From: Greg Kroah-Hartman Date: Sun, 29 Apr 2018 10:25:24 +0000 (+0200) Subject: drop pending ext4 patch now that it is properly queued up. X-Git-Tag: v4.16.7~49 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=44cf1e29881a14e4734270eb76ea3ce95358af84;p=thirdparty%2Fkernel%2Fstable-queue.git drop pending ext4 patch now that it is properly queued up.
---
diff --git a/pending/queue-3.18/ext4-add-validity-checks-for-bitmap-block-numbers.patch b/pending/queue-3.18/ext4-add-validity-checks-for-bitmap-block-numbers.patch
deleted file mode 100644
index 2a0ae4a875a..00000000000
--- a/pending/queue-3.18/ext4-add-validity-checks-for-bitmap-block-numbers.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From 7dac4a1726a9c64a517d595c40e95e2d0d135f6f Mon Sep 17 00:00:00 2001
-From: Theodore Ts'o
-Date: Mon, 26 Mar 2018 23:54:10 -0400
-Subject: ext4: add validity checks for bitmap block numbers
-
-From: Theodore Ts'o
-
-commit 7dac4a1726a9c64a517d595c40e95e2d0d135f6f upstream.
-
-An privileged attacker can cause a crash by mounting a crafted ext4
-image which triggers a out-of-bounds read in the function
-ext4_valid_block_bitmap() in fs/ext4/balloc.c.
-
-This issue has been assigned CVE-2018-1093.
-
-Backport notes:
-3.18.y is missing commit 6a797d273783 ("ext4: call out CRC and corruption errors with specific error codes")
-so the EFSCORRUPTED label doesn't exist. Replaced
-all instances of EFSCORRUPTED with EUCLEAN since that's
-what 6a797d273783 defined it as.
-
-BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199181
-BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1560782
-Reported-by: Wen Xu
-Signed-off-by: Theodore Ts'o
-Cc: stable@vger.kernel.org
-[harsh@prjkt.io: s/EFSCORRUPTED/EUCLEAN/ fs/ext4/balloc.c]
-Signed-off-by: Harsh Shandilya
-Signed-off-by: Greg Kroah-Hartman
----
- fs/ext4/balloc.c | 16 ++++++++++++++--
- fs/ext4/ialloc.c | 8 +++++++-
- 2 files changed, 21 insertions(+), 3 deletions(-)
-
---- a/fs/ext4/balloc.c
-+++ b/fs/ext4/balloc.c
-@@ -340,20 +340,25 @@ static ext4_fsblk_t ext4_valid_block_bit
- /* check whether block bitmap block number is set */
- blk = ext4_block_bitmap(sb, desc);
- offset = blk - group_first_block;
-- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
-+ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
-+ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
- /* bad block bitmap */
- return blk;
-
- /* check whether the inode bitmap block number is set */
- blk = ext4_inode_bitmap(sb, desc);
- offset = blk - group_first_block;
-- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
-+ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
-+ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
- /* bad block bitmap */
- return blk;
-
- /* check whether the inode table block number is set */
- blk = ext4_inode_table(sb, desc);
- offset = blk - group_first_block;
-+ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
-+ EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize)
-+ return blk;
- next_zero_bit = ext4_find_next_zero_bit(bh->b_data,
- EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group),
- EXT4_B2C(sbi, offset));
-@@ -416,6 +421,7 @@ struct buffer_head *
- ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
- {
- struct ext4_group_desc *desc;
-+ struct ext4_sb_info *sbi = EXT4_SB(sb);
- struct buffer_head *bh;
- ext4_fsblk_t bitmap_blk;
-
-@@ -423,6 +429,12 @@ ext4_read_block_bitmap_nowait(struct sup
- if (!desc)
- return NULL;
- bitmap_blk = ext4_block_bitmap(sb, desc);
-+ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
-+ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
-+ ext4_error(sb, "Invalid block bitmap block %llu in "
-+ "block_group %u", bitmap_blk, block_group);
-+ return ERR_PTR(-EUCLEAN);
-+ }
- bh = sb_getblk(sb, bitmap_blk);
- if (unlikely(!bh)) {
- ext4_error(sb, "Cannot get buffer for block bitmap - "
---- a/fs/ext4/ialloc.c
-+++ b/fs/ext4/ialloc.c
-@@ -123,16 +123,22 @@ static struct buffer_head *
- ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
- {
- struct ext4_group_desc *desc;
-+ struct ext4_sb_info *sbi = EXT4_SB(sb);
- struct buffer_head *bh = NULL;
- ext4_fsblk_t bitmap_blk;
- struct ext4_group_info *grp;
-- struct ext4_sb_info *sbi = EXT4_SB(sb);
-
- desc = ext4_get_group_desc(sb, block_group, NULL);
- if (!desc)
- return NULL;
-
- bitmap_blk = ext4_inode_bitmap(sb, desc);
-+ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
-+ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
-+ ext4_error(sb, "Invalid inode bitmap blk %llu in "
-+ "block_group %u", bitmap_blk, block_group);
-+ return ERR_PTR(-EUCLEAN);
-+ }
- bh = sb_getblk(sb, bitmap_blk);
- if (unlikely(!bh)) {
- ext4_error(sb, "Cannot read inode bitmap - "
diff --git a/pending/queue-4.14/ext4-add-validity-checks-for-bitmap-block-numbers.patch b/pending/queue-4.14/ext4-add-validity-checks-for-bitmap-block-numbers.patch
deleted file mode 100644
index f4cd44b8b9a..00000000000
--- a/pending/queue-4.14/ext4-add-validity-checks-for-bitmap-block-numbers.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 7dac4a1726a9c64a517d595c40e95e2d0d135f6f Mon Sep 17 00:00:00 2001
-From: Theodore Ts'o
-Date: Mon, 26 Mar 2018 23:54:10 -0400
-Subject: ext4: add validity checks for bitmap block numbers
-
-From: Theodore Ts'o
-
-commit 7dac4a1726a9c64a517d595c40e95e2d0d135f6f upstream.
-
-An privileged attacker can cause a crash by mounting a crafted ext4
-image which triggers a out-of-bounds read in the function
-ext4_valid_block_bitmap() in fs/ext4/balloc.c.
-
-This issue has been assigned CVE-2018-1093.
-
-BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199181
-BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1560782
-Reported-by: Wen Xu
-Signed-off-by: Theodore Ts'o
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman
-
----
- fs/ext4/balloc.c | 16 ++++++++++++++--
- fs/ext4/ialloc.c | 7 +++++++
- 2 files changed, 21 insertions(+), 2 deletions(-)
-
---- a/fs/ext4/balloc.c
-+++ b/fs/ext4/balloc.c
-@@ -338,20 +338,25 @@ static ext4_fsblk_t ext4_valid_block_bit
- /* check whether block bitmap block number is set */
- blk = ext4_block_bitmap(sb, desc);
- offset = blk - group_first_block;
-- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
-+ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
-+ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
- /* bad block bitmap */
- return blk;
-
- /* check whether the inode bitmap block number is set */
- blk = ext4_inode_bitmap(sb, desc);
- offset = blk - group_first_block;
-- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
-+ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
-+ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
- /* bad block bitmap */
- return blk;
-
- /* check whether the inode table block number is set */
- blk = ext4_inode_table(sb, desc);
- offset = blk - group_first_block;
-+ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
-+ EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize)
-+ return blk;
- next_zero_bit = ext4_find_next_zero_bit(bh->b_data,
- EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group),
- EXT4_B2C(sbi, offset));
-@@ -417,6 +422,7 @@ struct buffer_head *
- ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
- {
- struct ext4_group_desc *desc;
-+ struct ext4_sb_info *sbi = EXT4_SB(sb);
- struct buffer_head *bh;
- ext4_fsblk_t bitmap_blk;
- int err;
-@@ -425,6 +431,12 @@ ext4_read_block_bitmap_nowait(struct sup
- if (!desc)
- return ERR_PTR(-EFSCORRUPTED);
- bitmap_blk = ext4_block_bitmap(sb, desc);
-+ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
-+ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
-+ ext4_error(sb, "Invalid block bitmap block %llu in "
-+ "block_group %u", bitmap_blk, block_group);
-+ return ERR_PTR(-EFSCORRUPTED);
-+ }
- bh = sb_getblk(sb, bitmap_blk);
- if (unlikely(!bh)) {
- ext4_error(sb, "Cannot get buffer for block bitmap - "
---- a/fs/ext4/ialloc.c
-+++ b/fs/ext4/ialloc.c
-@@ -122,6 +122,7 @@ static struct buffer_head *
- ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
- {
- struct ext4_group_desc *desc;
-+ struct ext4_sb_info *sbi = EXT4_SB(sb);
- struct buffer_head *bh = NULL;
- ext4_fsblk_t bitmap_blk;
- int err;
-@@ -131,6 +132,12 @@ ext4_read_inode_bitmap(struct super_bloc
- return ERR_PTR(-EFSCORRUPTED);
-
- bitmap_blk = ext4_inode_bitmap(sb, desc);
-+ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
-+ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
-+ ext4_error(sb, "Invalid inode bitmap blk %llu in "
-+ "block_group %u", bitmap_blk, block_group);
-+ return ERR_PTR(-EFSCORRUPTED);
-+ }
- bh = sb_getblk(sb, bitmap_blk);
- if (unlikely(!bh)) {
- ext4_error(sb, "Cannot read inode bitmap - "
diff --git a/pending/queue-4.16/ext4-add-validity-checks-for-bitmap-block-numbers.patch b/pending/queue-4.16/ext4-add-validity-checks-for-bitmap-block-numbers.patch
deleted file mode 100644
index 1ff5a43651b..00000000000
--- a/pending/queue-4.16/ext4-add-validity-checks-for-bitmap-block-numbers.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 7dac4a1726a9c64a517d595c40e95e2d0d135f6f Mon Sep 17 00:00:00 2001
-From: Theodore Ts'o
-Date: Mon, 26 Mar 2018 23:54:10 -0400
-Subject: ext4: add validity checks for bitmap block numbers
-
-From: Theodore Ts'o
-
-commit 7dac4a1726a9c64a517d595c40e95e2d0d135f6f upstream.
-
-An privileged attacker can cause a crash by mounting a crafted ext4
-image which triggers a out-of-bounds read in the function
-ext4_valid_block_bitmap() in fs/ext4/balloc.c.
-
-This issue has been assigned CVE-2018-1093.
-
-BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199181
-BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1560782
-Reported-by: Wen Xu
-Signed-off-by: Theodore Ts'o
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman
-
----
- fs/ext4/balloc.c | 16 ++++++++++++++--
- fs/ext4/ialloc.c | 7 +++++++
- 2 files changed, 21 insertions(+), 2 deletions(-)
-
---- a/fs/ext4/balloc.c
-+++ b/fs/ext4/balloc.c
-@@ -338,20 +338,25 @@ static ext4_fsblk_t ext4_valid_block_bit
- /* check whether block bitmap block number is set */
- blk = ext4_block_bitmap(sb, desc);
- offset = blk - group_first_block;
-- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
-+ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
-+ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
- /* bad block bitmap */
- return blk;
-
- /* check whether the inode bitmap block number is set */
- blk = ext4_inode_bitmap(sb, desc);
- offset = blk - group_first_block;
-- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
-+ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
-+ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
- /* bad block bitmap */
- return blk;
-
- /* check whether the inode table block number is set */
- blk = ext4_inode_table(sb, desc);
- offset = blk - group_first_block;
-+ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
-+ EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize)
-+ return blk;
- next_zero_bit = ext4_find_next_zero_bit(bh->b_data,
- EXT4_B2C(sbi, offset + sbi->s_itb_per_group),
- EXT4_B2C(sbi, offset));
-@@ -417,6 +422,7 @@ struct buffer_head *
- ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
- {
- struct ext4_group_desc *desc;
-+ struct ext4_sb_info *sbi = EXT4_SB(sb);
- struct buffer_head *bh;
- ext4_fsblk_t bitmap_blk;
- int err;
-@@ -425,6 +431,12 @@ ext4_read_block_bitmap_nowait(struct sup
- if (!desc)
- return ERR_PTR(-EFSCORRUPTED);
- bitmap_blk = ext4_block_bitmap(sb, desc);
-+ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
-+ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
-+ ext4_error(sb, "Invalid block bitmap block %llu in "
-+ "block_group %u", bitmap_blk, block_group);
-+ return ERR_PTR(-EFSCORRUPTED);
-+ }
- bh = sb_getblk(sb, bitmap_blk);
- if (unlikely(!bh)) {
- ext4_error(sb, "Cannot get buffer for block bitmap - "
---- a/fs/ext4/ialloc.c
-+++ b/fs/ext4/ialloc.c
-@@ -122,6 +122,7 @@ static struct buffer_head *
- ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
- {
- struct ext4_group_desc *desc;
-+ struct ext4_sb_info *sbi = EXT4_SB(sb);
- struct buffer_head *bh = NULL;
- ext4_fsblk_t bitmap_blk;
- int err;
-@@ -131,6 +132,12 @@ ext4_read_inode_bitmap(struct super_bloc
- return ERR_PTR(-EFSCORRUPTED);
-
- bitmap_blk = ext4_inode_bitmap(sb, desc);
-+ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
-+ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
-+ ext4_error(sb, "Invalid inode bitmap blk %llu in "
-+ "block_group %u", bitmap_blk, block_group);
-+ return ERR_PTR(-EFSCORRUPTED);
-+ }
- bh = sb_getblk(sb, bitmap_blk);
- if (unlikely(!bh)) {
- ext4_error(sb, "Cannot read inode bitmap - "
diff --git a/pending/queue-4.4/ext4-add-validity-checks-for-bitmap-block-numbers.patch b/pending/queue-4.4/ext4-add-validity-checks-for-bitmap-block-numbers.patch
deleted file mode 100644
index eea464cec02..00000000000
--- a/pending/queue-4.4/ext4-add-validity-checks-for-bitmap-block-numbers.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 7dac4a1726a9c64a517d595c40e95e2d0d135f6f Mon Sep 17 00:00:00 2001
-From: Theodore Ts'o
-Date: Mon, 26 Mar 2018 23:54:10 -0400
-Subject: ext4: add validity checks for bitmap block numbers
-
-From: Theodore Ts'o
-
-commit 7dac4a1726a9c64a517d595c40e95e2d0d135f6f upstream.
-
-An privileged attacker can cause a crash by mounting a crafted ext4
-image which triggers a out-of-bounds read in the function
-ext4_valid_block_bitmap() in fs/ext4/balloc.c.
-
-This issue has been assigned CVE-2018-1093.
-
-BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199181
-BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1560782
-Reported-by: Wen Xu
-Signed-off-by: Theodore Ts'o
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman
-
----
- fs/ext4/balloc.c | 16 ++++++++++++++--
- fs/ext4/ialloc.c | 7 +++++++
- 2 files changed, 21 insertions(+), 2 deletions(-)
-
---- a/fs/ext4/balloc.c
-+++ b/fs/ext4/balloc.c
-@@ -337,20 +337,25 @@ static ext4_fsblk_t ext4_valid_block_bit
- /* check whether block bitmap block number is set */
- blk = ext4_block_bitmap(sb, desc);
- offset = blk - group_first_block;
-- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
-+ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
-+ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
- /* bad block bitmap */
- return blk;
-
- /* check whether the inode bitmap block number is set */
- blk = ext4_inode_bitmap(sb, desc);
- offset = blk - group_first_block;
-- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
-+ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
-+ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
- /* bad block bitmap */
- return blk;
-
- /* check whether the inode table block number is set */
- blk = ext4_inode_table(sb, desc);
- offset = blk - group_first_block;
-+ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
-+ EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize)
-+ return blk;
- next_zero_bit = ext4_find_next_zero_bit(bh->b_data,
- EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group),
- EXT4_B2C(sbi, offset));
-@@ -416,6 +421,7 @@ struct buffer_head *
- ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
- {
- struct ext4_group_desc *desc;
-+ struct ext4_sb_info *sbi = EXT4_SB(sb);
- struct buffer_head *bh;
- ext4_fsblk_t bitmap_blk;
- int err;
-@@ -424,6 +430,12 @@ ext4_read_block_bitmap_nowait(struct sup
- if (!desc)
- return ERR_PTR(-EFSCORRUPTED);
- bitmap_blk = ext4_block_bitmap(sb, desc);
-+ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
-+ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
-+ ext4_error(sb, "Invalid block bitmap block %llu in "
-+ "block_group %u", bitmap_blk, block_group);
-+ return ERR_PTR(-EFSCORRUPTED);
-+ }
- bh = sb_getblk(sb, bitmap_blk);
- if (unlikely(!bh)) {
- ext4_error(sb, "Cannot get buffer for block bitmap - "
---- a/fs/ext4/ialloc.c
-+++ b/fs/ext4/ialloc.c
-@@ -119,6 +119,7 @@ static struct buffer_head *
- ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
- {
- struct ext4_group_desc *desc;
-+ struct ext4_sb_info *sbi = EXT4_SB(sb);
- struct buffer_head *bh = NULL;
- ext4_fsblk_t bitmap_blk;
- int err;
-@@ -128,6 +129,12 @@ ext4_read_inode_bitmap(struct super_bloc
- return ERR_PTR(-EFSCORRUPTED);
-
- bitmap_blk = ext4_inode_bitmap(sb, desc);
-+ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
-+ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
-+ ext4_error(sb, "Invalid inode bitmap blk %llu in "
-+ "block_group %u", bitmap_blk, block_group);
-+ return ERR_PTR(-EFSCORRUPTED);
-+ }
- bh = sb_getblk(sb, bitmap_blk);
- if (unlikely(!bh)) {
- ext4_error(sb, "Cannot read inode bitmap - "
diff --git a/pending/queue-4.9/ext4-add-validity-checks-for-bitmap-block-numbers.patch b/pending/queue-4.9/ext4-add-validity-checks-for-bitmap-block-numbers.patch
deleted file mode 100644
index eea464cec02..00000000000
--- a/pending/queue-4.9/ext4-add-validity-checks-for-bitmap-block-numbers.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 7dac4a1726a9c64a517d595c40e95e2d0d135f6f Mon Sep 17 00:00:00 2001
-From: Theodore Ts'o
-Date: Mon, 26 Mar 2018 23:54:10 -0400
-Subject: ext4: add validity checks for bitmap block numbers
-
-From: Theodore Ts'o
-
-commit 7dac4a1726a9c64a517d595c40e95e2d0d135f6f upstream.
-
-An privileged attacker can cause a crash by mounting a crafted ext4
-image which triggers a out-of-bounds read in the function
-ext4_valid_block_bitmap() in fs/ext4/balloc.c.
-
-This issue has been assigned CVE-2018-1093.
-
-BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199181
-BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1560782
-Reported-by: Wen Xu
-Signed-off-by: Theodore Ts'o
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman
-
----
- fs/ext4/balloc.c | 16 ++++++++++++++--
- fs/ext4/ialloc.c | 7 +++++++
- 2 files changed, 21 insertions(+), 2 deletions(-)
-
---- a/fs/ext4/balloc.c
-+++ b/fs/ext4/balloc.c
-@@ -337,20 +337,25 @@ static ext4_fsblk_t ext4_valid_block_bit
- /* check whether block bitmap block number is set */
- blk = ext4_block_bitmap(sb, desc);
- offset = blk - group_first_block;
-- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
-+ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
-+ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
- /* bad block bitmap */
- return blk;
-
- /* check whether the inode bitmap block number is set */
- blk = ext4_inode_bitmap(sb, desc);
- offset = blk - group_first_block;
-- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
-+ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
-+ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
- /* bad block bitmap */
- return blk;
-
- /* check whether the inode table block number is set */
- blk = ext4_inode_table(sb, desc);
- offset = blk - group_first_block;
-+ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
-+ EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize)
-+ return blk;
- next_zero_bit = ext4_find_next_zero_bit(bh->b_data,
- EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group),
- EXT4_B2C(sbi, offset));
-@@ -416,6 +421,7 @@ struct buffer_head *
- ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
- {
- struct ext4_group_desc *desc;
-+ struct ext4_sb_info *sbi = EXT4_SB(sb);
- struct buffer_head *bh;
- ext4_fsblk_t bitmap_blk;
- int err;
-@@ -424,6 +430,12 @@ ext4_read_block_bitmap_nowait(struct sup
- if (!desc)
- return ERR_PTR(-EFSCORRUPTED);
- bitmap_blk = ext4_block_bitmap(sb, desc);
-+ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
-+ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
-+ ext4_error(sb, "Invalid block bitmap block %llu in "
-+ "block_group %u", bitmap_blk, block_group);
-+ return ERR_PTR(-EFSCORRUPTED);
-+ }
- bh = sb_getblk(sb, bitmap_blk);
- if (unlikely(!bh)) {
- ext4_error(sb, "Cannot get buffer for block bitmap - "
---- a/fs/ext4/ialloc.c
-+++ b/fs/ext4/ialloc.c
-@@ -119,6 +119,7 @@ static struct buffer_head *
- ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
- {
- struct ext4_group_desc *desc;
-+ struct ext4_sb_info *sbi = EXT4_SB(sb);
- struct buffer_head *bh = NULL;
- ext4_fsblk_t bitmap_blk;
- int err;
-@@ -128,6 +129,12 @@ ext4_read_inode_bitmap(struct super_bloc
- return ERR_PTR(-EFSCORRUPTED);
-
- bitmap_blk = ext4_inode_bitmap(sb, desc);
-+ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
-+ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
-+ ext4_error(sb, "Invalid inode bitmap blk %llu in "
-+ "block_group %u", bitmap_blk, block_group);
-+ return ERR_PTR(-EFSCORRUPTED);
-+ }
- bh = sb_getblk(sb, bitmap_blk);
- if (unlikely(!bh)) {
- ext4_error(sb, "Cannot read inode bitmap - "