From patchwork Sun Jun 28 06:08:40 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11629919 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EC23F138C for ; Sun, 28 Jun 2020 06:10:52 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id BFBA42076C for ; Sun, 28 Jun 2020 06:10:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1593324652; bh=zRFRnZHsu8UqKgRipuT2ilTa85dm6dD+2rTnXyb6J/I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=rW9NhhIr6nq3s3Aqmdet6HZRwTaGXGUZ5zYG4jxRTFORKY2EUk//Arr1weK9xgID2 TN2XCetibd9SXNRv4TD1cNGb7dhstpHMU5mwCkufVW2pDyGNFXnWxHd+Hhmm1VPupu 61qFVbA0S22t/SPo8S3HMjYYt1UF3GpEoDch7OBo= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726079AbgF1GKg (ORCPT ); Sun, 28 Jun 2020 02:10:36 -0400 Received: from mail.kernel.org ([198.145.29.99]:41966 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725933AbgF1GKf (ORCPT ); Sun, 28 Jun 2020 02:10:35 -0400 Received: from sol.hsd1.ca.comcast.net (c-107-3-166-239.hsd1.ca.comcast.net [107.3.166.239]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6CD5F2070A; Sun, 28 Jun 2020 06:10:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1593324634; bh=zRFRnZHsu8UqKgRipuT2ilTa85dm6dD+2rTnXyb6J/I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IhPGksD6L55r+If240YgFFLbucUtAzcblC42feZjzCgBSuYQQghPP7TKTErsMy/c/ zkanAXQ9DltLswIK0Fbm/iXN46gIb2uy5KWTvp3Lc4ihLuvGmB219OY7jlnW1TjQGq 43BtsGf8QPG/F9nHU3LbCSUEjKXR2fFrrqvrmic8= From: Eric Biggers To: linux-fsdevel@vger.kernel.org, Alexander Viro , Andrew Morton Cc: linux-kernel@vger.kernel.org, Qiujun Huang , stable@vger.kernel.org, syzbot+4a88b2b9dc280f47baf4@syzkaller.appspotmail.com Subject: [PATCH 1/6] fs/minix: check return value of sb_getblk() Date: Sat, 27 Jun 2020 23:08:40 -0700 Message-Id: <20200628060846.682158-2-ebiggers@kernel.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200628060846.682158-1-ebiggers@kernel.org> References: <20200628060846.682158-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org From: Eric Biggers sb_getblk() can fail, so check its return value. This fixes a NULL pointer dereference. Reported-by: syzbot+4a88b2b9dc280f47baf4@syzkaller.appspotmail.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Originally-from: Qiujun Huang Signed-off-by: Eric Biggers signed-off-by:? --- fs/minix/itree_common.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/minix/itree_common.c b/fs/minix/itree_common.c index 043c3fdbc8e7..446148792f41 100644 --- a/fs/minix/itree_common.c +++ b/fs/minix/itree_common.c @@ -75,6 +75,7 @@ static int alloc_branch(struct inode *inode, int n = 0; int i; int parent = minix_new_block(inode); + int err = -ENOSPC; branch[0].key = cpu_to_block(parent); if (parent) for (n = 1; n < num; n++) { @@ -85,6 +86,11 @@ static int alloc_branch(struct inode *inode, break; branch[n].key = cpu_to_block(nr); bh = sb_getblk(inode->i_sb, parent); + if (!bh) { + minix_free_block(inode, nr); + err = -ENOMEM; + break; + } lock_buffer(bh); memset(bh->b_data, 0, bh->b_size); branch[n].bh = bh; @@ -103,7 +109,7 @@ static int alloc_branch(struct inode *inode, bforget(branch[i].bh); for (i = 0; i < n; i++) minix_free_block(inode, block_to_cpu(branch[i].key)); - return -ENOSPC; + return err; } static inline int splice_branch(struct inode *inode, From patchwork Sun Jun 28 06:08:41 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11629925 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1AD66618 for ; Sun, 28 Jun 2020 06:11:06 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E960D20702 for ; Sun, 28 Jun 2020 06:11:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1593324666; bh=4KTwlwAS3yf9rIisW3dStoZMc/64VWd7yIvASpVgF40=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=2FF1iceHwv7qu6mv71Qye0jfoO67FwKaASyBzCEd/dIz0sO9XuS03fiXjiGpyWEkM dzGsKT7h25qmWzNaFwecKPdTIpeNzCvnFtFGKwJYYSEfmTrl3iqwPJ1XYLxSr/c4yw stE6wjfXUlQbnOTUIRa1pSaC+/+O0H4/QQBKKxs4= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726060AbgF1GKg (ORCPT ); Sun, 28 Jun 2020 02:10:36 -0400 Received: from mail.kernel.org ([198.145.29.99]:41978 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725913AbgF1GKf (ORCPT ); Sun, 28 Jun 2020 02:10:35 -0400 Received: from sol.hsd1.ca.comcast.net (c-107-3-166-239.hsd1.ca.comcast.net [107.3.166.239]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C8CF22071A; Sun, 28 Jun 2020 06:10:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1593324635; bh=4KTwlwAS3yf9rIisW3dStoZMc/64VWd7yIvASpVgF40=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=tys1hkuGTt37lRSXE/p9UQUesp1Q878EE0/Bh+8Rr1uBrMOLeeQuoHS07uJ9+Xejn wYzY1rOxJEaJkR0jPswIE1d2ygau1oCcvrZmR+CFkKwaAVtvmmpffNjjxCM98vYE4/ BmDoz86MXWDaSEKqc70KxAswCR9MLwvR4r7SRS2g= From: Eric Biggers To: linux-fsdevel@vger.kernel.org, Alexander Viro , Andrew Morton Cc: linux-kernel@vger.kernel.org, Qiujun Huang , stable@vger.kernel.org, syzbot+a9ac3de1b5de5fb10efc@syzkaller.appspotmail.com, syzbot+df958cf5688a96ad3287@syzkaller.appspotmail.com Subject: [PATCH 2/6] fs/minix: don't allow getting deleted inodes Date: Sat, 27 Jun 2020 23:08:41 -0700 Message-Id: <20200628060846.682158-3-ebiggers@kernel.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200628060846.682158-1-ebiggers@kernel.org> References: <20200628060846.682158-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org From: Eric Biggers If an inode has no links, we need to mark it bad rather than allowing it to be accessed. This avoids WARNINGs in inc_nlink() and drop_nlink() when doing directory operations on a fuzzed filesystem. Reported-by: syzbot+a9ac3de1b5de5fb10efc@syzkaller.appspotmail.com Reported-by: syzbot+df958cf5688a96ad3287@syzkaller.appspotmail.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers --- fs/minix/inode.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/fs/minix/inode.c b/fs/minix/inode.c index 7cb5fd38eb14..2bca95abe8f4 100644 --- a/fs/minix/inode.c +++ b/fs/minix/inode.c @@ -468,6 +468,13 @@ static struct inode *V1_minix_iget(struct inode *inode) iget_failed(inode); return ERR_PTR(-EIO); } + if (raw_inode->i_nlinks == 0) { + printk("MINIX-fs: deleted inode referenced: %lu\n", + inode->i_ino); + brelse(bh); + iget_failed(inode); + return ERR_PTR(-ESTALE); + } inode->i_mode = raw_inode->i_mode; i_uid_write(inode, raw_inode->i_uid); i_gid_write(inode, raw_inode->i_gid); @@ -501,6 +508,13 @@ static struct inode *V2_minix_iget(struct inode *inode) iget_failed(inode); return ERR_PTR(-EIO); } + if (raw_inode->i_nlinks == 0) { + printk("MINIX-fs: deleted inode referenced: %lu\n", + inode->i_ino); + brelse(bh); + iget_failed(inode); + return ERR_PTR(-ESTALE); + } inode->i_mode = raw_inode->i_mode; i_uid_write(inode, raw_inode->i_uid); i_gid_write(inode, raw_inode->i_gid); From patchwork Sun Jun 28 06:08:42 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11629921 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4D092618 for ; Sun, 28 Jun 2020 06:10:53 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3473D2076C for ; Sun, 28 Jun 2020 06:10:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1593324653; bh=eQb+Fz3rRAzfKslIoQDAR5opE1JytzPdjZ4dAMCRjCE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=O/H/wqyHVf6XzF2qEOjBSLYI1hGB8FMUB0e1wzjOzBDJDHmoaeJXFfwkX6vKNZt5j vVHKBFrCvIZjLGpoClajtm0LdV+tsPieXOEo9kLNb1PaoqksvYT+9fqv3eeQq3ktin zCheeC0pIqCBTbWjXAvXwsErYOlYTLry+pI6XdAE= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726141AbgF1GKw (ORCPT ); Sun, 28 Jun 2020 02:10:52 -0400 Received: from mail.kernel.org ([198.145.29.99]:41986 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726027AbgF1GKg (ORCPT ); Sun, 28 Jun 2020 02:10:36 -0400 Received: from sol.hsd1.ca.comcast.net (c-107-3-166-239.hsd1.ca.comcast.net [107.3.166.239]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 33EFA2076C; Sun, 28 Jun 2020 06:10:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1593324635; bh=eQb+Fz3rRAzfKslIoQDAR5opE1JytzPdjZ4dAMCRjCE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=2Qu4KmCXffqy3QlBCH9YucJ8xWAVejd8vUslbePuJeGh/h55TvRjA4NQIgyjK+AWc eGNAvIM27aGihdMrP3nWit1dL8d2Nc3W7zZ7ACIySQVTuNpjROj3zE9nAhUOXlykP2 vkCtu9CvpTPOg97slGXqbOxUyRGP+asygqOqEDFU= From: Eric Biggers To: linux-fsdevel@vger.kernel.org, Alexander Viro , Andrew Morton Cc: linux-kernel@vger.kernel.org, Qiujun Huang , stable@vger.kernel.org, syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com, syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com, syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com Subject: [PATCH 3/6] fs/minix: reject too-large maximum file size Date: Sat, 27 Jun 2020 23:08:42 -0700 Message-Id: <20200628060846.682158-4-ebiggers@kernel.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200628060846.682158-1-ebiggers@kernel.org> References: <20200628060846.682158-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org From: Eric Biggers If the minix filesystem tries to map a very large logical block number to its on-disk location, block_to_path() can return offsets that are too large, causing out-of-bounds memory accesses when accessing indirect index blocks. This should be prevented by the check against the maximum file size, but this doesn't work because the maximum file size is read directly from the on-disk superblock and isn't validated itself. Fix this by validating the maximum file size at mount time. Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers --- fs/minix/inode.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/fs/minix/inode.c b/fs/minix/inode.c index 2bca95abe8f4..0dd929346f3f 100644 --- a/fs/minix/inode.c +++ b/fs/minix/inode.c @@ -150,6 +150,23 @@ static int minix_remount (struct super_block * sb, int * flags, char * data) return 0; } +static bool minix_check_superblock(struct minix_sb_info *sbi) +{ + if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0) + return false; + + /* + * s_max_size must not exceed the block mapping limitation. This check + * is only needed for V1 filesystems, since V2/V3 support an extra level + * of indirect blocks which places the limit well above U32_MAX. + */ + if (sbi->s_version == MINIX_V1 && + sbi->s_max_size > (7 + 512 + 512*512) * BLOCK_SIZE) + return false; + + return true; +} + static int minix_fill_super(struct super_block *s, void *data, int silent) { struct buffer_head *bh; @@ -228,11 +245,12 @@ static int minix_fill_super(struct super_block *s, void *data, int silent) } else goto out_no_fs; + if (!minix_check_superblock(sbi)) + goto out_illegal_sb; + /* * Allocate the buffer map to keep the superblock small. */ - if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0) - goto out_illegal_sb; i = (sbi->s_imap_blocks + sbi->s_zmap_blocks) * sizeof(bh); map = kzalloc(i, GFP_KERNEL); if (!map) From patchwork Sun Jun 28 06:08:43 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11629917 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BEF30138C for ; Sun, 28 Jun 2020 06:10:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A486D2076C for ; Sun, 28 Jun 2020 06:10:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1593324651; bh=bnp+eCD5Gi7nbCry4mjWrBi8MESGj+FmNcYNdBjKM5s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=CHCanf9zTa96tnoQOdycOEy0HAy5Us4KSd0EjJZcGqbmrGGO4bhueiclIN6sC5mpZ ZZVao9NJ47EqqbimWLSwKr8ePPIWchKpEKEZ6Y+CYz5WgmWo6YPBLeRZ7y0qaLQen6 zsPS++2S+LW2BN+QIrAjY+L26LxRevVDwq8oZmKc= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726071AbgF1GKr (ORCPT ); Sun, 28 Jun 2020 02:10:47 -0400 Received: from mail.kernel.org ([198.145.29.99]:42002 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726032AbgF1GKg (ORCPT ); Sun, 28 Jun 2020 02:10:36 -0400 Received: from sol.hsd1.ca.comcast.net (c-107-3-166-239.hsd1.ca.comcast.net [107.3.166.239]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9A572212CC; Sun, 28 Jun 2020 06:10:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1593324635; bh=bnp+eCD5Gi7nbCry4mjWrBi8MESGj+FmNcYNdBjKM5s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LQKCt3cGJZ0QdodNb4/Q0KOHutI+GqY7Jh91UAaVoJU//3NMXtNTbEqatg26eagoW lhsA9NkXA0QfgPI6Yq5F9hHTGSwRUy+qiCdGQPtBsGURzVLDqW/rX29Wi5NvLP/K3M yASw0LCQzJhtfkACRbvpNE3gpxL9kMK7Ux8UJiIE= From: Eric Biggers To: linux-fsdevel@vger.kernel.org, Alexander Viro , Andrew Morton Cc: linux-kernel@vger.kernel.org, Qiujun Huang Subject: [PATCH 4/6] fs/minix: set s_maxbytes correctly Date: Sat, 27 Jun 2020 23:08:43 -0700 Message-Id: <20200628060846.682158-5-ebiggers@kernel.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200628060846.682158-1-ebiggers@kernel.org> References: <20200628060846.682158-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org From: Eric Biggers The minix filesystem leaves super_block::s_maxbytes at MAX_NON_LFS rather than setting it to the actual filesystem-specific limit. This is broken because it means userspace doesn't see the standard behavior like getting EFBIG and SIGXFSZ when exceeding the maximum file size. Fix this by setting s_maxbytes correctly. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Biggers --- fs/minix/inode.c | 12 +++++++----- fs/minix/itree_v1.c | 2 +- fs/minix/itree_v2.c | 3 +-- fs/minix/minix.h | 1 - 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/fs/minix/inode.c b/fs/minix/inode.c index 0dd929346f3f..7b09a9158e40 100644 --- a/fs/minix/inode.c +++ b/fs/minix/inode.c @@ -150,8 +150,10 @@ static int minix_remount (struct super_block * sb, int * flags, char * data) return 0; } -static bool minix_check_superblock(struct minix_sb_info *sbi) +static bool minix_check_superblock(struct super_block *sb) { + struct minix_sb_info *sbi = minix_sb(sb); + if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0) return false; @@ -161,7 +163,7 @@ static bool minix_check_superblock(struct minix_sb_info *sbi) * of indirect blocks which places the limit well above U32_MAX. */ if (sbi->s_version == MINIX_V1 && - sbi->s_max_size > (7 + 512 + 512*512) * BLOCK_SIZE) + sb->s_maxbytes > (7 + 512 + 512*512) * BLOCK_SIZE) return false; return true; @@ -202,7 +204,7 @@ static int minix_fill_super(struct super_block *s, void *data, int silent) sbi->s_zmap_blocks = ms->s_zmap_blocks; sbi->s_firstdatazone = ms->s_firstdatazone; sbi->s_log_zone_size = ms->s_log_zone_size; - sbi->s_max_size = ms->s_max_size; + s->s_maxbytes = ms->s_max_size; s->s_magic = ms->s_magic; if (s->s_magic == MINIX_SUPER_MAGIC) { sbi->s_version = MINIX_V1; @@ -233,7 +235,7 @@ static int minix_fill_super(struct super_block *s, void *data, int silent) sbi->s_zmap_blocks = m3s->s_zmap_blocks; sbi->s_firstdatazone = m3s->s_firstdatazone; sbi->s_log_zone_size = m3s->s_log_zone_size; - sbi->s_max_size = m3s->s_max_size; + s->s_maxbytes = m3s->s_max_size; sbi->s_ninodes = m3s->s_ninodes; sbi->s_nzones = m3s->s_zones; sbi->s_dirsize = 64; @@ -245,7 +247,7 @@ static int minix_fill_super(struct super_block *s, void *data, int silent) } else goto out_no_fs; - if (!minix_check_superblock(sbi)) + if (!minix_check_superblock(s)) goto out_illegal_sb; /* diff --git a/fs/minix/itree_v1.c b/fs/minix/itree_v1.c index 046cc96ee7ad..c0d418209ead 100644 --- a/fs/minix/itree_v1.c +++ b/fs/minix/itree_v1.c @@ -29,7 +29,7 @@ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH]) if (block < 0) { printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n", block, inode->i_sb->s_bdev); - } else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) { + } else if (block >= inode->i_sb->s_maxbytes/BLOCK_SIZE) { if (printk_ratelimit()) printk("MINIX-fs: block_to_path: " "block %ld too big on dev %pg\n", diff --git a/fs/minix/itree_v2.c b/fs/minix/itree_v2.c index f7fc7ecccccc..ee8af2f9e282 100644 --- a/fs/minix/itree_v2.c +++ b/fs/minix/itree_v2.c @@ -32,8 +32,7 @@ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH]) if (block < 0) { printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n", block, sb->s_bdev); - } else if ((u64)block * (u64)sb->s_blocksize >= - minix_sb(sb)->s_max_size) { + } else if ((u64)block * (u64)sb->s_blocksize >= sb->s_maxbytes) { if (printk_ratelimit()) printk("MINIX-fs: block_to_path: " "block %ld too big on dev %pg\n", diff --git a/fs/minix/minix.h b/fs/minix/minix.h index df081e8afcc3..168d45d3de73 100644 --- a/fs/minix/minix.h +++ b/fs/minix/minix.h @@ -32,7 +32,6 @@ struct minix_sb_info { unsigned long s_zmap_blocks; unsigned long s_firstdatazone; unsigned long s_log_zone_size; - unsigned long s_max_size; int s_dirsize; int s_namelen; struct buffer_head ** s_imap; From patchwork Sun Jun 28 06:08:44 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11629923 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 38B8D138C for ; Sun, 28 Jun 2020 06:11:00 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0B1292145D for ; Sun, 28 Jun 2020 06:11:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1593324660; bh=Wb34f6YaEsfsLzZc+19skL3TFpPrVgSg64xcmo1mMfI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=Jui71rvuu0IQymutiK9vjOS3A8+z+8RFWTEIElYpCGAcVitb0GafQTIDY1TGwFDbR diZVLu7W3MZqFlbCe299r/39vLtli0fgABpTxugzmxP+TtQ3Gkn5amZqSULPi0MD/7 Cm6tVQHYNZKFVhU0RMwtXBh79FG7H1yCMeS3otyY= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726154AbgF1GK6 (ORCPT ); Sun, 28 Jun 2020 02:10:58 -0400 Received: from mail.kernel.org ([198.145.29.99]:41978 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726047AbgF1GKg (ORCPT ); Sun, 28 Jun 2020 02:10:36 -0400 Received: from sol.hsd1.ca.comcast.net (c-107-3-166-239.hsd1.ca.comcast.net [107.3.166.239]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E8E662145D; Sun, 28 Jun 2020 06:10:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1593324636; bh=Wb34f6YaEsfsLzZc+19skL3TFpPrVgSg64xcmo1mMfI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=08ZhrHK/MNWDqDnSW9PXmSFzOsc+jrVDUK3HWQENJUNUghQ3EhJtcw4k2laTwRsZO j/7R02nkigf4TCGqqrcLGoaQP13qnj4XZuIVVYobwiRlU7+wuaSHZISsp7wMKc8Qs/ ZOSC1vPLDXdA69pAl4qVamYNdOnVFZN6tREsTT4A= From: Eric Biggers To: linux-fsdevel@vger.kernel.org, Alexander Viro , Andrew Morton Cc: linux-kernel@vger.kernel.org, Qiujun Huang Subject: [PATCH 5/6] fs/minix: fix block limit check for V1 filesystems Date: Sat, 27 Jun 2020 23:08:44 -0700 Message-Id: <20200628060846.682158-6-ebiggers@kernel.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200628060846.682158-1-ebiggers@kernel.org> References: <20200628060846.682158-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org From: Eric Biggers The minix filesystem reads its maximum file size from its on-disk superblock. This value isn't necessarily a multiple of the block size. When it's not, the V1 block mapping code doesn't allow mapping the last possible block. Commit 6ed6a722f9ab ("minixfs: fix block limit check") fixed this in the V2 mapping code. Fix it in the V1 mapping code too. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Biggers --- fs/minix/itree_v1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/minix/itree_v1.c b/fs/minix/itree_v1.c index c0d418209ead..405573a79aab 100644 --- a/fs/minix/itree_v1.c +++ b/fs/minix/itree_v1.c @@ -29,7 +29,7 @@ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH]) if (block < 0) { printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n", block, inode->i_sb->s_bdev); - } else if (block >= inode->i_sb->s_maxbytes/BLOCK_SIZE) { + } else if ((u64)block * BLOCK_SIZE >= inode->i_sb->s_maxbytes) { if (printk_ratelimit()) printk("MINIX-fs: block_to_path: " "block %ld too big on dev %pg\n", From patchwork Sun Jun 28 06:08:45 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 11629915 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9C609138C for ; Sun, 28 Jun 2020 06:10:40 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 6F76921789 for ; Sun, 28 Jun 2020 06:10:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1593324640; bh=gRgayTRJ5OsbWbGZUwN7yGHPV5KREu495tZWeMC74TA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=V7hh0QnAUla6LeOBg1zAGKu4JRABjre/cwvXyKrJRVbmNfoGHZ+9fhFVb+Bf6JX9f hDMXZTO+oFvn3MWXBImS8AggdECKPrp4sLEY6XBG3yKA2B3QL6grOnyUnx9BX/qy1T nDROwSH7jBNLYl3vToVlsMqffUwFXCMWjV3+V2eQ= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726104AbgF1GKj (ORCPT ); Sun, 28 Jun 2020 02:10:39 -0400 Received: from mail.kernel.org ([198.145.29.99]:42012 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726074AbgF1GKh (ORCPT ); Sun, 28 Jun 2020 02:10:37 -0400 Received: from sol.hsd1.ca.comcast.net (c-107-3-166-239.hsd1.ca.comcast.net [107.3.166.239]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 409EA21473; Sun, 28 Jun 2020 06:10:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1593324636; bh=gRgayTRJ5OsbWbGZUwN7yGHPV5KREu495tZWeMC74TA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Zf0XYX/yluiK6jnfRAwQTfK0H6Q/6R2ffPmSOEqjlG0KTZ7XikFpBgOouRaKWwO6i XMhEE0gcSCUXQ9+9acAe/3ttDf2giYHf5KOP12rC8Sz/6rauwJf0ZBfFohn8Lemhhk Y51kAoRxecVoGjttLOVq15oMRncgrccHp5JJ/EuA= From: Eric Biggers To: linux-fsdevel@vger.kernel.org, Alexander Viro , Andrew Morton Cc: linux-kernel@vger.kernel.org, Qiujun Huang Subject: [PATCH 6/6] fs/minix: remove expected error message in block_to_path() Date: Sat, 27 Jun 2020 23:08:45 -0700 Message-Id: <20200628060846.682158-7-ebiggers@kernel.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200628060846.682158-1-ebiggers@kernel.org> References: <20200628060846.682158-1-ebiggers@kernel.org> MIME-Version: 1.0 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org From: Eric Biggers When truncating a file to a size within the last allowed logical block, block_to_path() is called with the *next* block. This exceeds the limit, causing the "block %ld too big" error message to be printed. This case isn't actually an error; there are just no more blocks past that point. So, remove this error message. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Biggers --- fs/minix/itree_v1.c | 12 ++++++------ fs/minix/itree_v2.c | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/fs/minix/itree_v1.c b/fs/minix/itree_v1.c index 405573a79aab..1fed906042aa 100644 --- a/fs/minix/itree_v1.c +++ b/fs/minix/itree_v1.c @@ -29,12 +29,12 @@ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH]) if (block < 0) { printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n", block, inode->i_sb->s_bdev); - } else if ((u64)block * BLOCK_SIZE >= inode->i_sb->s_maxbytes) { - if (printk_ratelimit()) - printk("MINIX-fs: block_to_path: " - "block %ld too big on dev %pg\n", - block, inode->i_sb->s_bdev); - } else if (block < 7) { + return 0; + } + if ((u64)block * BLOCK_SIZE >= inode->i_sb->s_maxbytes) + return 0; + + if (block < 7) { offsets[n++] = block; } else if ((block -= 7) < 512) { offsets[n++] = 7; diff --git a/fs/minix/itree_v2.c b/fs/minix/itree_v2.c index ee8af2f9e282..9d00f31a2d9d 100644 --- a/fs/minix/itree_v2.c +++ b/fs/minix/itree_v2.c @@ -32,12 +32,12 @@ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH]) if (block < 0) { printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n", block, sb->s_bdev); - } else if ((u64)block * (u64)sb->s_blocksize >= sb->s_maxbytes) { - if (printk_ratelimit()) - printk("MINIX-fs: block_to_path: " - "block %ld too big on dev %pg\n", - block, sb->s_bdev); - } else if (block < DIRCOUNT) { + return 0; + } + if ((u64)block * (u64)sb->s_blocksize >= sb->s_maxbytes) + return 0; + + if (block < DIRCOUNT) { offsets[n++] = block; } else if ((block -= DIRCOUNT) < INDIRCOUNT(sb)) { offsets[n++] = DIRCOUNT;