linux-next/fs/omfs/file.c
Bob Copeland 9419fc1c95 omfs: fix oops when file metadata is corrupted
A fuzzed fileystem image failed with OMFS when the extent count was
used in a loop without being checked against the max number of extents.
It also provoked a signed division for an array index that was checked
as if unsigned, leading to index by -1.

omfsck will be updated to fix these cases, in the meantime bail out
gracefully.

Reported-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-08-15 08:35:44 -07:00

366 lines
9.0 KiB
C

/*
* OMFS (as used by RIO Karma) file operations.
* Copyright (C) 2005 Bob Copeland <me@bobcopeland.com>
* Released under GPL v2.
*/
#include <linux/version.h>
#include <linux/module.h>
#include <linux/fs.h>
#include <linux/buffer_head.h>
#include <linux/mpage.h>
#include "omfs.h"
static int omfs_sync_file(struct file *file, struct dentry *dentry,
int datasync)
{
struct inode *inode = dentry->d_inode;
int err;
err = sync_mapping_buffers(inode->i_mapping);
if (!(inode->i_state & I_DIRTY))
return err;
if (datasync && !(inode->i_state & I_DIRTY_DATASYNC))
return err;
err |= omfs_sync_inode(inode);
return err ? -EIO : 0;
}
static u32 omfs_max_extents(struct omfs_sb_info *sbi, int offset)
{
return (sbi->s_sys_blocksize - offset -
sizeof(struct omfs_extent)) /
sizeof(struct omfs_extent_entry) + 1;
}
void omfs_make_empty_table(struct buffer_head *bh, int offset)
{
struct omfs_extent *oe = (struct omfs_extent *) &bh->b_data[offset];
oe->e_next = ~cpu_to_be64(0ULL);
oe->e_extent_count = cpu_to_be32(1),
oe->e_fill = cpu_to_be32(0x22),
oe->e_entry.e_cluster = ~cpu_to_be64(0ULL);
oe->e_entry.e_blocks = ~cpu_to_be64(0ULL);
}
int omfs_shrink_inode(struct inode *inode)
{
struct omfs_sb_info *sbi = OMFS_SB(inode->i_sb);
struct omfs_extent *oe;
struct omfs_extent_entry *entry;
struct buffer_head *bh;
u64 next, last;
u32 extent_count;
u32 max_extents;
int ret;
/* traverse extent table, freeing each entry that is greater
* than inode->i_size;
*/
next = inode->i_ino;
/* only support truncate -> 0 for now */
ret = -EIO;
if (inode->i_size != 0)
goto out;
bh = sb_bread(inode->i_sb, clus_to_blk(sbi, next));
if (!bh)
goto out;
oe = (struct omfs_extent *)(&bh->b_data[OMFS_EXTENT_START]);
max_extents = omfs_max_extents(sbi, OMFS_EXTENT_START);
for (;;) {
if (omfs_is_bad(sbi, (struct omfs_header *) bh->b_data, next))
goto out_brelse;
extent_count = be32_to_cpu(oe->e_extent_count);
if (extent_count > max_extents)
goto out_brelse;
last = next;
next = be64_to_cpu(oe->e_next);
entry = &oe->e_entry;
/* ignore last entry as it is the terminator */
for (; extent_count > 1; extent_count--) {
u64 start, count;
start = be64_to_cpu(entry->e_cluster);
count = be64_to_cpu(entry->e_blocks);
omfs_clear_range(inode->i_sb, start, (int) count);
entry++;
}
omfs_make_empty_table(bh, (char *) oe - bh->b_data);
mark_buffer_dirty(bh);
brelse(bh);
if (last != inode->i_ino)
omfs_clear_range(inode->i_sb, last, sbi->s_mirrors);
if (next == ~0)
break;
bh = sb_bread(inode->i_sb, clus_to_blk(sbi, next));
if (!bh)
goto out;
oe = (struct omfs_extent *) (&bh->b_data[OMFS_EXTENT_CONT]);
max_extents = omfs_max_extents(sbi, OMFS_EXTENT_CONT);
}
ret = 0;
out:
return ret;
out_brelse:
brelse(bh);
return ret;
}
static void omfs_truncate(struct inode *inode)
{
omfs_shrink_inode(inode);
mark_inode_dirty(inode);
}
/*
* Add new blocks to the current extent, or create new entries/continuations
* as necessary.
*/
static int omfs_grow_extent(struct inode *inode, struct omfs_extent *oe,
u64 *ret_block)
{
struct omfs_extent_entry *terminator;
struct omfs_extent_entry *entry = &oe->e_entry;
struct omfs_sb_info *sbi = OMFS_SB(inode->i_sb);
u32 extent_count = be32_to_cpu(oe->e_extent_count);
u64 new_block = 0;
u32 max_count;
int new_count;
int ret = 0;
/* reached the end of the extent table with no blocks mapped.
* there are three possibilities for adding: grow last extent,
* add a new extent to the current extent table, and add a
* continuation inode. in last two cases need an allocator for
* sbi->s_cluster_size
*/
/* TODO: handle holes */
/* should always have a terminator */
if (extent_count < 1)
return -EIO;
/* trivially grow current extent, if next block is not taken */
terminator = entry + extent_count - 1;
if (extent_count > 1) {
entry = terminator-1;
new_block = be64_to_cpu(entry->e_cluster) +
be64_to_cpu(entry->e_blocks);
if (omfs_allocate_block(inode->i_sb, new_block)) {
entry->e_blocks =
cpu_to_be64(be64_to_cpu(entry->e_blocks) + 1);
terminator->e_blocks = ~(cpu_to_be64(
be64_to_cpu(~terminator->e_blocks) + 1));
goto out;
}
}
max_count = omfs_max_extents(sbi, OMFS_EXTENT_START);
/* TODO: add a continuation block here */
if (be32_to_cpu(oe->e_extent_count) > max_count-1)
return -EIO;
/* try to allocate a new cluster */
ret = omfs_allocate_range(inode->i_sb, 1, sbi->s_clustersize,
&new_block, &new_count);
if (ret)
goto out_fail;
/* copy terminator down an entry */
entry = terminator;
terminator++;
memcpy(terminator, entry, sizeof(struct omfs_extent_entry));
entry->e_cluster = cpu_to_be64(new_block);
entry->e_blocks = cpu_to_be64((u64) new_count);
terminator->e_blocks = ~(cpu_to_be64(
be64_to_cpu(~terminator->e_blocks) + (u64) new_count));
/* write in new entry */
oe->e_extent_count = cpu_to_be32(1 + be32_to_cpu(oe->e_extent_count));
out:
*ret_block = new_block;
out_fail:
return ret;
}
/*
* Scans across the directory table for a given file block number.
* If block not found, return 0.
*/
static sector_t find_block(struct inode *inode, struct omfs_extent_entry *ent,
sector_t block, int count, int *left)
{
/* count > 1 because of terminator */
sector_t searched = 0;
for (; count > 1; count--) {
int numblocks = clus_to_blk(OMFS_SB(inode->i_sb),
be64_to_cpu(ent->e_blocks));
if (block >= searched &&
block < searched + numblocks) {
/*
* found it at cluster + (block - searched)
* numblocks - (block - searched) is remainder
*/
*left = numblocks - (block - searched);
return clus_to_blk(OMFS_SB(inode->i_sb),
be64_to_cpu(ent->e_cluster)) +
block - searched;
}
searched += numblocks;
ent++;
}
return 0;
}
static int omfs_get_block(struct inode *inode, sector_t block,
struct buffer_head *bh_result, int create)
{
struct buffer_head *bh;
sector_t next, offset;
int ret;
u64 new_block;
u32 max_extents;
int extent_count;
struct omfs_extent *oe;
struct omfs_extent_entry *entry;
struct omfs_sb_info *sbi = OMFS_SB(inode->i_sb);
int max_blocks = bh_result->b_size >> inode->i_blkbits;
int remain;
ret = -EIO;
bh = sb_bread(inode->i_sb, clus_to_blk(sbi, inode->i_ino));
if (!bh)
goto out;
oe = (struct omfs_extent *)(&bh->b_data[OMFS_EXTENT_START]);
max_extents = omfs_max_extents(sbi, OMFS_EXTENT_START);
next = inode->i_ino;
for (;;) {
if (omfs_is_bad(sbi, (struct omfs_header *) bh->b_data, next))
goto out_brelse;
extent_count = be32_to_cpu(oe->e_extent_count);
next = be64_to_cpu(oe->e_next);
entry = &oe->e_entry;
if (extent_count > max_extents)
goto out_brelse;
offset = find_block(inode, entry, block, extent_count, &remain);
if (offset > 0) {
ret = 0;
map_bh(bh_result, inode->i_sb, offset);
if (remain > max_blocks)
remain = max_blocks;
bh_result->b_size = (remain << inode->i_blkbits);
goto out_brelse;
}
if (next == ~0)
break;
brelse(bh);
bh = sb_bread(inode->i_sb, clus_to_blk(sbi, next));
if (!bh)
goto out;
oe = (struct omfs_extent *) (&bh->b_data[OMFS_EXTENT_CONT]);
max_extents = omfs_max_extents(sbi, OMFS_EXTENT_CONT);
}
if (create) {
ret = omfs_grow_extent(inode, oe, &new_block);
if (ret == 0) {
mark_buffer_dirty(bh);
mark_inode_dirty(inode);
map_bh(bh_result, inode->i_sb,
clus_to_blk(sbi, new_block));
}
}
out_brelse:
brelse(bh);
out:
return ret;
}
static int omfs_readpage(struct file *file, struct page *page)
{
return block_read_full_page(page, omfs_get_block);
}
static int omfs_readpages(struct file *file, struct address_space *mapping,
struct list_head *pages, unsigned nr_pages)
{
return mpage_readpages(mapping, pages, nr_pages, omfs_get_block);
}
static int omfs_writepage(struct page *page, struct writeback_control *wbc)
{
return block_write_full_page(page, omfs_get_block, wbc);
}
static int
omfs_writepages(struct address_space *mapping, struct writeback_control *wbc)
{
return mpage_writepages(mapping, wbc, omfs_get_block);
}
static int omfs_write_begin(struct file *file, struct address_space *mapping,
loff_t pos, unsigned len, unsigned flags,
struct page **pagep, void **fsdata)
{
*pagep = NULL;
return block_write_begin(file, mapping, pos, len, flags,
pagep, fsdata, omfs_get_block);
}
static sector_t omfs_bmap(struct address_space *mapping, sector_t block)
{
return generic_block_bmap(mapping, block, omfs_get_block);
}
struct file_operations omfs_file_operations = {
.llseek = generic_file_llseek,
.read = do_sync_read,
.write = do_sync_write,
.aio_read = generic_file_aio_read,
.aio_write = generic_file_aio_write,
.mmap = generic_file_mmap,
.fsync = omfs_sync_file,
.splice_read = generic_file_splice_read,
};
struct inode_operations omfs_file_inops = {
.truncate = omfs_truncate
};
struct address_space_operations omfs_aops = {
.readpage = omfs_readpage,
.readpages = omfs_readpages,
.writepage = omfs_writepage,
.writepages = omfs_writepages,
.sync_page = block_sync_page,
.write_begin = omfs_write_begin,
.write_end = generic_write_end,
.bmap = omfs_bmap,
};