From: Arpith Kalaginanavoor <arpithk@nvidia.com>
To: <viro@zeniv.linux.org.uk>
Cc: <brauner@kernel.org>, <stable@vger.kernel.org>,
<linux-fsdevel@vger.kernel.org>,
Arpith Kalaginanavoor <arpithk@nvidia.com>
Subject: [PATCH] fs/qnx6: fix pointer arithmetic in directory iteration
Date: Tue, 10 Mar 2026 03:22:33 -0700
Message-ID: <20260310102233.391113-1-arpithk@nvidia.com>

The conversion to qnx6_get_folio() in commit b2aa61556fcf
("qnx6: Convert qnx6_get_page() to qnx6_get_folio()")
introduced a regression in directory iteration. The pointer 'de'
and the 'limit' address were calculated using byte offsets from
a char pointer without scaling by the size of a QNX6 directory
entry.

This causes the driver to read from incorrect memory offsets,
leading to "invalid direntry size" errors and premature
termination of directory scans.

Fix this by explicitly scaling the offset and limit calculations
by QNX6_DIR_ENTRY_SIZE to ensure the directory entry pointers
align with the intended 32-byte structures.

Fixes: b2aa61556fcf ("qnx6: Convert qnx6_get_page() to qnx6_get_folio()")
Cc: stable@vger.kernel.org
Signed-off-by: Arpith Kalaginanavoor <arpithk@nvidia.com>
---
fs/qnx6/dir.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/qnx6/dir.c b/fs/qnx6/dir.c
index ae0c9846833d..ba5cae49ad1d 100644
--- a/fs/qnx6/dir.c
+++ b/fs/qnx6/dir.c
@@ -139,8 +139,8 @@ static int qnx6_readdir(struct file *file, struct dir_context *ctx)
ctx->pos = (n + 1) << PAGE_SHIFT;
return PTR_ERR(kaddr);
}
- de = (struct qnx6_dir_entry *)(kaddr + offset);
- limit = kaddr + last_entry(inode, n);
+ de = (struct qnx6_dir_entry *)(kaddr + (offset * QNX6_DIR_ENTRY_SIZE));
+ limit = kaddr + (last_entry(inode, n) * QNX6_DIR_ENTRY_SIZE);
for (; (char *)de < limit; de++, ctx->pos += QNX6_DIR_ENTRY_SIZE) {
int size = de->de_size;
u32 no_inode = fs32_to_cpu(sbi, de->de_inode);
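Review bot: In the two replaced assignments the scaling is done by hand on a char pointer (`kaddr + (offset * QNX6_DIR_ENTRY_SIZE)`), while the loop directly below advances with `de++`, which steps by sizeof(struct qnx6_dir_entry); the two agree only as long as QNX6_DIR_ENTRY_SIZE equals that sizeof. Consider typed pointer arithmetic instead, for example `de = (struct qnx6_dir_entry *)kaddr + offset;`, and making `limit` a `struct qnx6_dir_entry *` so the `(char *)de < limit` cast can go away. The hunk does not show where `offset` is computed or what `last_entry()` returns, so the commit message or a short comment should state that both are entry counts rather than byte offsets, and that `last_entry(inode, n)` entries never extend past the mapped page, since `limit` is the only bound on the `de->de_size` reads in the loop.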
--
2.43.0