xfs: growfs overruns AGFL buffer on V4 filesystems
authorDave Chinner <dchinner@redhat.com>
Thu, 21 Nov 2013 04:41:06 +0000 (15:41 +1100)
committerBen Myers <bpm@sgi.com>
Tue, 10 Dec 2013 16:04:27 +0000 (10:04 -0600)
commitf94c44573e7c22860e2c3dfe349c45f72ba35ad3
tree088e5c2e9cab8439e088fbabc6d6831a8570602f
parent2f42d612e7d4c4fb1819ea7b2b6e18938714ae7a
xfs: growfs overruns AGFL buffer on V4 filesystems

This loop in xfs_growfs_data_private() is incorrect for V4
superblocks filesystems:

for (bucket = 0; bucket < XFS_AGFL_SIZE(mp); bucket++)
agfl->agfl_bno[bucket] = cpu_to_be32(NULLAGBLOCK);

For V4 filesystems, we don't have a agfl header structure, and so
XFS_AGFL_SIZE() returns an entire sector's worth of entries, which
we then index from an offset into the sector. Hence: buffer overrun.

This problem was introduced in 3.10 by commit 77c95bba ("xfs: add
CRC checks to the AGFL") which changed the AGFL structure but failed
to update the growfs code to handle the different structures.

Fix it by using the correct offset into the buffer for both V4 and
V5 filesystems.

Cc: <stable@vger.kernel.org>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Jie Liu <jeff.liu@oracle.com>
Signed-off-by: Ben Myers <bpm@sgi.com>
(cherry picked from commit b7d961b35b3ab69609aeea93f870269cb6e7ba4d)
fs/xfs/xfs_fsops.c