WSL2-Linux-Kernel/fs/xfs
Richard Wareing b31ff3cdf5 xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present
If using a kernel with CONFIG_XFS_RT=y and we set the RHINHERIT flag on
a directory in a filesystem that does not have a realtime device and
create a new file in that directory, it gets marked as a real time file.
When data is written and a fsync is issued, the filesystem attempts to
flush a non-existent rt device during the fsync process.

This results in a crash dereferencing a null buftarg pointer in
xfs_blkdev_issue_flush():

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
  IP: xfs_blkdev_issue_flush+0xd/0x20
  .....
  Call Trace:
    xfs_file_fsync+0x188/0x1c0
    vfs_fsync_range+0x3b/0xa0
    do_fsync+0x3d/0x70
    SyS_fsync+0x10/0x20
    do_syscall_64+0x4d/0xb0
    entry_SYSCALL64_slow_path+0x25/0x25

Setting RT inode flags does not require special privileges so any
unprivileged user can cause this oops to occur.  To reproduce, confirm
kernel is compiled with CONFIG_XFS_RT=y and run:

  # mkfs.xfs -f /dev/pmem0
  # mount /dev/pmem0 /mnt/test
  # mkdir /mnt/test/foo
  # xfs_io -c 'chattr +t' /mnt/test/foo
  # xfs_io -f -c 'pwrite 0 5m' -c fsync /mnt/test/foo/bar

Or just run xfstests with MKFS_OPTIONS="-d rtinherit=1" and wait.

Kernels built with CONFIG_XFS_RT=n are not exposed to this bug.

Fixes: f538d4da8d ("[XFS] write barrier support")
Cc: <stable@vger.kernel.org>
Signed-off-by: Richard Wareing <rwareing@fb.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-09-12 20:02:22 -07:00
..
libxfs xfs: fix compiler warnings 2017-09-02 08:22:19 -07:00
Kconfig xfs: define fatal assert build time tunable 2017-06-19 08:59:10 -07:00
Makefile xfs: use the common helper uuid_is_null() 2017-06-05 16:59:08 +02:00
kmem.c mm, vmalloc: use __GFP_HIGHMEM implicitly 2017-05-08 17:15:13 -07:00
kmem.h xfs: map KM_MAYFAIL to __GFP_RETRY_MAYFAIL 2017-07-12 16:26:03 -07:00
mrlock.h
xfs.h xfs: define fatal assert build time tunable 2017-06-19 08:59:10 -07:00
xfs_acl.c xfs: Don't clear SGID when inheriting ACLs 2017-06-27 18:23:21 -07:00
xfs_acl.h xfs: Don't clear SGID when inheriting ACLs 2017-06-27 18:23:21 -07:00
xfs_aops.c libnvdimm for 4.14 2017-09-11 13:10:57 -07:00
xfs_aops.h xfs: perform dax_device lookup at mount 2017-08-31 09:31:47 -07:00
xfs_attr.h xfs: pass along transaction context when reading xattr block buffers 2017-06-20 10:45:22 -07:00
xfs_attr_inactive.c xfs: refactor xfs_trans_roll 2017-09-01 10:55:30 -07:00
xfs_attr_list.c xfs: assert locking precondіtion in xfs_attr_list_int_ilocked 2017-07-13 14:55:05 -07:00
xfs_bmap_item.c xfs: remove the ip argument to xfs_defer_finish 2017-09-01 10:55:30 -07:00
xfs_bmap_item.h
xfs_bmap_util.c xfs: rewrite xfs_bmap_count_leaves using xfs_iext_get_extent 2017-09-01 13:08:26 -07:00
xfs_bmap_util.h xfs: rewrite xfs_bmap_count_leaves using xfs_iext_get_extent 2017-09-01 13:08:26 -07:00
xfs_buf.c libnvdimm for 4.14 2017-09-11 13:10:57 -07:00
xfs_buf.h xfs: perform dax_device lookup at mount 2017-08-31 09:31:47 -07:00
xfs_buf_item.c xfs: fix compiler warnings 2017-09-02 08:22:19 -07:00
xfs_buf_item.h xfs: remove unnecessary dirty bli format check for ordered bufs 2017-09-01 10:55:30 -07:00
xfs_dir2_readdir.c xfs: pass along transaction context when reading directory block buffers 2017-06-20 10:45:22 -07:00
xfs_discard.c xfs: remove double-underscore integer types 2017-06-19 14:11:33 -07:00
xfs_discard.h xfs: don't block the log commit handler for discards 2017-02-09 11:36:40 -08:00
xfs_dquot.c xfs: remove the ip argument to xfs_defer_finish 2017-09-01 10:55:30 -07:00
xfs_dquot.h
xfs_dquot_item.c
xfs_dquot_item.h
xfs_error.c xfs: add log item pinning error injection tag 2017-08-22 09:22:24 -07:00
xfs_error.h xfs: add log item pinning error injection tag 2017-08-22 09:22:24 -07:00
xfs_export.c
xfs_export.h
xfs_extent_busy.c xfs: fix len comparison in xfs_extent_busy_trim 2017-02-16 17:20:12 -08:00
xfs_extent_busy.h xfs: improve handling of busy extents in the low-level allocator 2017-02-09 10:50:25 -08:00
xfs_extfree_item.c xfs: better log intent item refcount checking 2017-04-25 09:40:42 -07:00
xfs_extfree_item.h
xfs_file.c Merge branch 'akpm' (patches from Andrew) 2017-09-06 20:49:49 -07:00
xfs_filestream.c
xfs_filestream.h
xfs_fsmap.c xfs: only return detailed fsmap info if the caller has CAP_SYS_ADMIN 2017-05-16 12:26:16 -07:00
xfs_fsmap.h xfs: implement the GETFSMAP ioctl 2017-04-03 15:18:17 -07:00
xfs_fsops.c xfs: remove double-underscore integer types 2017-06-19 14:11:33 -07:00
xfs_fsops.h xfs: remove double-underscore integer types 2017-06-19 14:11:33 -07:00
xfs_globals.c xfs: define fatal assert build time tunable 2017-06-19 08:59:10 -07:00
xfs_icache.c xfs: check for race with xfs_reclaim_inode() in xfs_ifree_cluster() 2017-09-01 10:55:30 -07:00
xfs_icache.h xfs: check if an inode is cached and allocated 2017-06-19 14:11:34 -07:00
xfs_icreate_item.c fs: xfs: xfs_icreate_item: constify xfs_item_ops structure 2016-11-28 14:57:42 +11:00
xfs_icreate_item.h
xfs_inode.c xfs: remove the ip argument to xfs_defer_finish 2017-09-01 10:55:30 -07:00
xfs_inode.h xfs: Switch to iomap for SEEK_HOLE / SEEK_DATA 2017-07-02 22:46:13 -07:00
xfs_inode_item.c xfs: Properly retry failed inode items in case of error during buffer writeback 2017-08-22 09:22:23 -07:00
xfs_inode_item.h
xfs_ioctl.c xfs: don't set v3 xflags for v2 inodes 2017-09-02 08:22:19 -07:00
xfs_ioctl.h xfs: remove double-underscore integer types 2017-06-19 14:11:33 -07:00
xfs_ioctl32.c xfs: implement the GETFSMAP ioctl 2017-04-03 15:18:17 -07:00
xfs_ioctl32.h xfs: remove double-underscore integer types 2017-06-19 14:11:33 -07:00
xfs_iomap.c libnvdimm for 4.14 2017-09-11 13:10:57 -07:00
xfs_iomap.h xfs: introduce xfs_aligned_fsb_count 2017-02-06 17:47:46 -08:00
xfs_iops.c xfs: fix compiler warnings 2017-09-02 08:22:19 -07:00
xfs_iops.h
xfs_itable.c xfs: export various function for the online scrubber 2017-06-19 14:11:34 -07:00
xfs_itable.h xfs: export various function for the online scrubber 2017-06-19 14:11:34 -07:00
xfs_linux.h xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present 2017-09-12 20:02:22 -07:00
xfs_log.c xfs: fix incorrect log_flushed on fsync 2017-09-01 13:08:26 -07:00
xfs_log.h xfs: remove double-underscore integer types 2017-06-19 14:11:33 -07:00
xfs_log_cil.c xfs: Fix leak of discard bio 2017-08-04 13:43:36 -07:00
xfs_log_priv.h xfs: remove double-underscore integer types 2017-06-19 14:11:33 -07:00
xfs_log_recover.c xfs: fix compiler warnings 2017-09-02 08:22:19 -07:00
xfs_message.c xfs: define bug_on_assert debug mode sysfs tunable 2017-06-19 08:59:10 -07:00
xfs_message.h
xfs_mount.c xfs: don't leak quotacheck dquots when cow recovery 2017-08-17 12:40:33 -07:00
xfs_mount.h xfs: convert drop_writes to use the errortag mechanism 2017-06-27 18:23:20 -07:00
xfs_mru_cache.c
xfs_mru_cache.h
xfs_ondisk.h
xfs_pnfs.c xfs: remove i_iolock and use i_rwsem in the VFS inode instead 2016-11-30 14:33:25 +11:00
xfs_pnfs.h xfs: remove i_iolock and use i_rwsem in the VFS inode instead 2016-11-30 14:33:25 +11:00
xfs_qm.c xfs: replace xfs_qm_get_rtblks with a direct call to xfs_bmap_count_leaves 2017-09-01 13:08:26 -07:00
xfs_qm.h
xfs_qm_bhv.c xfs: remove double-underscore integer types 2017-06-19 14:11:33 -07:00
xfs_qm_syscalls.c xfs: wait on new inodes during quotaoff dquot release 2017-04-28 08:11:08 -07:00
xfs_quota.h
xfs_quotaops.c xfs: remove a whitespace-only line from xfs_fs_get_nextdqblk 2017-07-01 21:09:33 -07:00
xfs_refcount_item.c xfs: remove the ip argument to xfs_defer_finish 2017-09-01 10:55:30 -07:00
xfs_refcount_item.h
xfs_reflink.c xfs: remove the ip argument to xfs_defer_finish 2017-09-01 10:55:30 -07:00
xfs_reflink.h xfs: separate function to check if inode shares extents 2017-06-19 14:11:35 -07:00
xfs_rmap_item.c xfs: better log intent item refcount checking 2017-04-25 09:40:42 -07:00
xfs_rmap_item.h
xfs_rtalloc.c xfs: remove the ip argument to xfs_defer_finish 2017-09-01 10:55:30 -07:00
xfs_rtalloc.h xfs: export various function for the online scrubber 2017-06-19 14:11:34 -07:00
xfs_stats.c xfs: remove double-underscore integer types 2017-06-19 14:11:33 -07:00
xfs_stats.h xfs: remove double-underscore integer types 2017-06-19 14:11:33 -07:00
xfs_super.c libnvdimm for 4.14 2017-09-11 13:10:57 -07:00
xfs_super.h xfs: don't block the log commit handler for discards 2017-02-09 11:36:40 -08:00
xfs_symlink.c xfs: remove the ip argument to xfs_defer_finish 2017-09-01 10:55:30 -07:00
xfs_symlink.h xfs: allow reading of already-locked remote symbolic link 2017-06-20 10:45:22 -07:00
xfs_sysctl.c
xfs_sysctl.h xfs: define bug_on_assert debug mode sysfs tunable 2017-06-19 08:59:10 -07:00
xfs_sysfs.c xfs: replace log_badcrc_factor knob with error injection tag 2017-06-27 18:23:21 -07:00
xfs_sysfs.h
xfs_trace.c xfs: implement the GETFSMAP ioctl 2017-04-03 15:18:17 -07:00
xfs_trace.h xfs: consolidate the various page fault handlers 2017-09-01 10:55:30 -07:00
xfs_trans.c xfs: refactor xfs_trans_roll 2017-09-01 10:55:30 -07:00
xfs_trans.h xfs: disallow marking previously dirty buffers as ordered 2017-09-01 10:55:30 -07:00
xfs_trans_ail.c xfs: add log item pinning error injection tag 2017-08-22 09:22:24 -07:00
xfs_trans_bmap.c xfs: try to avoid blowing out the transaction reservation when bunmaping a shared extent 2017-06-19 08:59:10 -07:00
xfs_trans_buf.c xfs: disallow marking previously dirty buffers as ordered 2017-09-01 10:55:30 -07:00
xfs_trans_dquot.c
xfs_trans_extfree.c
xfs_trans_inode.c xfs: refactor xfs_trans_roll 2017-09-01 10:55:30 -07:00
xfs_trans_priv.h xfs: Properly retry failed inode items in case of error during buffer writeback 2017-08-22 09:22:23 -07:00
xfs_trans_refcount.c
xfs_trans_rmap.c xfs: remove double-underscore integer types 2017-06-19 14:11:33 -07:00
xfs_xattr.c xfs: several xattr functions can be void 2016-12-05 12:32:14 +11:00