diff options
| author | pix106 <sbordenave@gmail.com> | 2021-01-10 01:17:07 +0100 |
|---|---|---|
| committer | pix106 <sbordenave@gmail.com> | 2021-01-10 01:17:07 +0100 |
| commit | 4e43846d0525b097d697c9fd089b8454c3a1ee4b (patch) | |
| tree | ddc769275ad8b54c251dc4e797fbff9b96a50a72 /fs | |
| parent | 49d9381462eeb63aea37f03cde528deef3f09698 (diff) | |
| parent | d90a51363bc5b9c9790fae4dfafa21e9496e1c88 (diff) | |
Merge branch 'kernel.lnx.4.4.r38-rel' of https://github.com/android-linux-stable/msm-4.4 into 11-EASHEADr11.1
* 'kernel.lnx.4.4.r38-rel' of https://github.com/android-linux-stable/msm-4.4:
Linux 4.4.250
mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start
iio:magnetometer:mag3110: Fix alignment and data leak issues.
module: delay kobject uevent until after module init call
powerpc: sysdev: add missing iounmap() on error in mpic_msgr_probe()
quota: Don't overflow quota file offsets
module: set MODULE_STATE_GOING state when a module fails to load
ALSA: seq: Use bool for snd_seq_queue internal flags
media: gp8psk: initialize stats at power control logic
misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells()
reiserfs: add check for an invalid ih_entry_count
of: fix linker-section match-table corruption
uapi: move constants from <linux/kernel.h> to <linux/const.h>
USB: serial: digi_acceleport: fix write-wakeup deadlocks
s390/dasd: fix hanging device offline processing
ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236
ALSA: hda - Fix a wrong FIXUP for alc289 on Dell machines
ALSA: hda/realtek - Support Dell headset mode for ALC3271
ALSA: usb-audio: fix sync-ep altsetting sanity check
ALSA: usb-audio: simplify set_sync_ep_implicit_fb_quirk
ALSA: hda/ca0132 - Fix work handling in delayed HP detection
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/quota/quota_tree.c | 8 | ||||
| -rw-r--r-- | fs/reiserfs/stree.c | 6 |
2 files changed, 10 insertions, 4 deletions
diff --git a/fs/quota/quota_tree.c b/fs/quota/quota_tree.c index 58efb83dec1c..3069b1186719 100644 --- a/fs/quota/quota_tree.c +++ b/fs/quota/quota_tree.c @@ -55,7 +55,7 @@ static ssize_t read_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf) memset(buf, 0, info->dqi_usable_bs); return sb->s_op->quota_read(sb, info->dqi_type, buf, - info->dqi_usable_bs, blk << info->dqi_blocksize_bits); + info->dqi_usable_bs, (loff_t)blk << info->dqi_blocksize_bits); } static ssize_t write_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf) @@ -64,7 +64,7 @@ static ssize_t write_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf) ssize_t ret; ret = sb->s_op->quota_write(sb, info->dqi_type, buf, - info->dqi_usable_bs, blk << info->dqi_blocksize_bits); + info->dqi_usable_bs, (loff_t)blk << info->dqi_blocksize_bits); if (ret != info->dqi_usable_bs) { quota_error(sb, "dquota write failed"); if (ret >= 0) @@ -277,7 +277,7 @@ static uint find_free_dqentry(struct qtree_mem_dqinfo *info, blk); goto out_buf; } - dquot->dq_off = (blk << info->dqi_blocksize_bits) + + dquot->dq_off = ((loff_t)blk << info->dqi_blocksize_bits) + sizeof(struct qt_disk_dqdbheader) + i * info->dqi_entry_size; kfree(buf); @@ -552,7 +552,7 @@ static loff_t find_block_dqentry(struct qtree_mem_dqinfo *info, ret = -EIO; goto out_buf; } else { - ret = (blk << info->dqi_blocksize_bits) + sizeof(struct + ret = ((loff_t)blk << info->dqi_blocksize_bits) + sizeof(struct qt_disk_dqdbheader) + i * info->dqi_entry_size; } out_buf: diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c index e3a4cbad9620..33b78ee9fb9e 100644 --- a/fs/reiserfs/stree.c +++ b/fs/reiserfs/stree.c @@ -453,6 +453,12 @@ static int is_leaf(char *buf, int blocksize, struct buffer_head *bh) "(second one): %h", ih); return 0; } + if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) { + reiserfs_warning(NULL, "reiserfs-5093", + "item entry count seems wrong %h", + ih); + return 0; + } prev_location = ih_location(ih); } |