_palloc_prepare_alloc_entry - prepare to allocate a persistent object
* @inode: inode of metadata file using this allocator
* @req: nilfs_palloc_req structure exchanged for the allocation
* @wrap: whether to wrap around
*/
int nilfs_palloc_prepare_alloc_entry(struct inode *inode,
struct nilfs_palloc_req *req)
struct nilfs_palloc_req *req, bool wrap)
{
struct buffer_head *desc_bh, *bitmap_bh;
struct nilfs_palloc_group_desc *desc;
Expand All @@ -516,7 +520,7 @@ int nilfs_palloc_prepare_alloc_entry(struct inode *inode,
entries_per_group = nilfs_palloc_entries_per_group(inode);

for (i = 0; i < ngroups; i += n) {
if (group >= ngroups) {
if (group >= ngroups && wrap) {
/* wrap around */
group = 0;
maxgroup = nilfs_palloc_group(inode, req->pr_entry_nr,
Expand Down Expand Up @@ -550,7 +554,14 @@ int nilfs_palloc_prepare_alloc_entry(struct inode *inode,
bitmap_kaddr = kmap_local_page(bitmap_bh->b_page);
bitmap = bitmap_kaddr + bh_offset(bitmap_bh);
pos = nilfs_palloc_find_available_slot(
bitmap, group_offset, entries_per_group, lock);
bitmap, group_offset, entries_per_group, lock,
wrap);
/*
* Since the search for a free slot in the second and
* subsequent bitmap blocks always starts from the
* beginning, the wrap flag only has an effect on the
* first search.
*/
kunmap_local(bitmap_kaddr);
if (pos >= 0)
goto found;
Expand Down
4 changes: 2 additions & 2 deletions fs/nilfs2/alloc.h
Original file line number Diff line number Diff line change
Expand Up @@ -50,8 +50,8 @@ struct nilfs_palloc_req {
struct buffer_head *pr_entry_bh;
};

int nilfs_palloc_prepare_alloc_entry(struct inode *,
struct nilfs_palloc_req *);
int nilfs_palloc_prepare_alloc_entry(struct inode *inode,
struct nilfs_palloc_req *req, bool wrap);
void nilfs_palloc_commit_alloc_entry(struct inode *,
struct nilfs_palloc_req *);
void nilfs_palloc_abort_alloc_entry(struct inode *, struct nilfs_palloc_req *);
Expand Down
2 changes: 1 addition & 1 deletion fs/nilfs2/dat.c
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,7 @@ int nilfs_dat_prepare_alloc(struct inode *dat, struct nilfs_palloc_req *req)
{
int ret;

ret = nilfs_palloc_prepare_alloc_entry(dat, req);
ret = nilfs_palloc_prepare_alloc_entry(dat, req, true);
if (ret < 0)
return ret;

Expand Down
7 changes: 2 additions & 5 deletions fs/nilfs2/ifile.c
Original file line number Diff line number Diff line change
Expand Up @@ -56,13 +56,10 @@ int nilfs_ifile_create_inode(struct inode *ifile, ino_t *out_ino,
struct nilfs_palloc_req req;
int ret;

req.pr_entry_nr = 0; /*
* 0 says find free inode from beginning
* of a group. dull code!!
*/
req.pr_entry_nr = NILFS_FIRST_INO(ifile->i_sb);
req.pr_entry_bh = NULL;

ret = nilfs_palloc_prepare_alloc_entry(ifile, &req);
ret = nilfs_palloc_prepare_alloc_entry(ifile, &req, false);
if (!ret) {
ret = nilfs_palloc_get_entry_block(ifile, req.pr_entry_nr, 1,
&req.pr_entry_bh);
Expand Down

0 comments on commit 93aef9e

Please sign in to comment.