aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGerhard Heift2014-01-30 16:23:59 +0100
committerChris Mason2014-06-12 18:21:39 -0700
commit8f5f6178f366bdb93d6af6f2bdca8ebca1ad9fe9 (patch)
treea2e697a397615dad07bb8665f5d8ec86cd481062
parent12544442882e13aee98126928bb3a1a141484fe8 (diff)
btrfs: tree_search, copy_to_sk: return EOVERFLOW for too small buffer
In copy_to_sk, if an item is too large for the given buffer, it now returns -EOVERFLOW instead of copying a search_header with len = 0. For backward compatibility for the first item it still copies such a header to the buffer, but not any other following items, which could have fitted. tree_search changes -EOVERFLOW back to 0 to behave similiar to the way it behaved before this patch. Signed-off-by: Gerhard Heift <Gerhard@Heift.Name> Signed-off-by: Chris Mason <clm@fb.com> Acked-by: David Sterba <dsterba@suse.cz>
-rw-r--r--fs/btrfs/ioctl.c28
1 files changed, 26 insertions, 2 deletions
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 775640475e35..6e09fc1c1c18 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1990,8 +1990,20 @@ static noinline int copy_to_sk(struct btrfs_root *root,
if (!key_in_sk(key, sk))
continue;
- if (sizeof(sh) + item_len > buf_size)
+ if (sizeof(sh) + item_len > buf_size) {
+ if (*num_found) {
+ ret = 1;
+ goto out;
+ }
+
+ /*
+ * return one empty item back for v1, which does not
+ * handle -EOVERFLOW
+ */
+
item_len = 0;
+ ret = -EOVERFLOW;
+ }
if (sizeof(sh) + item_len + *sk_offset > buf_size) {
ret = 1;
@@ -2017,6 +2029,9 @@ static noinline int copy_to_sk(struct btrfs_root *root,
}
(*num_found)++;
+ if (ret) /* -EOVERFLOW from above */
+ goto out;
+
if (*num_found >= sk->nr_items) {
ret = 1;
goto out;
@@ -2095,7 +2110,8 @@ static noinline int search_ioctl(struct inode *inode,
break;
}
- ret = 0;
+ if (ret > 0)
+ ret = 0;
err:
sk->nr_items = num_found;
btrfs_free_path(path);
@@ -2118,6 +2134,14 @@ static noinline int btrfs_ioctl_tree_search(struct file *file,
inode = file_inode(file);
ret = search_ioctl(inode, &args->key, sizeof(args->buf), args->buf);
+
+ /*
+ * In the origin implementation an overflow is handled by returning a
+ * search header with a len of zero, so reset ret.
+ */
+ if (ret == -EOVERFLOW)
+ ret = 0;
+
if (ret == 0 && copy_to_user(argp, args, sizeof(*args)))
ret = -EFAULT;
kfree(args);