From fa0c5540739320258c3e3a45aaae9dae467b2504 Mon Sep 17 00:00:00 2001 From: Jiri Slaby Date: Fri, 12 Dec 2014 16:29:29 +0100 Subject: [PATCH 1/2] reiserfs: destroy allocated commit workqueue MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When resirefs is trying to mount a partition, it creates a commit workqueue (sbi->commit_wq). But when mount fails later, the workqueue is not freed. Signed-off-by: Jiri Slaby Reported-by: auxsvr@gmail.com Reported-by: BenoƮt Monin Cc: Jan Kara Cc: stable@vger.kernel.org # >= 3.16 Cc: reiserfs-devel@vger.kernel.org Fixes: 797d9016ceca69879bb273218810fa0beef46aac Signed-off-by: Jan Kara --- fs/reiserfs/super.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c index ea63ab13ef92..71fbbe3e2dab 100644 --- a/fs/reiserfs/super.c +++ b/fs/reiserfs/super.c @@ -2172,6 +2172,9 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent) reiserfs_write_unlock(s); } + if (sbi->commit_wq) + destroy_workqueue(sbi->commit_wq); + cancel_delayed_work_sync(&REISERFS_SB(s)->old_work); reiserfs_free_bitmap_cache(s); From f54e18f1b831c92f6512d2eedb224cd63d607d3d Mon Sep 17 00:00:00 2001 From: Jan Kara Date: Mon, 15 Dec 2014 14:22:46 +0100 Subject: [PATCH 2/2] isofs: Fix infinite looping over CE entries Rock Ridge extensions define so called Continuation Entries (CE) which define where is further space with Rock Ridge data. Corrupted isofs image can contain arbitrarily long chain of these, including a one containing loop and thus causing kernel to end in an infinite loop when traversing these entries. Limit the traversal to 32 entries which should be more than enough space to store all the Rock Ridge data. Reported-by: P J P CC: stable@vger.kernel.org Signed-off-by: Jan Kara --- fs/isofs/rock.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c index f488bbae541a..bb63254ed848 100644 --- a/fs/isofs/rock.c +++ b/fs/isofs/rock.c @@ -30,6 +30,7 @@ struct rock_state { int cont_size; int cont_extent; int cont_offset; + int cont_loops; struct inode *inode; }; @@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode) rs->inode = inode; } +/* Maximum number of Rock Ridge continuation entries */ +#define RR_MAX_CE_ENTRIES 32 + /* * Returns 0 if the caller should continue scanning, 1 if the scan must end * and -ve on error. @@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs) goto out; } ret = -EIO; + if (++rs->cont_loops >= RR_MAX_CE_ENTRIES) + goto out; bh = sb_bread(rs->inode->i_sb, rs->cont_extent); if (bh) { memcpy(rs->buffer, bh->b_data + rs->cont_offset,