Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs

Pull UDF fixes from Jan Kara: "Make UDF more robust in presence of corrupted filesystem" * 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs: udf: Fortify loading of sparing table udf: Avoid run away loop when partition table length is corrupted udf: Use 'ret' instead of abusing 'i' in udf_load_logicalvol()
author: Linus Torvalds <torvalds@linux-foundation.org> 2012-06-28 14:43:45 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2012-06-28 14:43:45 -0400
commit: 221d3ebf3ad2c69704e21495e9a936c78d797732 (patch)
tree: 49df5243c7fbf2705b5118ae3aae0ed755eee8da /fs
parent: 9a7c6b73c40e916861eb852dc5855ffb3d58a3cd (diff)
parent: 1df2ae31c724e57be9d7ac00d78db8a5dabdd050 (diff)
1 files changed, 64 insertions, 38 deletions
diff --git a/fs/udf/super.c b/fs/udf/super.c
index ac8a348dcb69..8d86a8706c0e 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -56,6 +56,7 @@
 #include <linux/seq_file.h>
 #include <linux/bitmap.h>
 #include <linux/crc-itu-t.h>
+#include <linux/log2.h>
 #include <asm/byteorder.h>
 #include "udf_sb.h"
@@ -1215,16 +1216,65 @@ out_bh:
        return ret;
 }
+static int udf_load_sparable_map(struct super_block *sb,
+                                 struct udf_part_map *map,
+                                 struct sparablePartitionMap *spm)
+{
+        uint32_t loc;
+        uint16_t ident;
+        struct sparingTable *st;
+        struct udf_sparing_data *sdata = &map->s_type_specific.s_sparing;
+        int i;
+        struct buffer_head *bh;
+        map->s_partition_type = UDF_SPARABLE_MAP15;
+        sdata->s_packet_len = le16_to_cpu(spm->packetLength);
+        if (!is_power_of_2(sdata->s_packet_len)) {
+                udf_err(sb, "error loading logical volume descriptor: "
+                        "Invalid packet length %u\n",
+                        (unsigned)sdata->s_packet_len);
+                return -EIO;
+        }
+        if (spm->numSparingTables > 4) {
+                udf_err(sb, "error loading logical volume descriptor: "
+                        "Too many sparing tables (%d)\n",
+                        (int)spm->numSparingTables);
+                return -EIO;
+        }
+        for (i = 0; i < spm->numSparingTables; i++) {
+                loc = le32_to_cpu(spm->locSparingTable[i]);
+                bh = udf_read_tagged(sb, loc, loc, &ident);
+                if (!bh)
+                        continue;
+                st = (struct sparingTable *)bh->b_data;
+                if (ident != 0 ||
+                    strncmp(st->sparingIdent.ident, UDF_ID_SPARING,
+                            strlen(UDF_ID_SPARING)) ||
+                    sizeof(*st) + le16_to_cpu(st->reallocationTableLen) >
+                                                        sb->s_blocksize) {
+                        brelse(bh);
+                        continue;
+                }
+                sdata->s_spar_map[i] = bh;
+        }
+        map->s_partition_func = udf_get_pblock_spar15;
+        return 0;
+}
 static int udf_load_logicalvol(struct super_block *sb, sector_t block,
                               struct kernel_lb_addr *fileset)
 {
        struct logicalVolDesc *lvd;
-        int i, j, offset;
+        int i, offset;
        uint8_t type;
        struct udf_sb_info *sbi = UDF_SB(sb);
        struct genericPartitionMap *gpm;
        uint16_t ident;
        struct buffer_head *bh;
+        unsigned int table_len;
        int ret = 0;
        bh = udf_read_tagged(sb, block, block, &ident);
@@ -1232,15 +1282,20 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
                return 1;
        BUG_ON(ident != TAG_IDENT_LVD);
        lvd = (struct logicalVolDesc *)bh->b_data;
+        table_len = le32_to_cpu(lvd->mapTableLength);
-        i = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
+        if (sizeof(*lvd) + table_len > sb->s_blocksize) {
-        if (i != 0) {
+                udf_err(sb, "error loading logical volume descriptor: "
-                ret = i;
+                        "Partition table too long (%u > %lu)\n", table_len,
+                        sb->s_blocksize - sizeof(*lvd));
                goto out_bh;
        }
+        ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
+        if (ret)
+                goto out_bh;
        for (i = 0, offset = 0;
-             i < sbi->s_partitions && offset < le32_to_cpu(lvd->mapTableLength);
+             i < sbi->s_partitions && offset < table_len;
             i++, offset += gpm->partitionMapLength) {
                struct udf_part_map *map = &sbi->s_partmaps[i];
                gpm = (struct genericPartitionMap *)
@@ -1275,38 +1330,9 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
                        } else if (!strncmp(upm2->partIdent.ident,
                                                UDF_ID_SPARABLE,
                                                strlen(UDF_ID_SPARABLE))) {
-                                uint32_t loc;
+                                if (udf_load_sparable_map(sb, map,
-                                struct sparingTable *st;
+                                    (struct sparablePartitionMap *)gpm) < 0)
-                                struct sparablePartitionMap *spm =
+                                        goto out_bh;
-                                        (struct sparablePartitionMap *)gpm;
-                                map->s_partition_type = UDF_SPARABLE_MAP15;
-                                map->s_type_specific.s_sparing.s_packet_len =
-                                                le16_to_cpu(spm->packetLength);
-                                for (j = 0; j < spm->numSparingTables; j++) {
-                                        struct buffer_head *bh2;
-                                        loc = le32_to_cpu(
-                                                spm->locSparingTable[j]);
-                                        bh2 = udf_read_tagged(sb, loc, loc,
-                                                             &ident);
-                                        map->s_type_specific.s_sparing.
-                                                        s_spar_map[j] = bh2;
-                                        if (bh2 == NULL)
-                                                continue;
-                                        st = (struct sparingTable *)bh2->b_data;
-                                        if (ident != 0 || strncmp(
-                                                st->sparingIdent.ident,
-                                                UDF_ID_SPARING,
-                                                strlen(UDF_ID_SPARING))) {
-                                                brelse(bh2);
-                                                map->s_type_specific.s_sparing.
-                                                        s_spar_map[j] = NULL;
-                                        }
-                                }
-                                map->s_partition_func = udf_get_pblock_spar15;
                        } else if (!strncmp(upm2->partIdent.ident,
                                                UDF_ID_METADATA,
                                                strlen(UDF_ID_METADATA))) {
author	Linus Torvalds <torvalds@linux-foundation.org>	2012-06-28 14:43:45 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2012-06-28 14:43:45 -0400
commit	221d3ebf3ad2c69704e21495e9a936c78d797732 (patch)
tree	49df5243c7fbf2705b5118ae3aae0ed755eee8da /fs
parent	9a7c6b73c40e916861eb852dc5855ffb3d58a3cd (diff)
parent	1df2ae31c724e57be9d7ac00d78db8a5dabdd050 (diff)

diff --git a/fs/udf/super.c b/fs/udf/super.c index ac8a348dcb69..8d86a8706c0e 100644 --- a/fs/udf/super.c +++ b/fs/udf/super.c
@@ -56,6 +56,7 @@
56	#include <linux/seq_file.h>	56	#include <linux/seq_file.h>
57	#include <linux/bitmap.h>	57	#include <linux/bitmap.h>
58	#include <linux/crc-itu-t.h>	58	#include <linux/crc-itu-t.h>
		59	#include <linux/log2.h>
59	#include <asm/byteorder.h>	60	#include <asm/byteorder.h>
60		61
61	#include "udf_sb.h"	62	#include "udf_sb.h"
@@ -1215,16 +1216,65 @@ out_bh:
1215	return ret;	1216	return ret;
1216	}	1217	}
1217		1218
		1219	static int udf_load_sparable_map(struct super_block *sb,
		1220	struct udf_part_map *map,
		1221	struct sparablePartitionMap *spm)
		1222	{
		1223	uint32_t loc;
		1224	uint16_t ident;
		1225	struct sparingTable *st;
		1226	struct udf_sparing_data *sdata = &map->s_type_specific.s_sparing;
		1227	int i;
		1228	struct buffer_head *bh;
		1229
		1230	map->s_partition_type = UDF_SPARABLE_MAP15;
		1231	sdata->s_packet_len = le16_to_cpu(spm->packetLength);
		1232	if (!is_power_of_2(sdata->s_packet_len)) {
		1233	udf_err(sb, "error loading logical volume descriptor: "
		1234	"Invalid packet length %u\n",
		1235	(unsigned)sdata->s_packet_len);
		1236	return -EIO;
		1237	}
		1238	if (spm->numSparingTables > 4) {
		1239	udf_err(sb, "error loading logical volume descriptor: "
		1240	"Too many sparing tables (%d)\n",
		1241	(int)spm->numSparingTables);
		1242	return -EIO;
		1243	}
		1244
		1245	for (i = 0; i < spm->numSparingTables; i++) {
		1246	loc = le32_to_cpu(spm->locSparingTable[i]);
		1247	bh = udf_read_tagged(sb, loc, loc, &ident);
		1248	if (!bh)
		1249	continue;
		1250
		1251	st = (struct sparingTable *)bh->b_data;
		1252	if (ident != 0 \|\|
		1253	strncmp(st->sparingIdent.ident, UDF_ID_SPARING,
		1254	strlen(UDF_ID_SPARING)) \|\|
		1255	sizeof(*st) + le16_to_cpu(st->reallocationTableLen) >
		1256	sb->s_blocksize) {
		1257	brelse(bh);
		1258	continue;
		1259	}
		1260
		1261	sdata->s_spar_map[i] = bh;
		1262	}
		1263	map->s_partition_func = udf_get_pblock_spar15;
		1264	return 0;
		1265	}
		1266
1218	static int udf_load_logicalvol(struct super_block *sb, sector_t block,	1267	static int udf_load_logicalvol(struct super_block *sb, sector_t block,
1219	struct kernel_lb_addr *fileset)	1268	struct kernel_lb_addr *fileset)
1220	{	1269	{
1221	struct logicalVolDesc *lvd;	1270	struct logicalVolDesc *lvd;
1222	int i, j, offset;	1271	int i, offset;
1223	uint8_t type;	1272	uint8_t type;
1224	struct udf_sb_info *sbi = UDF_SB(sb);	1273	struct udf_sb_info *sbi = UDF_SB(sb);
1225	struct genericPartitionMap *gpm;	1274	struct genericPartitionMap *gpm;
1226	uint16_t ident;	1275	uint16_t ident;
1227	struct buffer_head *bh;	1276	struct buffer_head *bh;
		1277	unsigned int table_len;
1228	int ret = 0;	1278	int ret = 0;
1229		1279
1230	bh = udf_read_tagged(sb, block, block, &ident);	1280	bh = udf_read_tagged(sb, block, block, &ident);
@@ -1232,15 +1282,20 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
1232	return 1;	1282	return 1;
1233	BUG_ON(ident != TAG_IDENT_LVD);	1283	BUG_ON(ident != TAG_IDENT_LVD);
1234	lvd = (struct logicalVolDesc *)bh->b_data;	1284	lvd = (struct logicalVolDesc *)bh->b_data;
1235		1285	table_len = le32_to_cpu(lvd->mapTableLength);
1236	i = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));	1286	if (sizeof(*lvd) + table_len > sb->s_blocksize) {
1237	if (i != 0) {	1287	udf_err(sb, "error loading logical volume descriptor: "
1238	ret = i;	1288	"Partition table too long (%u > %lu)\n", table_len,
		1289	sb->s_blocksize - sizeof(*lvd));
1239	goto out_bh;	1290	goto out_bh;
1240	}	1291	}
1241		1292
		1293	ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
		1294	if (ret)
		1295	goto out_bh;
		1296
1242	for (i = 0, offset = 0;	1297	for (i = 0, offset = 0;
1243	i < sbi->s_partitions && offset < le32_to_cpu(lvd->mapTableLength);	1298	i < sbi->s_partitions && offset < table_len;
1244	i++, offset += gpm->partitionMapLength) {	1299	i++, offset += gpm->partitionMapLength) {
1245	struct udf_part_map *map = &sbi->s_partmaps[i];	1300	struct udf_part_map *map = &sbi->s_partmaps[i];
1246	gpm = (struct genericPartitionMap *)	1301	gpm = (struct genericPartitionMap *)
@@ -1275,38 +1330,9 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
1275	} else if (!strncmp(upm2->partIdent.ident,	1330	} else if (!strncmp(upm2->partIdent.ident,
1276	UDF_ID_SPARABLE,	1331	UDF_ID_SPARABLE,
1277	strlen(UDF_ID_SPARABLE))) {	1332	strlen(UDF_ID_SPARABLE))) {
1278	uint32_t loc;	1333	if (udf_load_sparable_map(sb, map,
1279	struct sparingTable *st;	1334	(struct sparablePartitionMap *)gpm) < 0)
1280	struct sparablePartitionMap *spm =	1335	goto out_bh;
1281	(struct sparablePartitionMap *)gpm;
1282
1283	map->s_partition_type = UDF_SPARABLE_MAP15;
1284	map->s_type_specific.s_sparing.s_packet_len =
1285	le16_to_cpu(spm->packetLength);
1286	for (j = 0; j < spm->numSparingTables; j++) {
1287	struct buffer_head *bh2;
1288
1289	loc = le32_to_cpu(
1290	spm->locSparingTable[j]);
1291	bh2 = udf_read_tagged(sb, loc, loc,
1292	&ident);
1293	map->s_type_specific.s_sparing.
1294	s_spar_map[j] = bh2;
1295
1296	if (bh2 == NULL)
1297	continue;
1298
1299	st = (struct sparingTable *)bh2->b_data;
1300	if (ident != 0 \|\| strncmp(
1301	st->sparingIdent.ident,
1302	UDF_ID_SPARING,
1303	strlen(UDF_ID_SPARING))) {
1304	brelse(bh2);
1305	map->s_type_specific.s_sparing.
1306	s_spar_map[j] = NULL;
1307	}
1308	}
1309	map->s_partition_func = udf_get_pblock_spar15;
1310	} else if (!strncmp(upm2->partIdent.ident,	1336	} else if (!strncmp(upm2->partIdent.ident,
1311	UDF_ID_METADATA,	1337	UDF_ID_METADATA,
1312	strlen(UDF_ID_METADATA))) {	1338	strlen(UDF_ID_METADATA))) {