Commit cc380444 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'jfs-6.12' of github.com:kleikamp/linux-shaggy 

Pull jfs updates from David Kleikamp:
 "A few fixes for jfs"

* tag 'jfs-6.12' of github.com:kleikamp/linux-shaggy:
  jfs: Fix uninit-value access of new_ea in ea_buffer
  jfs: check if leafidx greater than num leaves per dmap tree
  jfs: Fix uaf in dbFreeBits
  jfs: fix out-of-bounds in dbNextAG() and diAlloc()
  jfs: UBSAN: shift-out-of-bounds in dbFindBits
parents 45d986d1 2b59ffad

fs/jfs/jfs_discard.c

+9 −2
Original line number Diff line number Diff line
@@ -65,7 +65,7 @@ void jfs_issue_discard(struct inode *ip, u64 blkno, u64 nblocks) 
int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range)

{

	struct inode *ipbmap = JFS_SBI(ip->i_sb)->ipbmap;

	struct bmap *bmp = JFS_SBI(ip->i_sb)->bmap;

	struct bmap *bmp;

	struct super_block *sb = ipbmap->i_sb;

	int agno, agno_end;

	u64 start, end, minlen;
@@ -83,10 +83,15 @@ int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range) 
	if (minlen == 0)

		minlen = 1;



	down_read(&sb->s_umount);

	bmp = JFS_SBI(ip->i_sb)->bmap;



	if (minlen > bmp->db_agsize ||

	    start >= bmp->db_mapsize ||

	    range->len < sb->s_blocksize)

	    range->len < sb->s_blocksize) {

		up_read(&sb->s_umount);

		return -EINVAL;

	}



	if (end >= bmp->db_mapsize)

		end = bmp->db_mapsize - 1;
@@ -100,6 +105,8 @@ int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range) 
		trimmed += dbDiscardAG(ip, agno, minlen);

		agno++;

	}



	up_read(&sb->s_umount);

	range->len = trimmed << sb->s_blocksize_bits;



	return 0;

fs/jfs/jfs_dmap.c

+7 −4
Original line number Diff line number Diff line
@@ -187,7 +187,7 @@ int dbMount(struct inode *ipbmap) 
	}



	bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);

	if (!bmp->db_numag) {

	if (!bmp->db_numag || bmp->db_numag >= MAXAG) {

		err = -EINVAL;

		goto err_release_metapage;

	}
@@ -652,7 +652,7 @@ int dbNextAG(struct inode *ipbmap) 
	 * average free space.

	 */

	for (i = 0 ; i < bmp->db_numag; i++, agpref++) {

		if (agpref == bmp->db_numag)

		if (agpref >= bmp->db_numag)

			agpref = 0;



		if (atomic_read(&bmp->db_active[agpref]))
@@ -2944,9 +2944,10 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl) 
static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl)

{

	int ti, n = 0, k, x = 0;

	int max_size;

	int max_size, max_idx;



	max_size = is_ctl ? CTLTREESIZE : TREESIZE;

	max_idx = is_ctl ? LPERCTL : LPERDMAP;



	/* first check the root of the tree to see if there is

	 * sufficient free space.
@@ -2978,6 +2979,8 @@ static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl) 
		 */

		assert(n < 4);

	}

	if (le32_to_cpu(tp->dmt_leafidx) >= max_idx)

		return -ENOSPC;



	/* set the return to the leftmost leaf describing sufficient

	 * free space.
@@ -3022,7 +3025,7 @@ static int dbFindBits(u32 word, int l2nb) 


	/* scan the word for nb free bits at nb alignments.

	 */

	for (bitno = 0; mask != 0; bitno += nb, mask >>= nb) {

	for (bitno = 0; mask != 0; bitno += nb, mask = (mask >> nb)) {

		if ((mask & word) == mask)

			break;

	}

fs/jfs/jfs_imap.c

+1 −1
Original line number Diff line number Diff line
@@ -1360,7 +1360,7 @@ int diAlloc(struct inode *pip, bool dir, struct inode *ip) 
	/* get the ag number of this iag */

	agno = BLKTOAG(JFS_IP(pip)->agstart, JFS_SBI(pip->i_sb));

	dn_numag = JFS_SBI(pip->i_sb)->bmap->db_numag;

	if (agno < 0 || agno > dn_numag)

	if (agno < 0 || agno > dn_numag || agno >= MAXAG)

		return -EIO;



	if (atomic_read(&JFS_SBI(pip->i_sb)->bmap->db_active[agno])) {

fs/jfs/xattr.c

+2 −0
Original line number Diff line number Diff line
@@ -434,6 +434,8 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size) 
	int rc;

	int quota_allocation = 0;



	memset(&ea_buf->new_ea, 0, sizeof(ea_buf->new_ea));



	/* When fsck.jfs clears a bad ea, it doesn't clear the size */

	if (ji->ea.flag == 0)

		ea_size = 0;