From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Gabriel de Perthuis <g2p.code+btrfs@gmail.com>,
Josef Bacik <jbacik@fusionio.com>
Subject: [ 03/21] btrfs: dont stop searching after encountering the wrong item
Date: Wed, 22 May 2013 15:10:21 -0700
Message-ID: <20130522205233.040345329@linuxfoundation.org>
In-Reply-To: <20130522205232.597066680@linuxfoundation.org>
3.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabriel de Perthuis <g2p.code@gmail.com>
commit 03b71c6ca6286625d8f1ed44aabab9b5bf5dac10 upstream.
The search ioctl skips items that are too large for a result buffer, but
inline items of a certain size occurring before any search result is
found would trigger an overflow and stop the search entirely.
Bug: https://bugzilla.kernel.org/show_bug.cgi?id=57641
Signed-off-by: Gabriel de Perthuis <g2p.code+btrfs@gmail.com>
Signed-off-by: Josef Bacik <jbacik@fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ioctl.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1796,7 +1796,11 @@ static noinline int copy_to_sk(struct bt
item_off = btrfs_item_ptr_offset(leaf, i);
item_len = btrfs_item_size_nr(leaf, i);
- if (item_len > BTRFS_SEARCH_ARGS_BUFSIZE)
+ btrfs_item_key_to_cpu(leaf, key, i);
+ if (!key_in_sk(key, sk))
+ continue;
+
+ if (sizeof(sh) + item_len > BTRFS_SEARCH_ARGS_BUFSIZE)
item_len = 0;
if (sizeof(sh) + item_len + *sk_offset >
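Review bot: the placement of the relocated `key_in_sk()` filter ahead of both size checks is the entire fix, yet nothing at that spot records it. A one-line comment above `if (!key_in_sk(key, sk))` saying that non-matching items must be skipped before any buffer-size test would keep a later cleanup from moving it back. The filter could also sit above the `item_off` and `item_len` reads so that skipped items do no extra work. Separately, the `item_len = 0` branch under the new `sizeof(sh) + item_len > BTRFS_SEARCH_ARGS_BUFSIZE` test still drops an oversized item's payload silently; a comment stating that only the header is returned in that case would help readers of the ioctl.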
@@ -1805,10 +1809,6 @@ static noinline int copy_to_sk(struct bt
goto overflow;
}
- btrfs_item_key_to_cpu(leaf, key, i);
- if (!key_in_sk(key, sk))
- continue;
-
sh.objectid = key->objectid;
sh.offset = key->offset;
sh.type = key->type;
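Review bot: at `sh.objectid = key->objectid`, `key` is now populated by the `btrfs_item_key_to_cpu(leaf, key, i)` call that was moved above the size checks, so the header copy and the filter both depend on that single earlier call. A short comment at the new call site noting this dependency would make it harder to separate them in a future reorder. With these lines removed, `goto overflow` is only reached for items that match the search key; the commit message would be clearer if it stated that behaviour change directly.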