xfs: fix inode number overflow in ifree cluster helper

Brian Foster · djwong · commit d9fdd0adf932 · 2020-04-02T08:19:25.000-07:00
Qian Cai reports seemingly random buffer read verifier errors during filesystem writeback. This was isolated to a recent patch that factored out some inode cluster freeing code and happened to cast an unsigned inode number type to a signed value. If the inode number value overflows, we can skip marking in-core inodes associated with the underlying buffer stale at the time the physical inodes are freed. If such an inode happens to be dirty, xfsaild will eventually attempt to write it back over non-inode blocks. The invalidation of the underlying inode buffer causes writeback to read the buffer from disk. This fails the read verifier (preventing eventual corruption) if the buffer no longer looks like an inode cluster. Analysis by Dave Chinner. Fix up the helper to use the proper type for inode number values. Fixes: 5806165 ("xfs: factor inode lookup from xfs_ifree_cluster") Reported-by: Qian Cai <cai@lca.pw> Signed-off-by: Brian Foster <bfoster@redhat.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c
@@ -2511,7 +2511,7 @@ static struct xfs_inode *
 xfs_ifree_get_one_inode(
 	struct xfs_perag	*pag,
 	struct xfs_inode	*free_ip,
-	int			inum)
+	xfs_ino_t		inum)
 {
 	struct xfs_mount	*mp = pag->pag_mount;
 	struct xfs_inode	*ip;

Original file line number	Diff line number	Diff line change
`@@ -2511,7 +2511,7 @@ static struct xfs_inode *`
`2511`	`2511`	`xfs_ifree_get_one_inode(`
`2512`	`2512`	`struct xfs_perag *pag,`
`2513`	`2513`	`struct xfs_inode *free_ip,`
`2514`		`- int inum)`
	`2514`	`+ xfs_ino_t inum)`
`2515`	`2515`	`{`
`2516`	`2516`	`struct xfs_mount *mp = pag->pag_mount;`
`2517`	`2517`	`struct xfs_inode *ip;`