
Merge tag 'fs_for_v5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs

Pull quota, isofs, and reiserfs updates from Jan Kara:
"Fixes for handling of corrupted quota files, fix for handling of
corrupted isofs filesystem, and a small cleanup for reiserfs"

* tag 'fs_for_v5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
fs: reiserfs: remove useless new_opts in reiserfs_remount
isofs: Fix out of bound access for corrupted isofs image
quota: correct error number in free_dqentry()
quota: check block number when reading the block in quota file

+17 -6
+2
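--- a/fs/isofs/inode.c
+++ b/fs/isofs/inode.c
@@ -1322,6 +1322,8 @@
 
 de = (struct iso_directory_record *) (bh->b_data + offset);
 de_len = *(unsigned char *) de;
+if (de_len < sizeof(struct iso_directory_record))
+goto fail;
 
 if (offset + de_len > bufsize) {
 int frag1 = bufsize - offset;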
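Review bot: The added `goto fail` for `de_len < sizeof(struct iso_directory_record)` emits no diagnostic within this hunk, so a corrupted or crafted image is rejected with nothing in the log to say why, unless the `fail` label (outside the hunk) prints something. Because the image contents are untrusted, any message added here should be rate-limited so a malformed disc cannot flood the log, for example `pr_warn_ratelimited("isofs: directory record shorter than its fixed header\n");` before the jump. A short comment such as `/* fields read below assume at least the fixed-size header is present */` would also record why the minimum length is enforced before the fragment handling that follows. The enclosing function starts and ends outside the hunk.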
+15
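--- a/fs/quota/quota_tree.c
+++ b/fs/quota/quota_tree.c
@@ -414,6 +414,7 @@
 quota_error(dquot->dq_sb, "Quota structure has offset to "
 "other block (%u) than it should (%u)", blk,
 (uint)(dquot->dq_off >> info->dqi_blocksize_bits));
+ret = -EIO;
 goto out_buf;
 }
 ret = read_blk(info, blk, buf);
@@ -479,6 +480,13 @@
 goto out_buf;
 }
 newblk = le32_to_cpu(ref[get_index(info, dquot->dq_id, depth)]);
+if (newblk < QT_TREEOFF || newblk >= info->dqi_blocks) {
+quota_error(dquot->dq_sb, "Getting block too big (%u >= %u)",
+newblk, info->dqi_blocks);
+ret = -EUCLEAN;
+goto out_buf;
+}
+
 if (depth == info->dqi_qtree_depth - 1) {
 ret = free_dqentry(info, dquot, newblk);
 newblk = 0;
@@ -578,6 +586,13 @@
 blk = le32_to_cpu(ref[get_index(info, dquot->dq_id, depth)]);
 if (!blk) /* No reference? */
 goto out_buf;
+if (blk < QT_TREEOFF || blk >= info->dqi_blocks) {
+quota_error(dquot->dq_sb, "Getting block too big (%u >= %u)",
+blk, info->dqi_blocks);
+ret = -EUCLEAN;
+goto out_buf;
+}
+
 if (depth < info->dqi_qtree_depth - 1)
 ret = find_tree_dqentry(info, dquot, blk, depth+1);
 else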
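Review bot: The message "Getting block too big (%u >= %u)" is also printed when the reference is below `QT_TREEOFF`, where it reports a comparison that did not fail and will mislead whoever triages the corrupted quota file. This applies to both range checks, the one on `newblk` before `free_dqentry()` and the one on `blk` before the `find_tree_dqentry()` recursion. Wording that covers both bounds would be clearer, for example `quota_error(dquot->dq_sb, "Getting block %u out of range %u-%u", newblk, QT_TREEOFF, info->dqi_blocks - 1);`, with a cast on `QT_TREEOFF` if it is not an unsigned value. Separately, the first hunk reports on-disk corruption as `-EIO` while these checks use `-EUCLEAN`; a brief comment stating which errno callers should expect for a corrupted tree would help. The enclosing functions start and end outside the hunks.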
-6
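--- a/fs/reiserfs/super.c
+++ b/fs/reiserfs/super.c
@@ -1435,17 +1435,12 @@
 unsigned long safe_mask = 0;
 unsigned int commit_max_age = (unsigned int)-1;
 struct reiserfs_journal *journal = SB_JOURNAL(s);
-char *new_opts;
 int err;
 char *qf_names[REISERFS_MAXQUOTAS];
 unsigned int qfmt = 0;
 #ifdef CONFIG_QUOTA
 int i;
 #endif
-
-new_opts = kstrdup(arg, GFP_KERNEL);
-if (arg && !new_opts)
-return -ENOMEM;
 
 sync_filesystem(s);
 reiserfs_write_lock(s);
@@ -1597,7 +1592,6 @@
 out_err_unlock:
 reiserfs_write_unlock(s);
 out_err:
-kfree(new_opts);
 return err;
 }
 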