Commit 80eb68d23897126e7f25e2b3689bc27fb8cdde17

Authored by Lepton Wu
Committed by Linus Torvalds
1 parent a6cd6bf9f8

reiserfs: fix kernel panic on corrupted directory

When reading corrupted reiserfs directory data, d_reclen could be a
negative number or a large positive number, which can lead to a kernel
panic or oops.  The following patch adds a sanity check.

Signed-off-by: Lepton Wu <ytht.net@gmail.com>
Cc: Chris Mason <chris.mason@oracle.com>
Cc: Jeff Mahoney <jeffm@suse.com>
Cc: "Vladimir V. Saveliev" <vs@namesys.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Showing 1 changed file with 10 additions and 0 deletions Inline Diff

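--- a/fs/reiserfs/dir.c
+++ b/fs/reiserfs/dir.c
@@ -1,293 +1,303 @@
 /*
 * Copyright 2000 by Hans Reiser, licensing governed by reiserfs/README
 */
 
 #include <linux/string.h>
 #include <linux/errno.h>
 #include <linux/fs.h>
 #include <linux/reiserfs_fs.h>
 #include <linux/stat.h>
 #include <linux/buffer_head.h>
 #include <asm/uaccess.h>
 
 extern const struct reiserfs_key MIN_KEY;
 
 static int reiserfs_readdir(struct file *, void *, filldir_t);
 static int reiserfs_dir_fsync(struct file *filp, struct dentry *dentry,
 int datasync);
 
 const struct file_operations reiserfs_dir_operations = {
 .read = generic_read_dir,
 .readdir = reiserfs_readdir,
 .fsync = reiserfs_dir_fsync,
 .ioctl = reiserfs_ioctl,
 #ifdef CONFIG_COMPAT
 .compat_ioctl = reiserfs_compat_ioctl,
 #endif
 };
 
 static int reiserfs_dir_fsync(struct file *filp, struct dentry *dentry,
 int datasync)
 {
 struct inode *inode = dentry->d_inode;
 int err;
 reiserfs_write_lock(inode->i_sb);
 err = reiserfs_commit_for_inode(inode);
 reiserfs_write_unlock(inode->i_sb);
 if (err < 0)
 return err;
 return 0;
 }
 
 #define store_ih(where,what) copy_item_head (where, what)
 
 //
 static int reiserfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
 {
 struct inode *inode = filp->f_path.dentry->d_inode;
 struct cpu_key pos_key; /* key of current position in the directory (key of directory entry) */
 INITIALIZE_PATH(path_to_entry);
 struct buffer_head *bh;
 int item_num, entry_num;
 const struct reiserfs_key *rkey;
 struct item_head *ih, tmp_ih;
 int search_res;
 char *local_buf;
 loff_t next_pos;
 char small_buf[32]; /* avoid kmalloc if we can */
 struct reiserfs_dir_entry de;
 int ret = 0;
 
 reiserfs_write_lock(inode->i_sb);
 
 reiserfs_check_lock_depth(inode->i_sb, "readdir");
 
 /* form key for search the next directory entry using f_pos field of
 file structure */
 make_cpu_key(&pos_key, inode,
 (filp->f_pos) ? (filp->f_pos) : DOT_OFFSET, TYPE_DIRENTRY,
 3);
 next_pos = cpu_key_k_offset(&pos_key);
 
 /* reiserfs_warning (inode->i_sb, "reiserfs_readdir 1: f_pos = %Ld", filp->f_pos); */
 
 path_to_entry.reada = PATH_READA;
 while (1) {
 research:
 /* search the directory item, containing entry with specified key */
 search_res =
 search_by_entry_key(inode->i_sb, &pos_key, &path_to_entry,
 &de);
 if (search_res == IO_ERROR) {
 // FIXME: we could just skip part of directory which could
 // not be read
 ret = -EIO;
 goto out;
 }
 entry_num = de.de_entry_num;
 bh = de.de_bh;
 item_num = de.de_item_num;
 ih = de.de_ih;
 store_ih(&tmp_ih, ih);
 
 /* we must have found item, that is item of this directory, */
 RFALSE(COMP_SHORT_KEYS(&(ih->ih_key), &pos_key),
 "vs-9000: found item %h does not match to dir we readdir %K",
 ih, &pos_key);
 RFALSE(item_num > B_NR_ITEMS(bh) - 1,
 "vs-9005 item_num == %d, item amount == %d",
 item_num, B_NR_ITEMS(bh));
 
 /* and entry must be not more than number of entries in the item */
 RFALSE(I_ENTRY_COUNT(ih) < entry_num,
 "vs-9010: entry number is too big %d (%d)",
 entry_num, I_ENTRY_COUNT(ih));
 
 if (search_res == POSITION_FOUND
 || entry_num < I_ENTRY_COUNT(ih)) {
 /* go through all entries in the directory item beginning from the entry, that has been found */
 struct reiserfs_de_head *deh =
 B_I_DEH(bh, ih) + entry_num;
 
 for (; entry_num < I_ENTRY_COUNT(ih);
 entry_num++, deh++) {
 int d_reclen;
 char *d_name;
 off_t d_off;
 ino_t d_ino;
 
 if (!de_visible(deh))
 /* it is hidden entry */
 continue;
 d_reclen = entry_length(bh, ih, entry_num);
 d_name = B_I_DEH_ENTRY_FILE_NAME(bh, ih, deh);
+
+if (d_reclen <= 0 ||
+d_name + d_reclen > bh->b_data + bh->b_size) {
+/* There is corrupted data in entry,
+* We'd better stop here */
+pathrelse(&path_to_entry);
+ret = -EIO;
+goto out;
+}
+
 if (!d_name[d_reclen - 1])
 d_reclen = strlen(d_name);
 
 if (d_reclen >
 REISERFS_MAX_NAME(inode->i_sb->
 s_blocksize)) {
 /* too big to send back to VFS */
 continue;
 }
 
 /* Ignore the .reiserfs_priv entry */
 if (reiserfs_xattrs(inode->i_sb) &&
 !old_format_only(inode->i_sb) &&
 filp->f_path.dentry == inode->i_sb->s_root &&
 REISERFS_SB(inode->i_sb)->priv_root &&
 REISERFS_SB(inode->i_sb)->priv_root->d_inode
 && deh_objectid(deh) ==
 le32_to_cpu(INODE_PKEY
 (REISERFS_SB(inode->i_sb)->
 priv_root->d_inode)->
 k_objectid)) {
 continue;
 }
 
 d_off = deh_offset(deh);
 filp->f_pos = d_off;
 d_ino = deh_objectid(deh);
 if (d_reclen <= 32) {
 local_buf = small_buf;
 } else {
 local_buf = kmalloc(d_reclen,
 GFP_NOFS);
 if (!local_buf) {
 pathrelse(&path_to_entry);
 ret = -ENOMEM;
 goto out;
 }
 if (item_moved(&tmp_ih, &path_to_entry)) {
 kfree(local_buf);
 goto research;
 }
 }
 // Note, that we copy name to user space via temporary
 // buffer (local_buf) because filldir will block if
 // user space buffer is swapped out. At that time
 // entry can move to somewhere else
 memcpy(local_buf, d_name, d_reclen);
 if (filldir
 (dirent, local_buf, d_reclen, d_off, d_ino,
 DT_UNKNOWN) < 0) {
 if (local_buf != small_buf) {
 kfree(local_buf);
 }
 goto end;
 }
 if (local_buf != small_buf) {
 kfree(local_buf);
 }
 // next entry should be looked for with such offset
 next_pos = deh_offset(deh) + 1;
 
 if (item_moved(&tmp_ih, &path_to_entry)) {
 goto research;
 }
 } /* for */
 }
 
 if (item_num != B_NR_ITEMS(bh) - 1)
 // end of directory has been reached
 goto end;
 
 /* item we went through is last item of node. Using right
 delimiting key check is it directory end */
 rkey = get_rkey(&path_to_entry, inode->i_sb);
 if (!comp_le_keys(rkey, &MIN_KEY)) {
 /* set pos_key to key, that is the smallest and greater
 that key of the last entry in the item */
 set_cpu_key_k_offset(&pos_key, next_pos);
 continue;
 }
 
 if (COMP_SHORT_KEYS(rkey, &pos_key)) {
 // end of directory has been reached
 goto end;
 }
 
 /* directory continues in the right neighboring block */
 set_cpu_key_k_offset(&pos_key,
 le_key_k_offset(KEY_FORMAT_3_5, rkey));
 
 } /* while */
 
 end:
 filp->f_pos = next_pos;
 pathrelse(&path_to_entry);
 reiserfs_check_path(&path_to_entry);
 out:
 reiserfs_write_unlock(inode->i_sb);
 return ret;
 }
 
 /* compose directory item containing "." and ".." entries (entries are
 not aligned to 4 byte boundary) */
 /* the last four params are LE */
 void make_empty_dir_item_v1(char *body, __le32 dirid, __le32 objid,
 __le32 par_dirid, __le32 par_objid)
 {
 struct reiserfs_de_head *deh;
 
 memset(body, 0, EMPTY_DIR_SIZE_V1);
 deh = (struct reiserfs_de_head *)body;
 
 /* direntry header of "." */
 put_deh_offset(&(deh[0]), DOT_OFFSET);
 /* these two are from make_le_item_head, and are are LE */
 deh[0].deh_dir_id = dirid;
 deh[0].deh_objectid = objid;
 deh[0].deh_state = 0; /* Endian safe if 0 */
 put_deh_location(&(deh[0]), EMPTY_DIR_SIZE_V1 - strlen("."));
 mark_de_visible(&(deh[0]));
 
 /* direntry header of ".." */
 put_deh_offset(&(deh[1]), DOT_DOT_OFFSET);
 /* key of ".." for the root directory */
 /* these two are from the inode, and are are LE */
 deh[1].deh_dir_id = par_dirid;
 deh[1].deh_objectid = par_objid;
 deh[1].deh_state = 0; /* Endian safe if 0 */
 put_deh_location(&(deh[1]), deh_location(&(deh[0])) - strlen(".."));
 mark_de_visible(&(deh[1]));
 
 /* copy ".." and "." */
 memcpy(body + deh_location(&(deh[0])), ".", 1);
 memcpy(body + deh_location(&(deh[1])), "..", 2);
 }
 
 /* compose directory item containing "." and ".." entries */
 void make_empty_dir_item(char *body, __le32 dirid, __le32 objid,
 __le32 par_dirid, __le32 par_objid)
 {
 struct reiserfs_de_head *deh;
 
 memset(body, 0, EMPTY_DIR_SIZE);
 deh = (struct reiserfs_de_head *)body;
 
 /* direntry header of "." */
 put_deh_offset(&(deh[0]), DOT_OFFSET);
 /* these two are from make_le_item_head, and are are LE */
 deh[0].deh_dir_id = dirid;
 deh[0].deh_objectid = objid;
 deh[0].deh_state = 0; /* Endian safe if 0 */
 put_deh_location(&(deh[0]), EMPTY_DIR_SIZE - ROUND_UP(strlen(".")));
 mark_de_visible(&(deh[0]));
 
 /* direntry header of ".." */
 put_deh_offset(&(deh[1]), DOT_DOT_OFFSET);
 /* key of ".." for the root directory */
 /* these two are from the inode, and are are LE */
 deh[1].deh_dir_id = par_dirid;
 deh[1].deh_objectid = par_objid;
 deh[1].deh_state = 0; /* Endian safe if 0 */
 put_deh_location(&(deh[1]),
 deh_location(&(deh[0])) - ROUND_UP(strlen("..")));
 mark_de_visible(&(deh[1]));
 
 /* copy ".." and "." */
 memcpy(body + deh_location(&(deh[0])), ".", 1);
 memcpy(body + deh_location(&(deh[1])), "..", 2);
 }
 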
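Review bot: The new check at new lines 125-126 bounds the name against the end of the whole block (`bh->b_data + bh->b_size`) rather than the end of the directory item it belongs to, so a corrupted `deh_location` that lands past the item but still inside the leaf no longer oopses, yet `memcpy(local_buf, d_name, d_reclen)` and `filldir` then hand userspace bytes from whatever other items share that leaf — an information leak from unrelated directories or files on the same volume. Tightening the second condition to the item, e.g. `d_name + d_reclen > B_I_PITEM(bh, ih) + ih_item_len(ih)` (assuming those are the item-body and item-length helpers used elsewhere in reiserfs), closes that gap, and no lower bound is needed if, as I believe, `deh_location` is an unsigned offset from the item body. The rejection is also silent: the `-EIO` tells the administrator nothing about on-disk corruption, so a `reiserfs_warning(inode->i_sb, "reiserfs_readdir: corrupted entry %d in item %d", entry_num, item_num);` before the `pathrelse` (same form as the commented-out call earlier in this function) would match how the rest of the filesystem reports such damage.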