On Thu, Aug 15, 2013 at 09:37:06AM -0500, Ben Myers wrote: > Hey Dan & Jeff, > > On Thu, Aug 15, 2013 at 06:10:43PM +0800, Jeff Liu wrote: > > On 08/15/2013 01:53 PM, Dan Carpenter wrote: > > > > > The "di_size" variable comes from the disk and it's a signed 64 bit. > > > We check the upper limit but we should check for negative numbers as > > > well. > > > > > > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > > > > > > diff --git a/fs/xfs/xfs_inode_fork.c b/fs/xfs/xfs_inode_fork.c > > > index 123971b..849fc70 100644 > > > --- a/fs/xfs/xfs_inode_fork.c > > > +++ b/fs/xfs/xfs_inode_fork.c > > > @@ -167,7 +167,8 @@ xfs_iformat_fork( > > > } > > > > > > di_size = be64_to_cpu(dip->di_size); > > > - if (unlikely(di_size > XFS_DFORK_DSIZE(dip, ip->i_mount))) { > > > + if (unlikely(di_size < 0 || > > > > But the di_size is initialized to ZERO while allocating a new inode on disk. > > I wonder if that is better to ASSERT in this case because the current check > > is used to make sure that the item is inlined, or we don't need it at all. > > Hmm. Dan's additional check looks good to me. In this case I'd say the forced > shutdown is more appropriate than an assert, because here we're reading the > inode from disk, as opposed to looking at a structure that is already incore > which we think we've initialized. We want to handle unexpected inputs from > disk without crashing even if we are CONFIG_XFS_DEBUG. There are lots of places where we only check di_size to be greater than some value, and don't check for it being less than zero. Hence I think that a better solution might be to di_size unsigned as that will catch "negative" sizes for all types of situations. We've got the same problem in the userspace code as well and so treating the size as unsigned will stop such validation problems everywhere.... Cheers, Dave. -- Dave Chinner david@xxxxxxxxxxxxx _______________________________________________ xfs mailing list xfs@xxxxxxxxxxx http://oss.sgi.com/mailman/listinfo/xfs