The patch titled
Subject: nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
has been removed from the -mm tree. Its filename was
nilfs2-avoid-overflowing-segment-numbers-in-nilfs_ioctl_clean_segments.patch
This patch was dropped because it was merged into mainline or a subsystem tree
The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/
------------------------------------------------------
From: Xi Wang <xi.wang@xxxxxxxxx>
Subject: nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()
nsegs is read from userspace. Limit its value and avoid overflowing nsegs
* sizeof(__u64) in the subsequent call to memdup_user().
This patch complements 481fe17e973fb9 ("nilfs2: potential integer overflow
in nilfs_ioctl_clean_segments()").
Signed-off-by: Xi Wang <xi.wang@xxxxxxxxx>
Cc: Haogang Chen <haogangchen@xxxxxxxxx>
Acked-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
fs/nilfs2/ioctl.c | 2 ++
1 file changed, 2 insertions(+)
diff -puN fs/nilfs2/ioctl.c~nilfs2-avoid-overflowing-segment-numbers-in-nilfs_ioctl_clean_segments fs/nilfs2/ioctl.c
--- a/fs/nilfs2/ioctl.c~nilfs2-avoid-overflowing-segment-numbers-in-nilfs_ioctl_clean_segments
+++ a/fs/nilfs2/ioctl.c
@@ -603,6 +603,8 @@ static int nilfs_ioctl_clean_segments(st
nsegs = argv[4].v_nmembs;
if (argv[4].v_size != argsz[4])
goto out;
+ if (nsegs > UINT_MAX / sizeof(__u64))
+ goto out;
/*
* argv[4] points to segment numbers this ioctl cleans. We
_
Patches currently in -mm which might be from xi.wang@xxxxxxxxx are
origin.patch
linux-next.patch
--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
