On Fri, Nov 22, 2019 at 09:53:20AM +0100, Carlos Maiolino wrote:
> FIBMAP receives an integer from userspace which is then implicitly converted
> into sector_t to be passed to bmap(). No check is made to ensure userspace
> didn't send a negative block number, which can end up in an underflow, and
> returning to userspace a corrupted block address.
>
> As a side-effect, the underflow caused by a negative block here, will
> trigger the WARN() in iomap_bmap_actor(), which is how this issue was
> first discovered.
>
> This is essentially a V2 of a patch I sent a while ago, reworded and
> refactored to fit into this patchset.

That last sentence should probably be removed.

Otherwise:

Reviewed-by: Christoph Hellwig <hch@xxxxxx>
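
An added example, not part of the thread or of the kernel patch under review: a userspace C model of the conversion the commit message describes, with the unchecked path beside one that rejects negative input. `sector_t` as a 64-bit unsigned type, the toy `model_bmap()` mapping, the function names and the `-EINVAL` return are all assumptions of this sketch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model only; every name below is hypothetical, not kernel code. */
typedef uint64_t sector_t;      /* assumption: 64-bit unsigned block number */

#define MODEL_NBLOCKS 8u        /* constructed: the file has 8 logical blocks */
#define MODEL_BASE    1000u     /* constructed: first physical block */

/* Toy mapping: logical block -> physical block, 0 means "no mapping". */
static sector_t model_bmap(sector_t lblock)
{
    return lblock < MODEL_NBLOCKS ? MODEL_BASE + lblock : 0;
}

/* Block number the mapping layer is asked for when the userspace int
 * is converted without a sign check. */
sector_t fibmap_requested_unchecked(int ublock)
{
    return (sector_t)ublock;    /* -1 wraps to 0xffffffffffffffff */
}

/* Checked variant: reject a negative block before any conversion.
 * Returning -EINVAL is this sketch's choice. */
int fibmap_checked(int ublock, sector_t *out)
{
    if (ublock < 0)
        return -EINVAL;
    *out = model_bmap((sector_t)ublock);
    return 0;
}

int main(void)
{
    sector_t phys = 0;

    printf("unchecked request for -1: %#llx\n",
           (unsigned long long)fibmap_requested_unchecked(-1));
    printf("checked -1 -> %d\n", fibmap_checked(-1, &phys));
    if (fibmap_checked(3, &phys) == 0)
        printf("checked 3 -> %llu\n", (unsigned long long)phys);
    return 0;
}
```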