Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'jfs-6.14' of github.com:kleikamp/linux-shaggy

Pull jfs updates from David Kleikamp:
"Various bug fixes and cleanups for JFS"

* tag 'jfs-6.14' of github.com:kleikamp/linux-shaggy:
jfs: add index corruption check to DT_GETPAGE()
fs/jfs: consolidate sanity checking in dbMount
jfs: add sanity check for agwidth in dbMount
jfs: Prevent copying of nlink with value 0 from disk inode
fs/jfs: Prevent integer overflow in AG size calculation
fs/jfs: cast inactags to s64 to prevent potential overflow
jfs: Fix uninit-value access of imap allocated in the diMount() function
jfs: fix slab-out-of-bounds read in ea_get()
jfs: add check read-only before truncation in jfs_truncate_nolock()
jfs: add check read-only before txBeginAnon() call
jfs: reject on-disk inodes of an unsupported type
jfs: Remove reference to bh->b_page
jfs: Delete a couple tabs in jfs_reconfigure()

+50 -40
+1 -1
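--- a/fs/jfs/inode.c
+++ b/fs/jfs/inode.c
@@ -369,7 +369,7 @@
 
 	ASSERT(length >= 0);
 
-	if (test_cflag(COMMIT_Nolink, ip)) {
+	if (test_cflag(COMMIT_Nolink, ip) || isReadOnly(ip)) {
 		xtTruncate(0, ip, length, COMMIT_WMAP);
 		return;
 	}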
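Review bot: The new `isReadOnly(ip)` term in the condition carries no comment saying why a read-only inode takes the same branch as `COMMIT_Nolink`, and that branch still calls `xtTruncate(0, ip, length, COMMIT_WMAP)` before it returns. A one-line comment above the `if` would record the intent, for example `/* read-only inode: truncate the working map only and return, as for COMMIT_Nolink */`. What isReadOnly() actually tests is not visible here, so the author should confirm that wording. The enclosing function starts and ends outside this section.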
+12 -27
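--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -178,41 +178,26 @@
 	dbmp_le = (struct dbmap_disk *) mp->data;
 	bmp->db_mapsize = le64_to_cpu(dbmp_le->dn_mapsize);
 	bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);
-
 	bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
-	if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE ||
-		bmp->db_l2nbperpage < 0) {
-		err = -EINVAL;
-		goto err_release_metapage;
-	}
-
 	bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
-	if (!bmp->db_numag || bmp->db_numag > MAXAG) {
-		err = -EINVAL;
-		goto err_release_metapage;
-	}
-
 	bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
 	bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
 	bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
-	if (bmp->db_maxag >= MAXAG || bmp->db_maxag < 0 ||
-		bmp->db_agpref >= MAXAG || bmp->db_agpref < 0) {
-		err = -EINVAL;
-		goto err_release_metapage;
-	}
-
 	bmp->db_aglevel = le32_to_cpu(dbmp_le->dn_aglevel);
 	bmp->db_agheight = le32_to_cpu(dbmp_le->dn_agheight);
 	bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
 	bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
 	bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
-	if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG ||
-		bmp->db_agl2size < 0) {
-		err = -EINVAL;
-		goto err_release_metapage;
-	}
 
-	if (((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG) {
+	if ((bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) ||
+	    (bmp->db_l2nbperpage < 0) ||
+	    !bmp->db_numag || (bmp->db_numag > MAXAG) ||
+	    (bmp->db_maxag >= MAXAG) || (bmp->db_maxag < 0) ||
+	    (bmp->db_agpref >= MAXAG) || (bmp->db_agpref < 0) ||
+	    !bmp->db_agwidth ||
+	    (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) ||
+	    (bmp->db_agl2size < 0) ||
+	    ((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG) {
 		err = -EINVAL;
 		goto err_release_metapage;
 	}
@@ -3388,7 +3403,7 @@
 	oldl2agsize = bmp->db_agl2size;
 
 	bmp->db_agl2size = l2agsize;
-	bmp->db_agsize = 1 << l2agsize;
+	bmp->db_agsize = (s64)1 << l2agsize;
 
 	/* compute new number of AG */
 	agno = bmp->db_numag;
@@ -3651,8 +3666,8 @@
 	 * system size is not a multiple of the group size).
 	 */
 	inactfree = (inactags && ag_rem) ?
-	    ((inactags - 1) << bmp->db_agl2size) + ag_rem
-	    : inactags << bmp->db_agl2size;
+	    (((s64)inactags - 1) << bmp->db_agl2size) + ag_rem
+	    : ((s64)inactags << bmp->db_agl2size);
 
 	/* determine how many free blocks are in the active
 	 * allocation groups plus the average number of free blocks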
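Review bot: The consolidated condition at the end of the first hunk still leaves `db_maxlevel`, `db_aglevel`, `db_agheight` and `db_agstart` unchecked, although they are read from the on-disk dbmap in the same run of `le32_to_cpu()` assignments as the fields that are now validated. If later code uses them as tree heights or array offsets (not visible here), a corrupted or crafted image can still supply out-of-range values. They belong in this same `if`, bounded by whatever limits the dmap headers define for the tree geometry. Until then a comment such as `/* db_maxlevel, db_aglevel, db_agheight, db_agstart are not range-checked here */` would keep the gap visible. The function, presumably dbMount, starts and ends outside the hunk.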
+2 -1
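--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -117,7 +117,8 @@
 	if (!(RC)) { \
 		if (((P)->header.nextindex > \
 		     (((BN) == 0) ? DTROOTMAXSLOT : (P)->header.maxslot)) || \
-		    ((BN) && ((P)->header.maxslot > DTPAGEMAXSLOT))) { \
+		    ((BN) && (((P)->header.maxslot > DTPAGEMAXSLOT) || \
+		    ((P)->header.stblindex >= DTPAGEMAXSLOT)))) { \
 			BT_PUTPAGE(MP); \
 			jfs_error((IP)->i_sb, \
 				  "DT_GETPAGE: dtree page corrupt\n"); \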
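Review bot: The added `stblindex` test compares against the constant `DTPAGEMAXSLOT` only, while the `nextindex` test two lines above uses the page's own `(P)->header.maxslot`. A non-root page whose `maxslot` is smaller than `DTPAGEMAXSLOT` can therefore still carry a `stblindex` beyond its own slots and pass. Since `maxslot` is already bounded by `DTPAGEMAXSLOT` in the same condition, `((P)->header.stblindex >= (P)->header.maxslot)` would be the tighter bound, provided no valid page layout relies on the looser one. The field's type is not visible here; if it is signed, a negative value also passes a `>=` test and needs its own check. The macro continues outside this section.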
+10
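--- a/fs/jfs/jfs_extent.c
+++ b/fs/jfs/jfs_extent.c
@@ -74,6 +74,11 @@
 	int rc;
 	int xflag;
 
+	if (isReadOnly(ip)) {
+		jfs_error(ip->i_sb, "read-only filesystem\n");
+		return -EIO;
+	}
+
 	/* This blocks if we are low on resources */
 	txBeginAnon(ip->i_sb);
 
@@ -257,6 +252,11 @@
 int extRecord(struct inode *ip, xad_t * xp)
 {
 	int rc;
+
+	if (isReadOnly(ip)) {
+		jfs_error(ip->i_sb, "read-only filesystem\n");
+		return -EIO;
+	}
 
 	txBeginAnon(ip->i_sb);
 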
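Review bot: Both added guards return `-EIO` for a state that their own message calls a read-only filesystem. `-EROFS` is the errno that callers and user space normally use to tell that state apart from a media error, so `return -EROFS;` may be the better value unless existing callers depend on `-EIO`. The two guards also log the identical string `"read-only filesystem\n"`, so the log does not show which function refused the request unless jfs_error() adds the caller itself (not visible here). The function that contains the first guard starts outside the hunk.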
+13 -4
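--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -102,7 +102,7 @@
 	 * allocate/initialize the in-memory inode map control structure
 	 */
 	/* allocate the in-memory inode map control structure. */
-	imap = kmalloc(sizeof(struct inomap), GFP_KERNEL);
+	imap = kzalloc(sizeof(struct inomap), GFP_KERNEL);
 	if (imap == NULL)
 		return -ENOMEM;
 
@@ -456,7 +456,7 @@
 	dp += inum % 8;		/* 8 inodes per 4K page */
 
 	/* copy on-disk inode to in-memory inode */
-	if ((copy_from_dinode(dp, ip)) != 0) {
+	if ((copy_from_dinode(dp, ip) != 0) || (ip->i_nlink == 0)) {
 		/* handle bad return by returning NULL for ip */
 		set_nlink(ip, 1);	/* Don't want iput() deleting it */
 		iput(ip);
@@ -3029,14 +3029,23 @@
  *
  * RETURN VALUES:
  *	0 - success
- *	-ENOMEM - insufficient memory
+ *	-EINVAL - unexpected inode type
  */
 static int copy_from_dinode(struct dinode * dip, struct inode *ip)
 {
 	struct jfs_inode_info *jfs_ip = JFS_IP(ip);
 	struct jfs_sb_info *sbi = JFS_SBI(ip->i_sb);
+	int fileset = le32_to_cpu(dip->di_fileset);
 
-	jfs_ip->fileset = le32_to_cpu(dip->di_fileset);
+	switch (fileset) {
+	case AGGR_RESERVED_I: case AGGREGATE_I: case BMAP_I:
+	case LOG_I: case BADBLOCK_I: case FILESYSTEM_I:
+		break;
+	default:
+		return -EINVAL;
+	}
+
+	jfs_ip->fileset = fileset;
 	jfs_ip->mode2 = le32_to_cpu(dip->di_mode);
 	jfs_set_inode_flags(ip);
 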
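Review bot: The updated RETURN VALUES comment above copy_from_dinode() says `-EINVAL - unexpected inode type`, but the new `switch` tests `di_fileset`, not the mode or type. `-EINVAL - di_fileset is not one of the known fileset numbers` would describe the check as written. In the second hunk the caller now also treats `ip->i_nlink == 0` as a failure, while the comment beneath it still reads `handle bad return by returning NULL for ip`; `/* bad return or zero link count from disk: return NULL for ip */` would cover both cases. Neither rejection path logs anything in the visible lines, so a corrupted image fails silently here unless the caller reports it elsewhere. copy_from_dinode's body continues outside the hunk.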
+3 -3
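--- a/fs/jfs/super.c
+++ b/fs/jfs/super.c
@@ -389,8 +389,8 @@
 
 	if (!ctx->newLVSize) {
 		ctx->newLVSize = sb_bdev_nr_blocks(sb);
-			if (ctx->newLVSize == 0)
-				pr_err("JFS: Cannot determine volume size\n");
+		if (ctx->newLVSize == 0)
+			pr_err("JFS: Cannot determine volume size\n");
 	}
 
 	rc = jfs_extendfs(sb, ctx->newLVSize, 0);
@@ -766,7 +766,7 @@
 		}
 		lock_buffer(bh);
 		memcpy(bh->b_data+offset, data, tocopy);
-		flush_dcache_page(bh->b_page);
+		flush_dcache_folio(bh->b_folio);
 		set_buffer_uptodate(bh);
 		mark_buffer_dirty(bh);
 		unlock_buffer(bh);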
+9 -4
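--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -559,11 +559,16 @@
 
 size_check:
 	if (EALIST_SIZE(ea_buf->xattr) != ea_size) {
-		int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));
+		if (unlikely(EALIST_SIZE(ea_buf->xattr) > INT_MAX)) {
+			printk(KERN_ERR "ea_get: extended attribute size too large: %u > INT_MAX\n",
+			       EALIST_SIZE(ea_buf->xattr));
+		} else {
+			int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));
 
-		printk(KERN_ERR "ea_get: invalid extended attribute\n");
-		print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1,
-				     ea_buf->xattr, size, 1);
+			printk(KERN_ERR "ea_get: invalid extended attribute\n");
+			print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1,
+				       ea_buf->xattr, size, 1);
+		}
 		ea_release(inode, ea_buf);
 		rc = -EIO;
 		goto clean_up;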
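Review bot: In the `else` branch the hex dump still writes up to `size` bytes of raw extended-attribute content to the kernel log, and `size` is bounded only by `ea_size` and the list size read from the buffer, both of which presumably come from the disk image. A corrupted or crafted filesystem can therefore flood the log, and copy attribute data into it, every time this path is hit. Capping the dump at a small fixed length and rate-limiting both messages, for example `printk_ratelimited(KERN_ERR "ea_get: invalid extended attribute\n");`, would bound that. ea_get's body starts and ends outside this section.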