Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
jfs: Fix array-index-out-of-bounds in diFree
Reported-by: syzbot+241c815bda521982cb49@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
authored by Jeongjun Park and committed by Dave Kleikamp f73f969b ce6dede9
+4
-1
fs/jfs/jfs_imap.c
+4
-1
fs/jfs/jfs_imap.c
···
290
int diRead(struct inode *ip)
291
{
292
struct jfs_sb_info *sbi = JFS_SBI(ip->i_sb);
293
-
int iagno, ino, extno, rc;
294
struct inode *ipimap;
295
struct dinode *dp;
296
struct iag *iagp;
···
339
340
/* get the ag for the iag */
341
agstart = le64_to_cpu(iagp->agstart);
342
343
release_metapage(mp);
344
345
rel_inode = (ino & (INOSPERPAGE - 1));
346
pageno = blkno >> sbi->l2nbperpage;
···
290
int diRead(struct inode *ip)
291
{
292
struct jfs_sb_info *sbi = JFS_SBI(ip->i_sb);
293
+
int iagno, ino, extno, rc, agno;
294
struct inode *ipimap;
295
struct dinode *dp;
296
struct iag *iagp;
···
339
340
/* get the ag for the iag */
341
agstart = le64_to_cpu(iagp->agstart);
342
+
agno = BLKTOAG(agstart, JFS_SBI(ip->i_sb));
343
344
release_metapage(mp);
345
+
if (agno >= MAXAG || agno < 0)
346
+
return -EIO;
347
348
rel_inode = (ino & (INOSPERPAGE - 1));
349
pageno = blkno >> sbi->l2nbperpage;