From 8a3f152be8e9428a6c5710da27acfdad87e32e40 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 11 May 2018 15:24:58 +0200
Subject: [PATCH] 4.9-stable patches
added patches:
f2fs-fix-a-dead-loop-in-f2fs_fiemap.patch
---
 .../f2fs-fix-a-dead-loop-in-f2fs_fiemap.patch | 52 +++++++++++++++++++
 queue-4.9/series | 1 +
 2 files changed, 53 insertions(+)
 create mode 100644 queue-4.9/f2fs-fix-a-dead-loop-in-f2fs_fiemap.patch
diff --git a/queue-4.9/f2fs-fix-a-dead-loop-in-f2fs_fiemap.patch b/queue-4.9/f2fs-fix-a-dead-loop-in-f2fs_fiemap.patch
new file mode 100644
index 00000000000..db13b452c40
--- /dev/null
+++ b/queue-4.9/f2fs-fix-a-dead-loop-in-f2fs_fiemap.patch
@@ -0,0 +1,52 @@
+From b86e33075ed1909d8002745b56ecf73b833db143 Mon Sep 17 00:00:00 2001
+From: Wei Fang
+Date: Sun, 22 Jan 2017 12:21:02 +0800
+Subject: f2fs: fix a dead loop in f2fs_fiemap()
+
+From: Wei Fang
+
+commit b86e33075ed1909d8002745b56ecf73b833db143 upstream.
+
+A dead loop can be triggered in f2fs_fiemap() using the test case
+as below:
+
+ ...
+ fd = open();
+ fallocate(fd, 0, 0, 4294967296);
+ ioctl(fd, FS_IOC_FIEMAP, fiemap_buf);
+ ...
+
+It's caused by an overflow in __get_data_block():
+ ...
+ bh->b_size = map.m_len << inode->i_blkbits;
+ ...
+map.m_len is an unsigned int, and bh->b_size is a size_t which is 64 bits
+on 64 bits archtecture, type conversion from an unsigned int to a size_t
+will result in an overflow.
+
+In the above-mentioned case, bh->b_size will be zero, and f2fs_fiemap()
+will call get_data_block() at block 0 again an again.
+
+Fix this by adding a force conversion before left shift.
+
+Signed-off-by: Wei Fang
+Acked-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Cc: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/f2fs/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -844,7 +844,7 @@ static int __get_data_block(struct inode
+ if (!ret) {
+ map_bh(bh, inode->i_sb, map.m_pblk);
+ bh->b_state = (bh->b_state & ~F2FS_MAP_FLAGS) | map.m_flags;
+- bh->b_size = map.m_len << inode->i_blkbits;
++ bh->b_size = (u64)map.m_len << inode->i_blkbits;
+ }
+ return ret;
+ }
diff --git a/queue-4.9/series b/queue-4.9/series
index 8f5b07372c9..3b20e6aef4d 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -12,3 +12,4 @@ perf-remove-superfluous-allocation-error-check.patch
 tcp-fix-tcp_repair_queue-bound-checking.patch
 bdi-fix-oops-in-wb_workfn.patch
 kvm-ppc-book3s-hv-fix-trap-number-return-from-__kvmppc_vcore_entry.patch
+f2fs-fix-a-dead-loop-in-f2fs_fiemap.patch
-- 
2.47.3
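Review bot: The `(u64)` cast on the queued line `bh->b_size = (u64)map.m_len << inode->i_blkbits;` widens only the shift; `bh->b_size` is still a `size_t`, so on a 32-bit kernel the assignment truncates again and a mapping of 4 GiB or more would presumably still produce `b_size == 0` and the same non-advancing fiemap loop the commit message describes, unless the 4.9 fiemap path already caps the request length below that on such builds, which is not visible here and is worth confirming before treating the local hang as closed on every arch. The cast also reads as redundant at a glance and could be dropped by a later cleanup, so the line deserves a why-comment such as `/* m_len is unsigned int: widen before shifting so a >= 4 GiB mapping cannot wrap b_size to 0 and stall f2fs_fiemap() */`. The enclosing `__get_data_block()` begins outside the hunk, as does the `f2fs_fiemap()` loop that consumes `b_size`. The `queue-4.9/series` hunk only registers the patch and needs no change.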