diff options
| author | Al Viro <viro@ftp.linux.org.uk> | 2008-03-16 18:48:08 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-03-17 12:46:55 -0400 |
| commit | 3d10a15d6919488204bdb264050d156ced20d9aa (patch) | |
| tree | c5a230680cb2745c94137e354d66f7734266a009 | |
| parent | a978b30af3bab0dd9af9350eeda25e76123fa28e (diff) | |
hfs_bnode_find() can fail, resulting in hfs_bnode_split() breakage
oops and fs corruption; the latter can happen even on valid fs in case of oom.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| -rw-r--r-- | fs/hfs/brec.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c index 878bf25dbc6a..92fb358ce824 100644 --- a/fs/hfs/brec.c +++ b/fs/hfs/brec.c | |||
| @@ -229,7 +229,7 @@ skip: | |||
| 229 | static struct hfs_bnode *hfs_bnode_split(struct hfs_find_data *fd) | 229 | static struct hfs_bnode *hfs_bnode_split(struct hfs_find_data *fd) |
| 230 | { | 230 | { |
| 231 | struct hfs_btree *tree; | 231 | struct hfs_btree *tree; |
| 232 | struct hfs_bnode *node, *new_node; | 232 | struct hfs_bnode *node, *new_node, *next_node; |
| 233 | struct hfs_bnode_desc node_desc; | 233 | struct hfs_bnode_desc node_desc; |
| 234 | int num_recs, new_rec_off, new_off, old_rec_off; | 234 | int num_recs, new_rec_off, new_off, old_rec_off; |
| 235 | int data_start, data_end, size; | 235 | int data_start, data_end, size; |
| @@ -248,6 +248,17 @@ static struct hfs_bnode *hfs_bnode_split(struct hfs_find_data *fd) | |||
| 248 | new_node->type = node->type; | 248 | new_node->type = node->type; |
| 249 | new_node->height = node->height; | 249 | new_node->height = node->height; |
| 250 | 250 | ||
| 251 | if (node->next) | ||
| 252 | next_node = hfs_bnode_find(tree, node->next); | ||
| 253 | else | ||
| 254 | next_node = NULL; | ||
| 255 | |||
| 256 | if (IS_ERR(next_node)) { | ||
| 257 | hfs_bnode_put(node); | ||
| 258 | hfs_bnode_put(new_node); | ||
| 259 | return next_node; | ||
| 260 | } | ||
| 261 | |||
| 251 | size = tree->node_size / 2 - node->num_recs * 2 - 14; | 262 | size = tree->node_size / 2 - node->num_recs * 2 - 14; |
| 252 | old_rec_off = tree->node_size - 4; | 263 | old_rec_off = tree->node_size - 4; |
| 253 | num_recs = 1; | 264 | num_recs = 1; |
| @@ -261,6 +272,8 @@ static struct hfs_bnode *hfs_bnode_split(struct hfs_find_data *fd) | |||
| 261 | /* panic? */ | 272 | /* panic? */ |
| 262 | hfs_bnode_put(node); | 273 | hfs_bnode_put(node); |
| 263 | hfs_bnode_put(new_node); | 274 | hfs_bnode_put(new_node); |
| 275 | if (next_node) | ||
| 276 | hfs_bnode_put(next_node); | ||
| 264 | return ERR_PTR(-ENOSPC); | 277 | return ERR_PTR(-ENOSPC); |
| 265 | } | 278 | } |
| 266 | 279 | ||
| @@ -315,8 +328,7 @@ static struct hfs_bnode *hfs_bnode_split(struct hfs_find_data *fd) | |||
| 315 | hfs_bnode_write(node, &node_desc, 0, sizeof(node_desc)); | 328 | hfs_bnode_write(node, &node_desc, 0, sizeof(node_desc)); |
| 316 | 329 | ||
| 317 | /* update next bnode header */ | 330 | /* update next bnode header */ |
| 318 | if (new_node->next) { | 331 | if (next_node) { |
| 319 | struct hfs_bnode *next_node = hfs_bnode_find(tree, new_node->next); | ||
| 320 | next_node->prev = new_node->this; | 332 | next_node->prev = new_node->this; |
| 321 | hfs_bnode_read(next_node, &node_desc, 0, sizeof(node_desc)); | 333 | hfs_bnode_read(next_node, &node_desc, 0, sizeof(node_desc)); |
| 322 | node_desc.prev = cpu_to_be32(next_node->prev); | 334 | node_desc.prev = cpu_to_be32(next_node->prev); |