change system file

hc

2024-10-09 244b2c5ca8b14627e4a17755e5922221e121c771

 kernel/fs/jfs/jfs_dmap.c
..
..
@@ -155,7 +155,7 @@
155
155
 	struct bmap *bmp;
156
156
 	struct dbmap_disk *dbmp_le;
157
157
 	struct metapage *mp;
158
-	int i;
158
+	int i, err;
159
159
 
160
160
 	/*
161
161
 	 * allocate/initialize the in-memory bmap descriptor
..
..
@@ -170,20 +170,25 @@
170
170
 			   BMAPBLKNO << JFS_SBI(ipbmap->i_sb)->l2nbperpage,
171
171
 			   PSIZE, 0);
172
172
 	if (mp == NULL) {
173
-		kfree(bmp);
174
-		return -EIO;
173
+		err = -EIO;
174
+		goto err_kfree_bmp;
175
175
 	}
176
176
 
177
177
 	/* copy the on-disk bmap descriptor to its in-memory version. */
178
178
 	dbmp_le = (struct dbmap_disk *) mp->data;
179
179
 	bmp->db_mapsize = le64_to_cpu(dbmp_le->dn_mapsize);
180
180
 	bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);
181
+
181
182
 	bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
183
+	if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) {
184
+		err = -EINVAL;
185
+		goto err_release_metapage;
186
+	}
187
+
182
188
 	bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
183
189
 	if (!bmp->db_numag) {
184
-		release_metapage(mp);
185
-		kfree(bmp);
186
-		return -EINVAL;
190
+		err = -EINVAL;
191
+		goto err_release_metapage;
187
192
 	}
188
193
 
189
194
 	bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
..
..
@@ -194,6 +199,17 @@
194
199
 	bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
195
200
 	bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
196
201
 	bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
202
+	if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG ||
203
+	    bmp->db_agl2size < 0) {
204
+		err = -EINVAL;
205
+		goto err_release_metapage;
206
+	}
207
+
208
+	if (((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG) {
209
+		err = -EINVAL;
210
+		goto err_release_metapage;
211
+	}
212
+
197
213
 	for (i = 0; i < MAXAG; i++)
198
214
 		bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]);
199
215
 	bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize);
..
..
@@ -214,6 +230,12 @@
214
230
 	BMAP_LOCK_INIT(bmp);
215
231
 
216
232
 	return (0);
233
+
234
+err_release_metapage:
235
+	release_metapage(mp);
236
+err_kfree_bmp:
237
+	kfree(bmp);
238
+	return err;
217
239
 }
218
240
 
219
241
 
..
..
@@ -247,6 +269,7 @@
247
269
 
248
270
 	/* free the memory for the in-memory bmap. */
249
271
 	kfree(bmp);
272
+	JFS_SBI(ipbmap->i_sb)->bmap = NULL;
250
273
 
251
274
 	return (0);
252
275
 }
..
..
@@ -2005,6 +2028,9 @@
2005
2028
 	if (dbFindLeaf((dmtree_t *) & dp->tree, l2nb, &leafidx))
2006
2029
 		return -ENOSPC;
2007
2030
 
2031
+	if (leafidx < 0)
2032
+		return -EIO;
2033
+
2008
2034
 	/* determine the block number within the file system corresponding
2009
2035
 	 * to the leaf at which free space was found.
2010
2036
 	 */