| Message ID | 156685613618.2853532.3571584792178437139.stgit@magnolia (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | xfs: fixes for 5.4 | expand |
On Mon, Aug 26, 2019 at 02:48:56PM -0700, Darrick J. Wong wrote: > From: Darrick J. Wong <darrick.wong@oracle.com> > > In xfs_ialloc_setup_geometry, it's possible for a malicious/corrupt fs > image to set an unreasonably large value for sb_inopblog which will > cause ialloc_blks to be zero. If sb_imax_pct is also set, this results > in a division by zero error in the second do_div call. Therefore, force > maxicount to zero if ialloc_blks is zero. > > Note that the kernel metadata verifiers will catch the garbage inopblog > value and abort the fs mount long before it tries to set up the inode > geometry; this is needed to avoid a crash in xfs_db while setting up the > xfs_mount structure. > > Found by fuzzing sb_inopblog to 122 in xfs/350. Harmless for the kernel, makes sense for shared code. Reviewed-by: Dave Chinner <dchinner@redhat.com>
diff --git a/fs/xfs/libxfs/xfs_ialloc.c b/fs/xfs/libxfs/xfs_ialloc.c index 04377ab75863..aa190a502326 100644 --- a/fs/xfs/libxfs/xfs_ialloc.c +++ b/fs/xfs/libxfs/xfs_ialloc.c @@ -2788,7 +2788,7 @@ xfs_ialloc_setup_geometry( inodes); /* Set the maximum inode count for this filesystem. */ - if (sbp->sb_imax_pct) { + if (sbp->sb_imax_pct && igeo->ialloc_blks) { /* * Make sure the maximum inode count is a multiple * of the units we allocate inodes in.