Commit 503358ae fixed a division by zero, but groups_per_flex still overflows due to an oversized shift, given a large s_log_groups_per_flex like 36. (1 << 36) is undefined in C; the result may vary depending on the architecture, e.g., 16 on x86, thus bypassing the sanity check (groups_per_flex < 2).

Signed-off-by: Xi Wang <xi.wang@xxxxxxxxx>
---
 fs/ext4/super.c | 9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 3e1329e..6deaf41 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -2010,14 +2010,15 @@ static int ext4_fill_flex_info(struct super_block *sb) size_t size; int i; - sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex; - groups_per_flex = 1 << sbi->s_log_groups_per_flex; - - if (groups_per_flex < 2) { + if (sbi->s_es->s_log_groups_per_flex == 0 || + sbi->s_es->s_log_groups_per_flex >= 32) { sbi->s_log_groups_per_flex = 0; return 1; } + sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex; + groups_per_flex = 1 << sbi->s_log_groups_per_flex; + /* We allocate both existing and potentially added groups */ flex_group_count = ((sbi->s_groups_count + groups_per_flex - 1) + ((le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) + 1) <<
-- 
1.7.5.4

--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
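Review bot: the new bound `>= 32` in the replacement condition still admits `s_log_groups_per_flex == 31`, and the re-added `groups_per_flex = 1 << sbi->s_log_groups_per_flex;` then shifts the signed int literal 1 by 31, which is undefined for a 32-bit int for the same reason the commit message gives for 1 << 36; either tighten the check to `>= 31` or shift an unsigned literal (`groups_per_flex = 1U << sbi->s_log_groups_per_flex;`) so that every exponent the check now lets through yields a defined value. The `flex_group_count` arithmetic that consumes groups_per_flex is only partly visible in this hunk, so whether 2^31 groups per flex group is also too large for that expression cannot be judged from the patch; a short comment at the check stating the intended upper bound (and why 32 was chosen) would spare the next reader the same question. Minor: the on-disk `sbi->s_es->s_log_groups_per_flex` is now read three times; copying it into `sbi->s_log_groups_per_flex` once before the check, as the old code did, and testing that field (it is reset to 0 on rejection anyway) would be shorter.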
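As an added example (not the patch's code and not ext4's own), the following C models the check in ext4_fill_flex_info() before and after the fix. The pre-fix model performs the 32-bit shift with the count masked to its low five bits, which is what the x86 shl instruction does with a variable count and is how the commit message's 1 << 36 came out as 16 (a compiler is not obliged to produce that result; it is the observed behaviour being modelled, not a definition of the C expression). The function and parameter names, and the use of unsigned 32-bit values for groups_per_flex, are assumptions; the on-disk exponent is modelled as a uint8_t.

```c
/*
 * Added example, not code from the patch or from fs/ext4: models the
 * groups_per_flex sanity check before and after the fix.  Names and
 * types are assumed; the real code reads struct ext4_super_block.
 */
#include <stdint.h>
#include <stdio.h>

/*
 * x86 masks the count of a 32-bit shift to its low 5 bits, so a shift by
 * 36 behaves like a shift by 4.  Writing 1 << 36 in C is undefined; this
 * helper spells out the hardware behaviour the commit message observed
 * instead of relying on it.
 */
static uint32_t x86_shl32(uint32_t value, unsigned count)
{
    return value << (count & 31);
}

/*
 * Pre-fix logic: shift first, then require groups_per_flex >= 2.
 * Returns groups_per_flex, or 0 when the check rejects the value
 * (the kernel disables flex_bg and returns 1 in that case).
 */
static uint32_t groups_per_flex_old(uint8_t log_groups_per_flex)
{
    uint32_t groups_per_flex = x86_shl32(1, log_groups_per_flex);

    if (groups_per_flex < 2)
        return 0;       /* rejected: 1 << 0 == 1, or a masked count hit 0 */
    return groups_per_flex;
}

/*
 * Post-fix logic: bound the exponent before shifting, so the shift is
 * never evaluated with an oversized count.  The 1U literal keeps the
 * 31 case defined as well; the patch itself shifts the int literal 1,
 * which is why 31 still deserves a look in review.
 */
static uint32_t groups_per_flex_new(uint8_t log_groups_per_flex)
{
    if (log_groups_per_flex == 0 || log_groups_per_flex >= 32)
        return 0;       /* rejected: flex_bg disabled, as in the patch */
    return 1U << log_groups_per_flex;
}

int main(void)
{
    /* Constructed sample exponents, including the 36 from the report. */
    static const uint8_t samples[] = { 0, 4, 31, 32, 36, 255 };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("log=%3u  old=%10u  new=%10u\n", samples[i],
               groups_per_flex_old(samples[i]),
               groups_per_flex_new(samples[i]));
    return 0;
}
```

With an exponent of 36 the old path yields 16, which is at least 2 and therefore passes, while the new path rejects it outright; an exponent of 32 is masked to 0 on the old path and only rejected by luck, which is the point of checking the exponent rather than the shifted result.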