Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge tag 'xfs-for-linus-v3.13-rc4' of git://oss.sgi.com/xfs/xfs

Pull xfs bugfixes from Ben Myers:

 - fix for buffer overrun in agfl with growfs on v4 superblock

 - return EINVAL if requested discard length is less than a block

 - fix possible memory corruption in xfs_attrlist_by_handle()

* tag 'xfs-for-linus-v3.13-rc4' of git://oss.sgi.com/xfs/xfs:
  xfs: growfs overruns AGFL buffer on V4 filesystems
  xfs: don't perform discard if the given range length is less than block size
  xfs: underflow bug in xfs_attrlist_by_handle()
Linus Torvalds 11 years ago
parent
5cdec2d833 f94c44573e
commit
48a2f0b272
4 changed files with 12 additions and 5 deletions
Split View Show Diff Stats
  1. 3 2
      fs/xfs/xfs_discard.c
  2. 5 1
      fs/xfs/xfs_fsops.c
  3. 2 1
      fs/xfs/xfs_ioctl.c
  4. 2 1
      fs/xfs/xfs_ioctl32.c

+ 3 - 2
fs/xfs/xfs_discard.c
View File 

@@ -157,7 +157,7 @@ xfs_ioc_trim(
 
 	struct xfs_mount		*mp,
 
 	struct fstrim_range __user	*urange)
 
 {
 
-	struct request_queue	*q = mp->m_ddev_targp->bt_bdev->bd_disk->queue;
 
+	struct request_queue	*q = bdev_get_queue(mp->m_ddev_targp->bt_bdev);
 
 	unsigned int		granularity = q->limits.discard_granularity;
 
 	struct fstrim_range	range;
 
 	xfs_daddr_t		start, end, minlen;
 
@@ -180,7 +180,8 @@ xfs_ioc_trim(
 
 	 * matter as trimming blocks is an advisory interface.
 
 	 */
 
 	if (range.start >= XFS_FSB_TO_B(mp, mp->m_sb.sb_dblocks) ||
 
-	    range.minlen > XFS_FSB_TO_B(mp, XFS_ALLOC_AG_MAX_USABLE(mp)))
 
+	    range.minlen > XFS_FSB_TO_B(mp, XFS_ALLOC_AG_MAX_USABLE(mp)) ||
 
+	    range.len < mp->m_sb.sb_blocksize)
 
 		return -XFS_ERROR(EINVAL);
 
 
 	start = BTOBB(range.start);

+ 5 - 1
fs/xfs/xfs_fsops.c
View File 

@@ -220,6 +220,8 @@ xfs_growfs_data_private(
 
 	 */
 
 	nfree = 0;
 
 	for (agno = nagcount - 1; agno >= oagcount; agno--, new -= agsize) {
 
+		__be32	*agfl_bno;
 
+
 
 		/*
 
 		 * AG freespace header block
 
 		 */
 
@@ -279,8 +281,10 @@ xfs_growfs_data_private(
 
 			agfl->agfl_seqno = cpu_to_be32(agno);
 
 			uuid_copy(&agfl->agfl_uuid, &mp->m_sb.sb_uuid);
 
 		}
 
+
 
+		agfl_bno = XFS_BUF_TO_AGFL_BNO(mp, bp);
 
 		for (bucket = 0; bucket < XFS_AGFL_SIZE(mp); bucket++)
 
-			agfl->agfl_bno[bucket] = cpu_to_be32(NULLAGBLOCK);
 
+			agfl_bno[bucket] = cpu_to_be32(NULLAGBLOCK);
 
 
 		error = xfs_bwrite(bp);
 
 		xfs_buf_relse(bp);

+ 2 - 1
fs/xfs/xfs_ioctl.c
View File 

@@ -442,7 +442,8 @@ xfs_attrlist_by_handle(
 
 		return -XFS_ERROR(EPERM);
 
 	if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
 
 		return -XFS_ERROR(EFAULT);
 
-	if (al_hreq.buflen > XATTR_LIST_MAX)
 
+	if (al_hreq.buflen < sizeof(struct attrlist) ||
 
+	    al_hreq.buflen > XATTR_LIST_MAX)
 
 		return -XFS_ERROR(EINVAL);
 
 
 	/*

+ 2 - 1
fs/xfs/xfs_ioctl32.c
View File 

@@ -356,7 +356,8 @@ xfs_compat_attrlist_by_handle(
 
 	if (copy_from_user(&al_hreq, arg,
 
 			   sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
 
 		return -XFS_ERROR(EFAULT);
 
-	if (al_hreq.buflen > XATTR_LIST_MAX)
 
+	if (al_hreq.buflen < sizeof(struct attrlist) ||
 
+	    al_hreq.buflen > XATTR_LIST_MAX)
 
 		return -XFS_ERROR(EINVAL);
 
 
 	/*