Commit c3d5f0c2 authored by Darrick J. Wong's avatar Darrick J. Wong

xfs: complain if anyone tries to create a too-large buffer log item

Complain if someone calls xfs_buf_item_init on a buffer that is larger
than the dirty bitmap can handle, or tries to log a region that's past
the end of the dirty bitmap.
Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
parent c64dd49b
...@@ -763,6 +763,15 @@ xfs_buf_item_init( ...@@ -763,6 +763,15 @@ xfs_buf_item_init(
XFS_BLF_CHUNK); XFS_BLF_CHUNK);
map_size = DIV_ROUND_UP(chunks, NBWORD); map_size = DIV_ROUND_UP(chunks, NBWORD);
if (map_size > XFS_BLF_DATAMAP_SIZE) {
kmem_cache_free(xfs_buf_item_zone, bip);
xfs_err(mp,
"buffer item dirty bitmap (%u uints) too small to reflect %u bytes!",
map_size,
BBTOB(bp->b_maps[i].bm_len));
return -EFSCORRUPTED;
}
bip->bli_formats[i].blf_type = XFS_LI_BUF; bip->bli_formats[i].blf_type = XFS_LI_BUF;
bip->bli_formats[i].blf_blkno = bp->b_maps[i].bm_bn; bip->bli_formats[i].blf_blkno = bp->b_maps[i].bm_bn;
bip->bli_formats[i].blf_len = bp->b_maps[i].bm_len; bip->bli_formats[i].blf_len = bp->b_maps[i].bm_len;
...@@ -795,6 +804,9 @@ xfs_buf_item_log_segment( ...@@ -795,6 +804,9 @@ xfs_buf_item_log_segment(
uint end_bit; uint end_bit;
uint mask; uint mask;
ASSERT(first < XFS_BLF_DATAMAP_SIZE * XFS_BLF_CHUNK * NBWORD);
ASSERT(last < XFS_BLF_DATAMAP_SIZE * XFS_BLF_CHUNK * NBWORD);
/* /*
* Convert byte offsets to bit numbers. * Convert byte offsets to bit numbers.
*/ */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment