The patch titled Subject: bfs: additional sanity checking in bfs_fill_super() has been removed from the -mm tree. Its filename was bfs-additional-sanity-checking-in-bfs_fill_super.patch This patch was dropped because an updated version will be merged ------------------------------------------------------ From: Tigran Aivazian <aivazian.tigran@xxxxxxxxx> Subject: bfs: additional sanity checking in bfs_fill_super() Strengthen bfs_fill_super() against artificially (or, highly unlikely, naturally) corrupted BFS filesystem by checking the values of bfs_sb->s_start and s_fs_info->si_lasti to be in their valid ranges. Signed-off-by: Tigran Aivazian <aivazian.tigran@xxxxxxxxx> Reported-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- fs/bfs/inode.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) --- a/fs/bfs/inode.c~bfs-additional-sanity-checking-in-bfs_fill_super +++ a/fs/bfs/inode.c @@ -351,7 +351,7 @@ static int bfs_fill_super(struct super_b s->s_magic = BFS_MAGIC; if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end) || - le32_to_cpu(bfs_sb->s_start) < BFS_BSIZE) { + le32_to_cpu(bfs_sb->s_start) < sizeof(struct bfs_super_block) + sizeof(struct bfs_dirent)) { printf("Superblock is corrupted\n"); goto out1; } @@ -359,7 +359,12 @@ static int bfs_fill_super(struct super_b info->si_lasti = (le32_to_cpu(bfs_sb->s_start) - BFS_BSIZE) / sizeof(struct bfs_inode) + BFS_ROOT_INO - 1; - imap_len = (info->si_lasti / 8) + 1; + if (info->si_lasti > 513) { /* Hardcoded: BFS can have up to 512 maximum number of inodes */ + printf("Impossible number of inodes %lu\n", info->si_lasti); + goto out1; + } + imap_len = round_up((info->si_lasti) / 8, + sizeof(unsigned long)) + sizeof(unsigned long); info->si_imap = kzalloc(imap_len, GFP_KERNEL | __GFP_NOWARN); if (!info->si_imap) { printf("Cannot allocate %u bytes\n", imap_len); _ Patches currently in -mm which might be from aivazian.tigran@xxxxxxxxx are
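Review bot: the new lower bound on s_start in the first hunk (@@ -351,7 +351,7 @@) is built from sizeof(struct bfs_super_block) + sizeof(struct bfs_dirent), but the calculation that consumes s_start a few lines later is written in terms of BFS_BSIZE and sizeof(struct bfs_inode): "(le32_to_cpu(bfs_sb->s_start) - BFS_BSIZE) / sizeof(struct bfs_inode) + BFS_ROOT_INO - 1". The check only protects that subtraction from wrapping if the sum is guaranteed to be at least BFS_BSIZE, and nothing in the hunk states or enforces that. Consider expressing the bound in the same terms as the consumer (for example BFS_BSIZE plus the size of the smallest valid inode area), or add a comment explaining why a dirent size is the right minimum here. The replacement line is also well past 80 columns and should be wrapped like the condition above it.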
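Review bot: in the second hunk (@@ -359,7 +359,12 @@) the limit "if (info->si_lasti > 513)" disagrees with its own comment, which says BFS can have up to 512 inodes, and the hunk does not explain where the extra one comes from. If the offset is due to inode numbering starting at BFS_ROOT_INO, define a named constant for the maximum inode count and write the limit in terms of it and BFS_ROOT_INO so the relationship is visible and the magic number disappears. The new imap_len expression also deserves a comment: it rounds si_lasti / 8 up to a multiple of sizeof(unsigned long) and then adds a further unsigned long, and the reason for that padding (presumably so the bitmap helpers never read past the allocation) is not stated. BITS_TO_LONGS(info->si_lasti + 1) * sizeof(unsigned long) would express a long-aligned bitmap size directly. Finally, please confirm that the format specifiers in the two printf() calls match the declared types of info->si_lasti (%lu) and imap_len (%u), since neither declaration is visible in this hunk.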