Commit efab3ae2 authored by Darrick J. Wong's avatar Darrick J. Wong Committed by Greg Kroah-Hartman

xfs: filter out obviously bad btree pointers

commit d5a91bae upstream.

Don't let anybody load an obviously bad btree pointer.  Since the values
come from disk, we must return an error, not just ASSERT.
Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: default avatarEric Sandeen <sandeen@redhat.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 7e2dd1fb
...@@ -1278,7 +1278,6 @@ xfs_bmap_read_extents( ...@@ -1278,7 +1278,6 @@ xfs_bmap_read_extents(
/* REFERENCED */ /* REFERENCED */
xfs_extnum_t room; /* number of entries there's room for */ xfs_extnum_t room; /* number of entries there's room for */
bno = NULLFSBLOCK;
mp = ip->i_mount; mp = ip->i_mount;
ifp = XFS_IFORK_PTR(ip, whichfork); ifp = XFS_IFORK_PTR(ip, whichfork);
exntf = (whichfork != XFS_DATA_FORK) ? XFS_EXTFMT_NOSTATE : exntf = (whichfork != XFS_DATA_FORK) ? XFS_EXTFMT_NOSTATE :
...@@ -1291,9 +1290,7 @@ xfs_bmap_read_extents( ...@@ -1291,9 +1290,7 @@ xfs_bmap_read_extents(
ASSERT(level > 0); ASSERT(level > 0);
pp = XFS_BMAP_BROOT_PTR_ADDR(mp, block, 1, ifp->if_broot_bytes); pp = XFS_BMAP_BROOT_PTR_ADDR(mp, block, 1, ifp->if_broot_bytes);
bno = be64_to_cpu(*pp); bno = be64_to_cpu(*pp);
ASSERT(bno != NULLFSBLOCK);
ASSERT(XFS_FSB_TO_AGNO(mp, bno) < mp->m_sb.sb_agcount);
ASSERT(XFS_FSB_TO_AGBNO(mp, bno) < mp->m_sb.sb_agblocks);
/* /*
* Go down the tree until leaf level is reached, following the first * Go down the tree until leaf level is reached, following the first
* pointer (leftmost) at each level. * pointer (leftmost) at each level.
......
...@@ -810,7 +810,8 @@ xfs_btree_read_bufl( ...@@ -810,7 +810,8 @@ xfs_btree_read_bufl(
xfs_daddr_t d; /* real disk block address */ xfs_daddr_t d; /* real disk block address */
int error; int error;
ASSERT(fsbno != NULLFSBLOCK); if (!XFS_FSB_SANITY_CHECK(mp, fsbno))
return -EFSCORRUPTED;
d = XFS_FSB_TO_DADDR(mp, fsbno); d = XFS_FSB_TO_DADDR(mp, fsbno);
error = xfs_trans_read_buf(mp, tp, mp->m_ddev_targp, d, error = xfs_trans_read_buf(mp, tp, mp->m_ddev_targp, d,
mp->m_bsize, lock, &bp, ops); mp->m_bsize, lock, &bp, ops);
......
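Review bot: The new early return in xfs_btree_read_bufl rejects a bad on-disk pointer silently: as far as this hunk shows, nothing is logged before `return -EFSCORRUPTED;`. An administrator would then see only the error code, with no record of which lookup hit the corrupt pointer. Unless every caller already reports corruption, consider bracing the branch and adding `XFS_ERROR_REPORT(__func__, XFS_ERRLEVEL_LOW, mp);` ahead of the return. The function's signature and the code after the xfs_trans_read_buf call are outside the hunk, so how the output buffer pointer is left on this path cannot be checked from here.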
...@@ -491,7 +491,7 @@ static inline int xfs_btree_get_level(struct xfs_btree_block *block) ...@@ -491,7 +491,7 @@ static inline int xfs_btree_get_level(struct xfs_btree_block *block)
#define XFS_FILBLKS_MAX(a,b) max_t(xfs_filblks_t, (a), (b)) #define XFS_FILBLKS_MAX(a,b) max_t(xfs_filblks_t, (a), (b))
#define XFS_FSB_SANITY_CHECK(mp,fsb) \ #define XFS_FSB_SANITY_CHECK(mp,fsb) \
(XFS_FSB_TO_AGNO(mp, fsb) < mp->m_sb.sb_agcount && \ (fsb && XFS_FSB_TO_AGNO(mp, fsb) < mp->m_sb.sb_agcount && \
XFS_FSB_TO_AGBNO(mp, fsb) < mp->m_sb.sb_agblocks) XFS_FSB_TO_AGBNO(mp, fsb) < mp->m_sb.sb_agblocks)
/* /*
......
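Review bot: XFS_FSB_SANITY_CHECK now guards reads of disk-supplied pointers but has no comment saying what it does and does not guarantee. The removed `ASSERT(fsbno != NULLFSBLOCK)` is not replaced by an explicit test; NULLFSBLOCK is presumably rejected only because its AG number fails the `sb_agcount` comparison, which a reader cannot see from the macro. A comment above it such as `/* Coarse filter for on-disk block pointers: nonzero and inside the superblock AG geometry (this is what rejects NULLFSBLOCK); not proof the block is valid. */` would make that contract explicit. Separately, the added `fsb &&` term expands `fsb` and `mp` unparenthesized and evaluates `fsb` three times, so writing `(fsb)` and `(mp)->m_sb` or converting to a static inline helper would be safer for future callers.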