* [PATCH 0/4] OMFS fixes
@ 2015-05-18 11:34 Bob Copeland
2015-05-18 11:34 ` [PATCH 1/4] fs, omfs: add NULL terminator in the end up the token list Bob Copeland
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Bob Copeland @ 2015-05-18 11:34 UTC (permalink / raw)
To: akpm; +Cc: linux-fsdevel, Bob Copeland
Hi all, this patchset includes fixes for omfs, three by me and
one by Sasha Levin that hasn't been picked up elsewhere. 1 and 3
fix quite nasty crashes. Andrew, you have taken omfs patches
through your tree before, mind taking these?
Bob Copeland (3):
omfs: set error return when d_make_root() fails
omfs: fix sign confusion for bitmap loop counter
omfs: fix potential integer overflow in allocator
Sasha Levin (1):
fs, omfs: add NULL terminator in the end up the token list
fs/omfs/bitmap.c | 2 +-
fs/omfs/inode.c | 10 +++++++---
2 files changed, 8 insertions(+), 4 deletions(-)
--
2.1.4
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 1/4] fs, omfs: add NULL terminator in the end up the token list
2015-05-18 11:34 [PATCH 0/4] OMFS fixes Bob Copeland
@ 2015-05-18 11:34 ` Bob Copeland
2015-05-18 11:34 ` [PATCH 2/4] omfs: set error return when d_make_root() fails Bob Copeland
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Bob Copeland @ 2015-05-18 11:34 UTC (permalink / raw)
To: akpm; +Cc: linux-fsdevel, Sasha Levin, stable, Bob Copeland
From: Sasha Levin <sasha.levin@oracle.com>
match_token() expects a NULL terminator at the end of the token list so that
it would know where to stop. Not having one causes it to overrun to invalid
memory.
In practice, passing a mount option that omfs didn't recognize would sometimes
panic the system.
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
---
fs/omfs/inode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/omfs/inode.c b/fs/omfs/inode.c
index 138321b0c6c2..70d4191cf33d 100644
--- a/fs/omfs/inode.c
+++ b/fs/omfs/inode.c
@@ -359,7 +359,7 @@ nomem:
}
enum {
- Opt_uid, Opt_gid, Opt_umask, Opt_dmask, Opt_fmask
+ Opt_uid, Opt_gid, Opt_umask, Opt_dmask, Opt_fmask, Opt_err
};
static const match_table_t tokens = {
@@ -368,6 +368,7 @@ static const match_table_t tokens = {
{Opt_umask, "umask=%o"},
{Opt_dmask, "dmask=%o"},
{Opt_fmask, "fmask=%o"},
+ {Opt_err, NULL},
};
static int parse_options(char *options, struct omfs_sb_info *sbi)
--
2.1.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 2/4] omfs: set error return when d_make_root() fails
2015-05-18 11:34 [PATCH 0/4] OMFS fixes Bob Copeland
2015-05-18 11:34 ` [PATCH 1/4] fs, omfs: add NULL terminator in the end up the token list Bob Copeland
@ 2015-05-18 11:34 ` Bob Copeland
2015-05-18 11:34 ` [PATCH 3/4] omfs: fix sign confusion for bitmap loop counter Bob Copeland
2015-05-18 11:34 ` [PATCH 4/4] omfs: fix potential integer overflow in allocator Bob Copeland
3 siblings, 0 replies; 5+ messages in thread
From: Bob Copeland @ 2015-05-18 11:34 UTC (permalink / raw)
To: akpm; +Cc: linux-fsdevel, Bob Copeland
A static checker found the following issue in the error path for
omfs_fill_super:
fs/omfs/inode.c:552 omfs_fill_super()
warn: missing error code here? 'd_make_root()' failed. 'ret' = '0'
Fix by returning -ENOMEM in this case.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
---
fs/omfs/inode.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/omfs/inode.c b/fs/omfs/inode.c
index 70d4191cf33d..6ce542c11f98 100644
--- a/fs/omfs/inode.c
+++ b/fs/omfs/inode.c
@@ -549,8 +549,10 @@ static int omfs_fill_super(struct super_block *sb, void *data, int silent)
}
sb->s_root = d_make_root(root);
- if (!sb->s_root)
+ if (!sb->s_root) {
+ ret = -ENOMEM;
goto out_brelse_bh2;
+ }
printk(KERN_DEBUG "omfs: Mounted volume %s\n", omfs_rb->r_name);
ret = 0;
--
2.1.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 3/4] omfs: fix sign confusion for bitmap loop counter
2015-05-18 11:34 [PATCH 0/4] OMFS fixes Bob Copeland
2015-05-18 11:34 ` [PATCH 1/4] fs, omfs: add NULL terminator in the end up the token list Bob Copeland
2015-05-18 11:34 ` [PATCH 2/4] omfs: set error return when d_make_root() fails Bob Copeland
@ 2015-05-18 11:34 ` Bob Copeland
2015-05-18 11:34 ` [PATCH 4/4] omfs: fix potential integer overflow in allocator Bob Copeland
3 siblings, 0 replies; 5+ messages in thread
From: Bob Copeland @ 2015-05-18 11:34 UTC (permalink / raw)
To: akpm; +Cc: linux-fsdevel, Bob Copeland, stable
The count variable is used to iterate down to (below) zero from the
size of the bitmap and handle the one-filling the remainder of the
last partial bitmap block. The loop conditional expects count to
be signed in order to detect when the final block is processed, after
which count goes negative.
Unfortunately, a recent change made this unsigned along with some other
related fields. The result of is this is that during mount,
omfs_get_imap will overrun the bitmap array and corrupt memory unless
number of blocks happens to be a multiple of 8 * blocksize.
Fix by changing count back to signed: it is guaranteed to fit in an s32
without overflow due to an enforced limit on the number of blocks in the
filesystem.
Cc: stable@vger.kernel.org
Signed-off-by: Bob Copeland <me@bobcopeland.com>
---
fs/omfs/inode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/omfs/inode.c b/fs/omfs/inode.c
index 6ce542c11f98..3d935c81789a 100644
--- a/fs/omfs/inode.c
+++ b/fs/omfs/inode.c
@@ -306,7 +306,8 @@ static const struct super_operations omfs_sops = {
*/
static int omfs_get_imap(struct super_block *sb)
{
- unsigned int bitmap_size, count, array_size;
+ unsigned int bitmap_size, array_size;
+ int count;
struct omfs_sb_info *sbi = OMFS_SB(sb);
struct buffer_head *bh;
unsigned long **ptr;
--
2.1.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 4/4] omfs: fix potential integer overflow in allocator
2015-05-18 11:34 [PATCH 0/4] OMFS fixes Bob Copeland
` (2 preceding siblings ...)
2015-05-18 11:34 ` [PATCH 3/4] omfs: fix sign confusion for bitmap loop counter Bob Copeland
@ 2015-05-18 11:34 ` Bob Copeland
3 siblings, 0 replies; 5+ messages in thread
From: Bob Copeland @ 2015-05-18 11:34 UTC (permalink / raw)
To: akpm; +Cc: linux-fsdevel, Bob Copeland
Both 'i' and 'bits_per_entry' are signed integers but the result
is a u64 block number. Cast i to u64 to avoid truncation on
32-bit targets.
Found by Coverity (CID 200679).
Signed-off-by: Bob Copeland <me@bobcopeland.com>
---
fs/omfs/bitmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/omfs/bitmap.c b/fs/omfs/bitmap.c
index 082234581d05..83f4e76511c2 100644
--- a/fs/omfs/bitmap.c
+++ b/fs/omfs/bitmap.c
@@ -159,7 +159,7 @@ int omfs_allocate_range(struct super_block *sb,
goto out;
found:
- *return_block = i * bits_per_entry + bit;
+ *return_block = (u64) i * bits_per_entry + bit;
*return_size = run;
ret = set_run(sb, i, bits_per_entry, bit, run, 1);
--
2.1.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2015-05-18 11:37 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-05-18 11:34 [PATCH 0/4] OMFS fixes Bob Copeland
2015-05-18 11:34 ` [PATCH 1/4] fs, omfs: add NULL terminator in the end up the token list Bob Copeland
2015-05-18 11:34 ` [PATCH 2/4] omfs: set error return when d_make_root() fails Bob Copeland
2015-05-18 11:34 ` [PATCH 3/4] omfs: fix sign confusion for bitmap loop counter Bob Copeland
2015-05-18 11:34 ` [PATCH 4/4] omfs: fix potential integer overflow in allocator Bob Copeland
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).