
Merge tag 'jfs-6.16' of github.com:kleikamp/linux-shaggy

Pull jfs updates from David Kleikamp:
"A few small fixes for jfs"

* tag 'jfs-6.16' of github.com:kleikamp/linux-shaggy:
jfs: fix array-index-out-of-bounds read in add_missing_indices
jfs: Fix null-ptr-deref in jfs_ioc_trim
jfs: validate AG parameters in dbMount() to prevent crashes

+22 -5
+2 -1
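--- a/fs/jfs/jfs_discard.c
+++ b/fs/jfs/jfs_discard.c
@@ -86,7 +86,8 @@
  down_read(&sb->s_umount);
  bmp = JFS_SBI(ip->i_sb)->bmap;
 
- if (minlen > bmp->db_agsize ||
+ if (bmp == NULL ||
+ minlen > bmp->db_agsize ||
  start >= bmp->db_mapsize ||
  range->len < sb->s_blocksize) {
  up_read(&sb->s_umount);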
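Review bot: The added `bmp == NULL` test carries no comment saying when `JFS_SBI(ip->i_sb)->bmap` can legitimately be NULL, so a reader cannot tell a supported mount state from a masked bug. The guard works only because `||` short-circuits before `bmp->db_agsize` is read, so I would put `/* bmap may be unset for this mount; must be tested before any bmp-> dereference */` above the condition, naming the actual circumstance once confirmed. The rejection path continues past the hunk, so the errno returned for the NULL case cannot be checked from these lines; a value distinct from the range-validation failures would make the two cases easier to separate in logs.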
+5 -1
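--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -194,7 +194,11 @@
  !bmp->db_numag || (bmp->db_numag > MAXAG) ||
  (bmp->db_maxag >= MAXAG) || (bmp->db_maxag < 0) ||
  (bmp->db_agpref >= MAXAG) || (bmp->db_agpref < 0) ||
- !bmp->db_agwidth ||
+ (bmp->db_agheight < 0) || (bmp->db_agheight > (L2LPERCTL >> 1)) ||
+ (bmp->db_agwidth < 1) || (bmp->db_agwidth > (LPERCTL / MAXAG)) ||
+ (bmp->db_agwidth > (1 << (L2LPERCTL - (bmp->db_agheight << 1)))) ||
+ (bmp->db_agstart < 0) ||
+ (bmp->db_agstart > (CTLTREESIZE - 1 - bmp->db_agwidth * (MAXAG - 1))) ||
  (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) ||
  (bmp->db_agl2size < 0) ||
  ((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG) {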
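Review bot: Two of the new clauses compute with on-disk fields, `1 << (L2LPERCTL - (bmp->db_agheight << 1))` and `bmp->db_agwidth * (MAXAG - 1)`, and they are well-defined only because the range tests on db_agheight and db_agwidth come earlier in the same `||` chain. Nothing in the code marks that ordering as load-bearing, so a later reorder or inserted clause could let a corrupted image produce an out-of-range shift count. I would add `/* order matters: later clauses shift and multiply by fields already bounded above */` over the chain. The `< 0` tests presume these fields are signed, which should be confirmed against the struct declaration since it is not visible here; the condition itself begins above the hunk.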
+15 -3
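--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -2613,7 +2613,7 @@
  * fsck.jfs should really fix this, but it currently does not.
  * Called from jfs_readdir when bad index is detected.
  */
- static void add_missing_indices(struct inode *inode, s64 bn)
+ static int add_missing_indices(struct inode *inode, s64 bn)
  {
  struct ldtentry *d;
  struct dt_lock *dtlck;
@@ -2622,7 +2622,7 @@
  struct lv *lv;
  struct metapage *mp;
  dtpage_t *p;
- int rc;
+ int rc = 0;
  s8 *stbl;
  tid_t tid;
  struct tlock *tlck;
@@ -2647,6 +2647,16 @@
 
  stbl = DT_GETSTBL(p);
  for (i = 0; i < p->header.nextindex; i++) {
+ if (stbl[i] < 0) {
+ jfs_err("jfs: add_missing_indices: Invalid stbl[%d] = %d for inode %ld, block = %lld",
+ i, stbl[i], (long)inode->i_ino, (long long)bn);
+ rc = -EIO;
+
+ DT_PUTPAGE(mp);
+ txAbort(tid, 0);
+ goto end;
+ }
+
  d = (struct ldtentry *) &p->slot[stbl[i]];
  index = le32_to_cpu(d->index);
  if ((index < 2) || (index >= JFS_IP(inode)->next_index)) {
@@ -2674,6 +2664,7 @@
  (void) txCommit(tid, 1, &inode, 0);
  end:
  txEnd(tid);
+ return rc;
  }
 
  /*
@@ -3028,7 +3017,8 @@
  }
 
  if (fix_page) {
- add_missing_indices(ip, bn);
+ if ((rc = add_missing_indices(ip, bn)))
+ goto out;
  page_fixed = 1;
  }
 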
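Review bot: The new guard at the top of the loop rejects a negative `stbl[i]`, but the loop bound `p->header.nextindex` is read from the same page and is not range-checked in the visible lines, so on a corrupted page `stbl[i]` itself may be read past the table before the guard ever sees it. The part of add_missing_indices between the declarations and the loop lies outside the hunks, so this may already be validated there; if it is not, a bound check on nextindex ahead of the `for` belongs with this fix. A one-line comment over the guard, `/* stbl[] is on-disk data; a negative entry would index before p->slot[] */`, would also record why the test exists. Separately, in the last hunk `if ((rc = add_missing_indices(ip, bn)))` buries an assignment in the condition; `rc = add_missing_indices(ip, bn);` followed by `if (rc)` is the usual kernel form.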