ext4: fix unaligned memory access in ext4_fc_reserve_space()

As is done elsewhere in the file, build the struct ext4_fc_tl on the
stack and memcpy() it into the buffer, rather than directly writing it
to a potentially-unaligned location in the buffer.

Fixes: aa75f4d3daae ("ext4: main fast-commit commit path")
Cc: <stable@vger.kernel.org> # v5.10+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20221106224841.279231-6-ebiggers@kernel.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c
index d5ad4b2..892fa7c 100644 (file)
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -675,6 +675,15 @@ static void ext4_fc_submit_bh(struct super_block *sb, bool is_tail)
 
 /* Ext4 commit path routines */
 
+/* memcpy to fc reserved space and update CRC */
+static void *ext4_fc_memcpy(struct super_block *sb, void *dst, const void *src,
+                               int len, u32 *crc)
+{
+       if (crc)
+               *crc = ext4_chksum(EXT4_SB(sb), *crc, src, len);
+       return memcpy(dst, src, len);
+}
+
 /* memzero and update CRC */
 static void *ext4_fc_memzero(struct super_block *sb, void *dst, int len,
                                u32 *crc)
@@ -700,12 +709,13 @@ static void *ext4_fc_memzero(struct super_block *sb, void *dst, int len,
  */
 static u8 *ext4_fc_reserve_space(struct super_block *sb, int len, u32 *crc)
 {
-       struct ext4_fc_tl *tl;
+       struct ext4_fc_tl tl;
        struct ext4_sb_info *sbi = EXT4_SB(sb);
        struct buffer_head *bh;
        int bsize = sbi->s_journal->j_blocksize;
        int ret, off = sbi->s_fc_bytes % bsize;
        int pad_len;
+       u8 *dst;
 
        /*
         * After allocating len, we should have space at least for a 0 byte
@@ -729,16 +739,18 @@ static u8 *ext4_fc_reserve_space(struct super_block *sb, int len, u32 *crc)
                return sbi->s_fc_bh->b_data + off;
        }
        /* Need to add PAD tag */
-       tl = (struct ext4_fc_tl *)(sbi->s_fc_bh->b_data + off);
-       tl->fc_tag = cpu_to_le16(EXT4_FC_TAG_PAD);
+       dst = sbi->s_fc_bh->b_data + off;
+       tl.fc_tag = cpu_to_le16(EXT4_FC_TAG_PAD);
        pad_len = bsize - off - 1 - EXT4_FC_TAG_BASE_LEN;
-       tl->fc_len = cpu_to_le16(pad_len);
-       if (crc)
-               *crc = ext4_chksum(sbi, *crc, tl, EXT4_FC_TAG_BASE_LEN);
-       if (pad_len > 0)
-               ext4_fc_memzero(sb, tl + 1, pad_len, crc);
+       tl.fc_len = cpu_to_le16(pad_len);
+       ext4_fc_memcpy(sb, dst, &tl, EXT4_FC_TAG_BASE_LEN, crc);
+       dst += EXT4_FC_TAG_BASE_LEN;
+       if (pad_len > 0) {
+               ext4_fc_memzero(sb, dst, pad_len, crc);
+               dst += pad_len;
+       }
        /* Don't leak uninitialized memory in the unused last byte. */
-       *((u8 *)(tl + 1) + pad_len) = 0;
+       *dst = 0;
 
        ext4_fc_submit_bh(sb, false);
 
@@ -750,15 +762,6 @@ static u8 *ext4_fc_reserve_space(struct super_block *sb, int len, u32 *crc)
        return sbi->s_fc_bh->b_data;
 }
 
-/* memcpy to fc reserved space and update CRC */
-static void *ext4_fc_memcpy(struct super_block *sb, void *dst, const void *src,
-                               int len, u32 *crc)
-{
-       if (crc)
-               *crc = ext4_chksum(EXT4_SB(sb), *crc, src, len);
-       return memcpy(dst, src, len);
-}
-
 /*
  * Complete a fast commit by writing tail tag.
  *