diff options
author | Zheng Liu <wenqing.lz@taobao.com> | 2013-03-10 20:48:59 -0400 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2013-03-10 20:48:59 -0400 |
commit | bd384364c1185ecb01f3b8242c915ccb5921c60d (patch) | |
tree | d6badf52d7d389180b1557fdaac856f1952031ce /fs/ext4/extents_status.c | |
parent | 6ca470d7b5e7639b7925b3202e796282703b6d5d (diff) |
ext4: avoid a potential overflow in ext4_es_can_be_merged()
Check the length of an extent to avoid a potential overflow in
ext4_es_can_be_merged().
Signed-off-by: Zheng Liu <wenqing.lz@taobao.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: Dmitry Monakhov <dmonakhov@openvz.org>
Diffstat (limited to 'fs/ext4/extents_status.c')
-rw-r--r-- | fs/ext4/extents_status.c | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c index 95796a1b7522..37f9a2d8fd04 100644 --- a/fs/ext4/extents_status.c +++ b/fs/ext4/extents_status.c | |||
@@ -333,17 +333,27 @@ static void ext4_es_free_extent(struct inode *inode, struct extent_status *es) | |||
333 | static int ext4_es_can_be_merged(struct extent_status *es1, | 333 | static int ext4_es_can_be_merged(struct extent_status *es1, |
334 | struct extent_status *es2) | 334 | struct extent_status *es2) |
335 | { | 335 | { |
336 | if (es1->es_lblk + es1->es_len != es2->es_lblk) | 336 | if (ext4_es_status(es1) != ext4_es_status(es2)) |
337 | return 0; | 337 | return 0; |
338 | 338 | ||
339 | if (ext4_es_status(es1) != ext4_es_status(es2)) | 339 | if (((__u64) es1->es_len) + es2->es_len > 0xFFFFFFFFULL) |
340 | return 0; | 340 | return 0; |
341 | 341 | ||
342 | if ((ext4_es_is_written(es1) || ext4_es_is_unwritten(es1)) && | 342 | if (((__u64) es1->es_lblk) + es1->es_len != es2->es_lblk) |
343 | (ext4_es_pblock(es1) + es1->es_len != ext4_es_pblock(es2))) | ||
344 | return 0; | 343 | return 0; |
345 | 344 | ||
346 | return 1; | 345 | if ((ext4_es_is_written(es1) || ext4_es_is_unwritten(es1)) && |
346 | (ext4_es_pblock(es1) + es1->es_len == ext4_es_pblock(es2))) | ||
347 | return 1; | ||
348 | |||
349 | if (ext4_es_is_hole(es1)) | ||
350 | return 1; | ||
351 | |||
352 | /* we need to check delayed extent is without unwritten status */ | ||
353 | if (ext4_es_is_delayed(es1) && !ext4_es_is_unwritten(es1)) | ||
354 | return 1; | ||
355 | |||
356 | return 0; | ||
347 | } | 357 | } |
348 | 358 | ||
349 | static struct extent_status * | 359 | static struct extent_status * |