hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

freevxfs: refactor readdir and lookup code 

This change fixes also a buffer overflow which was caused by
accessing address space beyond mapped page

Signed-off-by: Krzysztof Błaszkowski <kb@sysmikro.com.pl>
Signed-off-by: Christoph Hellwig <hch@lst.de>
This commit is contained in:
Krzysztof Błaszkowski 2016-06-12 19:26:45 +02:00 committed by Christoph Hellwig
parent f2fe2fa1fb
commit 12495ea3ac
1 changed files with 103 additions and 120 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

223
fs/freevxfs/vxfs_lookup.c
View File

@ -62,35 +62,6 @@ const struct file_operations vxfs_dir_operations = {
.iterate_shared = vxfs_readdir, .iterate_shared = vxfs_readdir,
}; };
static inline u_long
dir_blocks(struct inode *ip)
{
u_long bsize = ip->i_sb->s_blocksize;
return (ip->i_size + bsize - 1) & ~(bsize - 1);
}
/*
* NOTE! unlike strncmp, vxfs_match returns 1 for success, 0 for failure.
*
* len <= VXFS_NAMELEN and de != NULL are guaranteed by caller.
*/
static inline int
vxfs_match(struct vxfs_sb_info *sbi, int len, const char *const name,
struct vxfs_direct *de)
{
if (len != fs16_to_cpu(sbi, de->d_namelen))
return 0;
if (!de->d_ino)
return 0;
return !memcmp(name, de->d_name, len);
}
static inline struct vxfs_direct *
vxfs_next_entry(struct vxfs_sb_info *sbi, struct vxfs_direct *de)
{
return ((struct vxfs_direct *)
((char *)de + fs16_to_cpu(sbi, de->d_reclen)));
}
/** /**
* vxfs_find_entry - find a mathing directory entry for a dentry * vxfs_find_entry - find a mathing directory entry for a dentry
@ -109,53 +80,64 @@ vxfs_next_entry(struct vxfs_sb_info *sbi, struct vxfs_direct *de)
static struct vxfs_direct * static struct vxfs_direct *
vxfs_find_entry(struct inode *ip, struct dentry *dp, struct page **ppp) vxfs_find_entry(struct inode *ip, struct dentry *dp, struct page **ppp)
{ {
struct vxfs_sb_info *sbi = VXFS_SBI(ip->i_sb); u_long bsize = ip->i_sb->s_blocksize;
u_long npages, page, nblocks, pblocks, block; const char *name = dp->d_name.name;
u_long bsize = ip->i_sb->s_blocksize; int namelen = dp->d_name.len;
const char *name = dp->d_name.name; loff_t limit = VXFS_DIRROUND(ip->i_size);
int namelen = dp->d_name.len; struct vxfs_direct *de_exit = NULL;
loff_t pos = 0;
struct vxfs_sb_info *sbi = VXFS_SBI(ip->i_sb);
npages = dir_pages(ip); while (pos < limit) {
nblocks = dir_blocks(ip); struct page *pp;
pblocks = VXFS_BLOCK_PER_PAGE(ip->i_sb); char *kaddr;
int pg_ofs = pos & ~PAGE_MASK;
for (page = 0; page < npages; page++) {
caddr_t kaddr;
struct page *pp;
pp = vxfs_get_page(ip->i_mapping, page); pp = vxfs_get_page(ip->i_mapping, pos >> PAGE_SHIFT);
if (IS_ERR(pp)) if (IS_ERR(pp))
continue; return NULL;
kaddr = (caddr_t)page_address(pp); kaddr = (char *)page_address(pp);
for (block = 0; block <= nblocks && block <= pblocks; block++) { while (pg_ofs < PAGE_SIZE && pos < limit) {
caddr_t baddr, limit; struct vxfs_direct *de;
struct vxfs_dirblk *dbp;
struct vxfs_direct *de;
baddr = kaddr + (block * bsize); if ((pos & (bsize - 1)) < 4) {
limit = baddr + bsize - VXFS_DIRLEN(1); struct vxfs_dirblk *dbp =
(struct vxfs_dirblk *)
dbp = (struct vxfs_dirblk *)baddr; (kaddr + (pos & ~PAGE_MASK));
de = (struct vxfs_direct *) int overhead = VXFS_DIRBLKOV(sbi, dbp);
(baddr + VXFS_DIRBLKOV(sbi, dbp));
for (; (caddr_t)de <= limit; pos += overhead;
de = vxfs_next_entry(sbi, de)) { pg_ofs += overhead;
if (!de->d_reclen) }
break; de = (struct vxfs_direct *)(kaddr + pg_ofs);
if (!de->d_ino)
continue; if (!de->d_reclen) {
if (vxfs_match(sbi, namelen, name, de)) { pos += bsize - 1;
*ppp = pp; pos &= ~(bsize - 1);
return (de); break;
} }
pg_ofs += fs16_to_cpu(sbi, de->d_reclen);
pos += fs16_to_cpu(sbi, de->d_reclen);
if (!de->d_ino)
continue;
if (namelen != fs16_to_cpu(sbi, de->d_namelen))
continue;
if (!memcmp(name, de->d_name, namelen)) {
*ppp = pp;
de_exit = de;
break;
} }
} }
vxfs_put_page(pp); if (!de_exit)
vxfs_put_page(pp);
else
break;
} }
return NULL; return de_exit;
} }
/** /**
@ -238,80 +220,81 @@ vxfs_readdir(struct file *fp, struct dir_context *ctx)
{ {
struct inode *ip = file_inode(fp); struct inode *ip = file_inode(fp);
struct super_block *sbp = ip->i_sb; struct super_block *sbp = ip->i_sb;
struct vxfs_sb_info *sbi = VXFS_SBI(sbp);
u_long bsize = sbp->s_blocksize; u_long bsize = sbp->s_blocksize;
u_long page, npages, block, pblocks, nblocks, offset; loff_t pos, limit;
loff_t pos; struct vxfs_sb_info *sbi = VXFS_SBI(sbp);
if (ctx->pos == 0) { if (ctx->pos == 0) {
if (!dir_emit_dot(fp, ctx)) if (!dir_emit_dot(fp, ctx))
return 0; goto out;
ctx->pos = 1; ctx->pos++;
} }
if (ctx->pos == 1) { if (ctx->pos == 1) {
if (!dir_emit(ctx, "..", 2, VXFS_INO(ip)->vii_dotdot, DT_DIR)) if (!dir_emit(ctx, "..", 2, VXFS_INO(ip)->vii_dotdot, DT_DIR))
return 0; goto out;
ctx->pos = 2; ctx->pos++;
} }
pos = ctx->pos - 2;
if (pos > VXFS_DIRROUND(ip->i_size))
return 0;
npages = dir_pages(ip); limit = VXFS_DIRROUND(ip->i_size);
nblocks = dir_blocks(ip); if (ctx->pos > limit)
pblocks = VXFS_BLOCK_PER_PAGE(sbp); goto out;
page = pos >> PAGE_SHIFT; pos = ctx->pos & ~3L;
offset = pos & ~PAGE_MASK;
block = (u_long)(pos >> sbp->s_blocksize_bits) % pblocks;
for (; page < npages; page++, block = 0) { while (pos < limit) {
char *kaddr; struct page *pp;
struct page *pp; char *kaddr;
int pg_ofs = pos & ~PAGE_MASK;
int rc = 0;
pp = vxfs_get_page(ip->i_mapping, page); pp = vxfs_get_page(ip->i_mapping, pos >> PAGE_SHIFT);
if (IS_ERR(pp)) if (IS_ERR(pp))
continue; return -ENOMEM;
kaddr = (char *)page_address(pp); kaddr = (char *)page_address(pp);
for (; block <= nblocks && block <= pblocks; block++) { while (pg_ofs < PAGE_SIZE && pos < limit) {
char *baddr, *limit; struct vxfs_direct *de;
struct vxfs_dirblk *dbp;
struct vxfs_direct *de;
baddr = kaddr + (block * bsize); if ((pos & (bsize - 1)) < 4) {
limit = baddr + bsize - VXFS_DIRLEN(1); struct vxfs_dirblk *dbp =
(struct vxfs_dirblk *)
dbp = (struct vxfs_dirblk *)baddr; (kaddr + (pos & ~PAGE_MASK));
de = (struct vxfs_direct *) int overhead = VXFS_DIRBLKOV(sbi, dbp);
(offset ?
(kaddr + offset) :
(baddr + VXFS_DIRBLKOV(sbi, dbp)));
for (; (char *)de <= limit; pos += overhead;
de = vxfs_next_entry(sbi, de)) { pg_ofs += overhead;
if (!de->d_reclen) }
break; de = (struct vxfs_direct *)(kaddr + pg_ofs);
if (!de->d_ino)
continue; if (!de->d_reclen) {
pos += bsize - 1;
offset = (char *)de - kaddr; pos &= ~(bsize - 1);
ctx->pos = ((page << PAGE_SHIFT) | offset) + 2; break;
if (!dir_emit(ctx, de->d_name, }
fs16_to_cpu(sbi, de->d_namelen),
fs32_to_cpu(sbi, de->d_ino), pg_ofs += fs16_to_cpu(sbi, de->d_reclen);
DT_UNKNOWN)) { pos += fs16_to_cpu(sbi, de->d_reclen);
vxfs_put_page(pp); if (!de->d_ino)
return 0; continue;
}
rc = dir_emit(ctx, de->d_name,
fs16_to_cpu(sbi, de->d_namelen),
fs32_to_cpu(sbi, de->d_ino),
DT_UNKNOWN);
if (!rc) {
/* the dir entry was not read, fix pos. */
pos -= fs16_to_cpu(sbi, de->d_reclen);
break;
} }
offset = 0;
} }
vxfs_put_page(pp); vxfs_put_page(pp);
offset = 0; if (!rc)
break;
} }
ctx->pos = ((page << PAGE_SHIFT) | offset) + 2;
ctx->pos = pos | 2;
out:
return 0; return 0;
} }