Merge tag 'jfs-6.12' of github.com:kleikamp/linux-shaggy

Pull jfs updates from David Kleikamp:
"A few fixes for jfs"

* tag 'jfs-6.12' of github.com:kleikamp/linux-shaggy:
jfs: Fix uninit-value access of new_ea in ea_buffer
jfs: check if leafidx greater than num leaves per dmap tree
jfs: Fix uaf in dbFreeBits
jfs: fix out-of-bounds in dbNextAG() and diAlloc()
jfs: UBSAN: shift-out-of-bounds in dbFindBits

+19 -7
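--- a/fs/jfs/jfs_discard.c
+++ b/fs/jfs/jfs_discard.c
@@ -65,7 +65,7 @@
 int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range)
 {
 struct inode *ipbmap = JFS_SBI(ip->i_sb)->ipbmap;
-struct bmap *bmp = JFS_SBI(ip->i_sb)->bmap;
+struct bmap *bmp;
 struct super_block *sb = ipbmap->i_sb;
 int agno, agno_end;
 u64 start, end, minlen;
@@ -83,10 +83,15 @@
 if (minlen == 0)
 minlen = 1;
 
+down_read(&sb->s_umount);
+bmp = JFS_SBI(ip->i_sb)->bmap;
+
 if (minlen > bmp->db_agsize ||
 start >= bmp->db_mapsize ||
-range->len < sb->s_blocksize)
+range->len < sb->s_blocksize) {
+up_read(&sb->s_umount);
 return -EINVAL;
+}
 
 if (end >= bmp->db_mapsize)
 end = bmp->db_mapsize - 1;
@@ -100,6 +105,8 @@
 trimmed += dbDiscardAG(ip, agno, minlen);
 agno++;
 }
+
+up_read(&sb->s_umount);
 range->len = trimmed << sb->s_blocksize_bits;
 
 return 0;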
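Review bot: `bmp` is now loaded under `s_umount`, but it is dereferenced on the very next statement (`bmp->db_agsize`) without a NULL check. If `JFS_SBI(ip->i_sb)->bmap` can be cleared while the superblock stays alive (a read-only remount, for example; not visible here), the use-after-free turns into a NULL dereference. Consider `if (!bmp) { up_read(&sb->s_umount); return -EIO; }` directly after the assignment. Also, `ipbmap` and `sb = ipbmap->i_sb` are still initialised before the lock is taken; `sb = ip->i_sb` would avoid dereferencing `ipbmap` outside the lock. The body of jfs_ioc_trim continues between and after the hunks shown.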
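--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -187,7 +187,7 @@
 }
 
 bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
-if (!bmp->db_numag) {
+if (!bmp->db_numag || bmp->db_numag >= MAXAG) {
 err = -EINVAL;
 goto err_release_metapage;
 }
@@ -652,7 +652,7 @@
 * average free space.
 */
 for (i = 0 ; i < bmp->db_numag; i++, agpref++) {
-if (agpref == bmp->db_numag)
+if (agpref >= bmp->db_numag)
 agpref = 0;
 
 if (atomic_read(&bmp->db_active[agpref]))
@@ -2944,9 +2944,10 @@
 static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl)
 {
 int ti, n = 0, k, x = 0;
-int max_size;
+int max_size, max_idx;
 
 max_size = is_ctl ? CTLTREESIZE : TREESIZE;
+max_idx = is_ctl ? LPERCTL : LPERDMAP;
 
 /* first check the root of the tree to see if there is
 * sufficient free space.
@@ -2978,6 +2979,8 @@
 */
 assert(n < 4);
 }
+if (le32_to_cpu(tp->dmt_leafidx) >= max_idx)
+return -ENOSPC;
 
 /* set the return to the leftmost leaf describing sufficient
 * free space.
@@ -3022,7 +3025,7 @@
 
 /* scan the word for nb free bits at nb alignments.
 */
-for (bitno = 0; mask != 0; bitno += nb, mask >>= nb) {
+for (bitno = 0; mask != 0; bitno += nb, mask = (mask >> nb)) {
 if ((mask & word) == mask)
 break;
 }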
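Review bot: In the last hunk, `mask = (mask >> nb)` is the same operation as the `mask >>= nb` it replaces, so if `nb` can equal the bit width of `mask` the shift is still undefined and only the expression's shape has changed. A guard that actually bounds the shift is needed, for example `mask = (nb < DBWORD) ? (mask >> nb) : 0` (assuming `mask` is a 32-bit word; its declaration is outside the hunk). Separately, in the first hunk `bmp->db_numag >= MAXAG` also rejects a map with exactly MAXAG allocation groups. If `db_active` has MAXAG entries and indices stop at `db_numag - 1`, as the wrap in the second hunk suggests, `> MAXAG` is the bound that keeps valid filesystems mountable.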
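--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -1360,7 +1360,7 @@
 /* get the ag number of this iag */
 agno = BLKTOAG(JFS_IP(pip)->agstart, JFS_SBI(pip->i_sb));
 dn_numag = JFS_SBI(pip->i_sb)->bmap->db_numag;
-if (agno < 0 || agno > dn_numag)
+if (agno < 0 || agno > dn_numag || agno >= MAXAG)
 return -EIO;
 
 if (atomic_read(&JFS_SBI(pip->i_sb)->bmap->db_active[agno])) {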
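Review bot: `agno > dn_numag` still lets `agno == dn_numag` through, so the `db_active[agno]` read two lines later can refer to an allocation group one past the count. The added `agno >= MAXAG` clause only keeps that index inside the array. If valid group numbers run from 0 to `dn_numag - 1` (not shown in this hunk), the test should be `if (agno < 0 || agno >= dn_numag || agno >= MAXAG)`. The enclosing function starts and ends outside the hunk.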
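--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -434,6 +434,8 @@
 int rc;
 int quota_allocation = 0;
 
+memset(&ea_buf->new_ea, 0, sizeof(ea_buf->new_ea));
+
 /* When fsck.jfs clears a bad ea, it doesn't clear the size */
 if (ji->ea.flag == 0)
 ea_size = 0;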
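Review bot: The added `memset` has no comment saying why `new_ea` must be cleared, and the comment that follows it is about something else (fsck.jfs and `ea_size`). A line such as `/* Zero new_ea so paths that never fill it do not expose stale fields */` above the call would keep a later cleanup from dropping it as redundant. Which paths read `new_ea` is not visible in this hunk, so the wording should be checked against the rest of the function.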