public inbox for stable@vger.kernel.org
* [PATCH] fs/qnx6: fix pointer arithmetic in directory iteration
@ 2026-03-10 10:22 Arpith Kalaginanavoor
  2026-04-08 17:35 ` Al Viro
  0 siblings, 1 reply; 2+ messages in thread
From: Arpith Kalaginanavoor @ 2026-03-10 10:22 UTC (permalink / raw)
  To: viro; +Cc: brauner, stable, linux-fsdevel, Arpith Kalaginanavoor

The conversion to qnx6_get_folio() in commit b2aa61556fcf
("qnx6: Convert qnx6_get_page() to qnx6_get_folio()")
introduced a regression in directory iteration. The pointer 'de'
and the 'limit' address were calculated using byte offsets from
a char pointer without scaling by the size of a QNX6 directory
entry.

This causes the driver to read from incorrect memory offsets,
leading to "invalid direntry size" errors and premature
termination of directory scans.

Fix this by explicitly scaling the offset and limit calculations
by QNX6_DIR_ENTRY_SIZE to ensure the directory entry pointers
align with the intended 32-byte structures.

Fixes: b2aa61556fcf ("qnx6: Convert qnx6_get_page() to qnx6_get_folio()")
Cc: stable@vger.kernel.org
Signed-off-by: Arpith Kalaginanavoor <arpithk@nvidia.com>
---
 fs/qnx6/dir.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/qnx6/dir.c b/fs/qnx6/dir.c
index ae0c9846833d..ba5cae49ad1d 100644
--- a/fs/qnx6/dir.c
+++ b/fs/qnx6/dir.c
@@ -139,8 +139,8 @@ static int qnx6_readdir(struct file *file, struct dir_context *ctx)
 			ctx->pos = (n + 1) << PAGE_SHIFT;
 			return PTR_ERR(kaddr);
 		}
-		de = (struct qnx6_dir_entry *)(kaddr + offset);
-		limit = kaddr + last_entry(inode, n);
+		de = (struct qnx6_dir_entry *)(kaddr + (offset * QNX6_DIR_ENTRY_SIZE));
+		limit = kaddr + (last_entry(inode, n) * QNX6_DIR_ENTRY_SIZE);
 		for (; (char *)de < limit; de++, ctx->pos += QNX6_DIR_ENTRY_SIZE) {
 			int size = de->de_size;
 			u32 no_inode = fs32_to_cpu(sbi, de->de_inode);
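Review bot: the two `+` lines open-code the multiplication that typed pointer arithmetic already does, so `de = (struct qnx6_dir_entry *)kaddr + offset;` gives the same address with less room for a mismatched constant; the same holds for `limit` if its declaration is changed to `struct qnx6_dir_entry *`, which would also let the loop header `for (; (char *)de < limit; ...)` drop the cast. Whichever form is kept, the commit message could state explicitly that `offset` and `last_entry(inode, n)` are entry indices rather than byte offsets, since that is the property the fix depends on.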
-- 
2.43.0
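As an added illustration of the three spellings of the calculation discussed in this thread (the regressed char-pointer form, the patch's explicit scaling, and the typed-pointer form asked about in the reply), here is example code that is not part of the patch or of the kernel tree. The struct is a user-space stand-in assumed to match the 32-byte entry layout, and the directory block it walks is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define QNX6_DIR_ENTRY_SIZE 32
#define QNX6_SHORT_NAME_MAX 27

/* User-space stand-in assumed to match the 32-byte on-disk entry layout. */
struct qnx6_dir_entry {
	uint32_t de_inode;
	uint8_t  de_size;
	char     de_fname[QNX6_SHORT_NAME_MAX];
};
_Static_assert(sizeof(struct qnx6_dir_entry) == QNX6_DIR_ENTRY_SIZE, "entry layout");

/* Regressed form: an entry index added to a char pointer is a byte offset. */
static const struct qnx6_dir_entry *entry_unscaled(const char *kaddr, unsigned idx) {
	return (const struct qnx6_dir_entry *)(kaddr + idx);
}

/* The patch's form: scale the index by the entry size explicitly. */
static const struct qnx6_dir_entry *entry_scaled(const char *kaddr, unsigned idx) {
	return (const struct qnx6_dir_entry *)(kaddr + idx * QNX6_DIR_ENTRY_SIZE);
}

/* The form suggested in review: cast first, let typed arithmetic scale. */
static const struct qnx6_dir_entry *entry_typed(const char *kaddr, unsigned idx) {
	return (const struct qnx6_dir_entry *)kaddr + idx;
}

#define N_ENTRIES 4
static char dir_block[N_ENTRIES * QNX6_DIR_ENTRY_SIZE]; /* constructed directory block */

/* Fill dir_block with short-name entries, then walk entries [first, N_ENTRIES)
 * the way qnx6_readdir does, counting those whose de_size is a plausible name
 * length. de_size is read bytewise so a misaligned pointer cannot trap. */
static unsigned count_plausible(unsigned first,
				const struct qnx6_dir_entry *(*get)(const char *, unsigned)) {
	unsigned n = 0;
	for (unsigned i = 0; i < N_ENTRIES; i++) {
		struct qnx6_dir_entry e = { .de_inode = 100 + i, .de_size = 2, .de_fname = "e" };
		memcpy(dir_block + i * QNX6_DIR_ENTRY_SIZE, &e, sizeof e);
	}
	const char *de = (const char *)get(dir_block, first);
	const char *limit = (const char *)get(dir_block, N_ENTRIES);
	for (; de < limit; de += QNX6_DIR_ENTRY_SIZE) {
		uint8_t size = (uint8_t)de[offsetof(struct qnx6_dir_entry, de_size)];
		if (size && size <= QNX6_SHORT_NAME_MAX)
			n++;
	}
	return n;
}
```

With the unscaled form the walk starts one byte into entry 0, sees a name byte where de_size should be, and stops after a single iteration, which is the "invalid direntry size" and early termination the commit message describes.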



* Re: [PATCH] fs/qnx6: fix pointer arithmetic in directory iteration
  2026-03-10 10:22 [PATCH] fs/qnx6: fix pointer arithmetic in directory iteration Arpith Kalaginanavoor
@ 2026-04-08 17:35 ` Al Viro
  0 siblings, 0 replies; 2+ messages in thread
From: Al Viro @ 2026-04-08 17:35 UTC (permalink / raw)
  To: Arpith Kalaginanavoor; +Cc: brauner, stable, linux-fsdevel

On Tue, Mar 10, 2026 at 03:22:33AM -0700, Arpith Kalaginanavoor wrote:

> diff --git a/fs/qnx6/dir.c b/fs/qnx6/dir.c
> index ae0c9846833d..ba5cae49ad1d 100644
> --- a/fs/qnx6/dir.c
> +++ b/fs/qnx6/dir.c
> @@ -139,8 +139,8 @@ static int qnx6_readdir(struct file *file, struct dir_context *ctx)
>  			ctx->pos = (n + 1) << PAGE_SHIFT;
>  			return PTR_ERR(kaddr);
>  		}
> -		de = (struct qnx6_dir_entry *)(kaddr + offset);
> -		limit = kaddr + last_entry(inode, n);
> +		de = (struct qnx6_dir_entry *)(kaddr + (offset * QNX6_DIR_ENTRY_SIZE));
> +		limit = kaddr + (last_entry(inode, n) * QNX6_DIR_ENTRY_SIZE);

Why not simply

		de = (struct qnx6_dir_entry *)kaddr + offset;
		limit = (struct qnx6_dir_entry *)kaddr + last_entry(inode, n);

instead of open-coding the multiplication?
