Patchwork [v2] ext4: fix possible overflow in ext4_trim_fs()

login
register
mail settings
Submitter Lukas Czerner
Date Sept. 6, 2011, 6:42 a.m.
Message ID <1315291324-6864-1-git-send-email-lczerner@redhat.com>
Download mbox | patch
Permalink /patch/113486/
State Superseded
Headers show

Comments

Lukas Czerner - Sept. 6, 2011, 6:42 a.m.
The overflow can happen when we are calling get_group_no_and_offset()
which stores the result of do_div() in 32 bit long type. However the
result might be bigger than that if big blocknr is passed in. This will
most likely happen when calling FITRIM with the default argument len =
ULLONG_MAX.

Fix it by decrementing the len so that start+len equals to the file system
size in the worst case.

Signed-off-by: Lukas Czerner <lczerner@redhat.com>
---
v2 - Change commit description to better describe the problem

 fs/ext4/mballoc.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

Patch

diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 17a5a57..d86dc14 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -4952,14 +4952,18 @@  int ext4_trim_fs(struct super_block *sb, struct fstrim_range *range)
 	uint64_t start, len, minlen, trimmed = 0;
 	ext4_fsblk_t first_data_blk =
 			le32_to_cpu(EXT4_SB(sb)->s_es->s_first_data_block);
+	ext4_fsblk_t max_blks = ext4_blocks_count(EXT4_SB(sb)->s_es);
 	int ret = 0;
 
 	start = range->start >> sb->s_blocksize_bits;
 	len = range->len >> sb->s_blocksize_bits;
 	minlen = range->minlen >> sb->s_blocksize_bits;
 
-	if (unlikely(minlen > EXT4_BLOCKS_PER_GROUP(sb)))
+	if (unlikely(minlen > EXT4_BLOCKS_PER_GROUP(sb)) ||
+	    unlikely(start > max_blks))
 		return -EINVAL;
+	if (unlikely(len > max_blks))
+		len = max_blks - start;
 	if (start + len <= first_data_blk)
 		goto out;
 	if (start < first_data_blk) {