fs/minix: Verify bitmap block counts before mounting

Newer versions of MINIX can create filesystems that allocate an extra
bitmap block.  Mounting of this succeeds, but doing a statfs call will
result in an oops in count_free because of a negative number being used
for the bh index.

Avoid this by verifying the number of allocated blocks at mount time,
erroring out if there are not enough and make statfs ignore the extras
if there are too many.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792

Signed-off-by: Josh Boyer <jwboyer@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

3 files changed, 42 insertions, 10 deletions

diff --git a/fs/minix/bitmap.c b/fs/minix/bitmap.c
index 3f32bcb0d9b..7c82c29429d 100644
--- a/fs/minix/bitmap.c
+++ b/fs/minix/bitmap.c
@@ -20,10 +20,11 @@ static const int nibblemap[] = { 4,3,3,2,3,2,2,1,3,2,2,1,2,1,1,0 };
 
 static DEFINE_SPINLOCK(bitmap_lock);
 
-static unsigned long count_free(struct buffer_head *map[], unsigned numblocks, __u32 numbits)
+static unsigned long count_free(struct buffer_head *map[], unsigned blocksize, __u32 numbits)
 {
         unsigned i, j, sum = 0;
         struct buffer_head *bh;
+        unsigned numblocks = minix_blocks_needed(numbits, blocksize);
   
         for (i=0; i<numblocks-1; i++) {
                 if (!(bh=map[i])) 
@@ -105,10 +106,12 @@ int minix_new_block(struct inode * inode)
         return 0;
 }
 
-unsigned long minix_count_free_blocks(struct minix_sb_info *sbi)
+unsigned long minix_count_free_blocks(struct super_block *sb)
 {
-        return (count_free(sbi->s_zmap, sbi->s_zmap_blocks,
-                sbi->s_nzones - sbi->s_firstdatazone + 1)
+        struct minix_sb_info *sbi = minix_sb(sb);
+        u32 bits = sbi->s_nzones - (sbi->s_firstdatazone + 1);
+
+        return (count_free(sbi->s_zmap, sb->s_blocksize, bits)
                 << sbi->s_log_zone_size);
 }
 
@@ -273,7 +276,10 @@ struct inode *minix_new_inode(const struct inode *dir, int mode, int *error)
         return inode;
 }
 
-unsigned long minix_count_free_inodes(struct minix_sb_info *sbi)
+unsigned long minix_count_free_inodes(struct super_block *sb)
 {
-        return count_free(sbi->s_imap, sbi->s_imap_blocks, sbi->s_ninodes + 1);
+        struct minix_sb_info *sbi = minix_sb(sb);
+        u32 bits = sbi->s_ninodes + 1;
+
+        return count_free(sbi->s_imap, sb->s_blocksize, bits);
 }
diff --git a/fs/minix/inode.c b/fs/minix/inode.c
index 64cdcd662ff..1d9e33966db 100644
--- a/fs/minix/inode.c
+++ b/fs/minix/inode.c
@@ -279,6 +279,27 @@ static int minix_fill_super(struct super_block *s, void *data, int silent)
         else if (sbi->s_mount_state & MINIX_ERROR_FS)
                 printk("MINIX-fs: mounting file system with errors, "
                         "running fsck is recommended\n");
+
+        /* Apparently minix can create filesystems that allocate more blocks for
+         * the bitmaps than needed.  We simply ignore that, but verify it didn't
+         * create one with not enough blocks and bail out if so.
+         */
+        block = minix_blocks_needed(sbi->s_ninodes, s->s_blocksize);
+        if (sbi->s_imap_blocks < block) {
+                printk("MINIX-fs: file system does not have enough "
+                                "imap blocks allocated.  Refusing to mount\n");
+                goto out_iput;
+        }
+
+        block = minix_blocks_needed(
+                        (sbi->s_nzones - (sbi->s_firstdatazone + 1)),
+                        s->s_blocksize);
+        if (sbi->s_zmap_blocks < block) {
+                printk("MINIX-fs: file system does not have enough "
+                                "zmap blocks allocated.  Refusing to mount.\n");
+                goto out_iput;
+        }
+
         return 0;
 
 out_iput:
@@ -339,10 +360,10 @@ static int minix_statfs(struct dentry *dentry, struct kstatfs *buf)
         buf->f_type = sb->s_magic;
         buf->f_bsize = sb->s_blocksize;
         buf->f_blocks = (sbi->s_nzones - sbi->s_firstdatazone) << sbi->s_log_zone_size;
-        buf->f_bfree = minix_count_free_blocks(sbi);
+        buf->f_bfree = minix_count_free_blocks(sb);
         buf->f_bavail = buf->f_bfree;
         buf->f_files = sbi->s_ninodes;
-        buf->f_ffree = minix_count_free_inodes(sbi);
+        buf->f_ffree = minix_count_free_inodes(sb);
         buf->f_namelen = sbi->s_namelen;
         buf->f_fsid.val[0] = (u32)id;
         buf->f_fsid.val[1] = (u32)(id >> 32);
diff --git a/fs/minix/minix.h b/fs/minix/minix.h
index 341e2122879..6415fe0d238 100644
--- a/fs/minix/minix.h
+++ b/fs/minix/minix.h
@@ -48,10 +48,10 @@ extern struct minix_inode * minix_V1_raw_inode(struct super_block *, ino_t, stru
 extern struct minix2_inode * minix_V2_raw_inode(struct super_block *, ino_t, struct buffer_head **);
 extern struct inode * minix_new_inode(const struct inode *, int, int *);
 extern void minix_free_inode(struct inode * inode);
-extern unsigned long minix_count_free_inodes(struct minix_sb_info *sbi);
+extern unsigned long minix_count_free_inodes(struct super_block *sb);
 extern int minix_new_block(struct inode * inode);
 extern void minix_free_block(struct inode *inode, unsigned long block);
-extern unsigned long minix_count_free_blocks(struct minix_sb_info *sbi);
+extern unsigned long minix_count_free_blocks(struct super_block *sb);
 extern int minix_getattr(struct vfsmount *, struct dentry *, struct kstat *);
 extern int minix_prepare_chunk(struct page *page, loff_t pos, unsigned len);
 
@@ -88,6 +88,11 @@ static inline struct minix_inode_info *minix_i(struct inode *inode)
         return list_entry(inode, struct minix_inode_info, vfs_inode);
 }
 
+static inline unsigned minix_blocks_needed(unsigned bits, unsigned blocksize)
+{
+        return DIV_ROUND_UP(bits, blocksize * 8);
+}
+
 #if defined(CONFIG_MINIX_FS_NATIVE_ENDIAN) && \
         defined(CONFIG_MINIX_FS_BIG_ENDIAN_16BIT_INDEXED)