From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jan Kara <jack@suse.cz>,
Theodore Tso <tytso@mit.edu>, Zheng Liu <wenqing.lz@taobao.com>
Subject: [ 31/38] ext4: fix overflows in SEEK_HOLE, SEEK_DATA implementations
Date: Thu, 18 Jul 2013 22:21:47 -0700
Message-ID: <20130719052050.008903462@linuxfoundation.org>
In-Reply-To: <20130719052047.858393825@linuxfoundation.org>
3.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit e7293fd146846e2a44d29e0477e0860c60fb856b upstream.
ext4_lblk_t is just u32 so multiplying it by blocksize can easily
overflow for files larger than 4 GB. Fix that by properly typing the
block offsets before shifting.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Zheng Liu <wenqing.lz@taobao.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/file.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -311,7 +311,7 @@ static int ext4_find_unwritten_pgoff(str
blkbits = inode->i_sb->s_blocksize_bits;
startoff = *offset;
lastoff = startoff;
- endoff = (map->m_lblk + map->m_len) << blkbits;
+ endoff = (loff_t)(map->m_lblk + map->m_len) << blkbits;
index = startoff >> PAGE_CACHE_SHIFT;
end = endoff >> PAGE_CACHE_SHIFT;
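Review bot: in the `endoff` assignment the cast covers the parenthesised sum, so `map->m_lblk + map->m_len` is still added at the operands' own width and only the shift is widened. If both fields are 32-bit (the commit message gives ext4_lblk_t as u32; the type of m_len is not visible in this hunk), a mapping that ends at the top of the logical block range could wrap before the cast takes effect. Widening one operand first, as in `((loff_t)map->m_lblk + map->m_len) << blkbits`, closes that gap.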
@@ -456,7 +456,7 @@ static loff_t ext4_seek_data(struct file
ret = ext4_map_blocks(NULL, inode, &map, 0);
if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) {
if (last != start)
- dataoff = last << blkbits;
+ dataoff = (loff_t)last << blkbits;
break;
}
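Review bot: the `(loff_t)last << blkbits` conversion at the `dataoff` assignment is open-coded here and repeated in every later hunk of this patch, which is how the unwidened form spread to seven places to begin with. A small inline helper that takes the block number and blkbits and returns loff_t would keep the widening in one place, so a future call site cannot drop the cast.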
@@ -467,7 +467,7 @@ static loff_t ext4_seek_data(struct file
ext4_es_find_delayed_extent(inode, last, &es);
if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) {
if (last != start)
- dataoff = last << blkbits;
+ dataoff = (loff_t)last << blkbits;
break;
}
@@ -485,7 +485,7 @@ static loff_t ext4_seek_data(struct file
}
last++;
- dataoff = last << blkbits;
+ dataoff = (loff_t)last << blkbits;
} while (last <= end);
mutex_unlock(&inode->i_mutex);
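Review bot: the cast fixes the `dataoff` assignment, but the `last++` just above it and the `while (last <= end)` test still run at the width of `last`, whose declaration is outside this hunk. If `last` and `end` are the u32 ext4_lblk_t the commit message describes, a file whose final block number is the maximum value would let `last++` wrap to 0 and the loop condition stay true. Worth confirming that `end` can never reach that value, or bounding the loop on a widened counter.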
@@ -539,7 +539,7 @@ static loff_t ext4_seek_hole(struct file
ret = ext4_map_blocks(NULL, inode, &map, 0);
if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) {
last += ret;
- holeoff = last << blkbits;
+ holeoff = (loff_t)last << blkbits;
continue;
}
@@ -550,7 +550,7 @@ static loff_t ext4_seek_hole(struct file
ext4_es_find_delayed_extent(inode, last, &es);
if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) {
last = es.es_lblk + es.es_len;
- holeoff = last << blkbits;
+ holeoff = (loff_t)last << blkbits;
continue;
}
@@ -565,7 +565,7 @@ static loff_t ext4_seek_hole(struct file
&map, &holeoff);
if (!unwritten) {
last += ret;
- holeoff = last << blkbits;
+ holeoff = (loff_t)last << blkbits;
continue;
}
}
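Review bot: nothing accompanying these `holeoff` and `dataoff` changes exercises offsets beyond the 4 GB boundary that the commit message names as the trigger. A regression test that creates a sparse file with data and holes placed past 4 GB and checks the offsets returned by lseek() with SEEK_DATA and SEEK_HOLE would guard all seven sites, and would also show whether the `last += ret` additions in ext4_seek_hole need the same widening before the shift.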