diff options
author | Josh Boyer | 2011-08-19 14:50:26 -0400 |
---|---|---|
committer | Al Viro | 2011-11-19 11:13:26 -0500 |
commit | 016e8d44bc06dd3322f26712bdd3f3a6973592d0 (patch) | |
tree | 3e237994b81e284ad58acc75f37b4c8d4aefbdf3 /fs/minix/bitmap.c | |
parent | d633180c20271d3b7c1fabbccbc7c5b30ad12be4 (diff) |
fs/minix: Verify bitmap block counts before mounting
Newer versions of MINIX can create filesystems that allocate an extra
bitmap block. Mounting of this succeeds, but doing a statfs call will
result in an oops in count_free because of a negative number being used
for the bh index.
Avoid this by verifying the number of allocated blocks at mount time,
erroring out if there are not enough and make statfs ignore the extras
if there are too many.
This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs/minix/bitmap.c')
-rw-r--r-- | fs/minix/bitmap.c | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/fs/minix/bitmap.c b/fs/minix/bitmap.c index 3f32bcb0d9bd..7c82c29429d7 100644 --- a/fs/minix/bitmap.c +++ b/fs/minix/bitmap.c @@ -20,10 +20,11 @@ static const int nibblemap[] = { 4,3,3,2,3,2,2,1,3,2,2,1,2,1,1,0 }; static DEFINE_SPINLOCK(bitmap_lock); -static unsigned long count_free(struct buffer_head *map[], unsigned numblocks, __u32 numbits) +static unsigned long count_free(struct buffer_head *map[], unsigned blocksize, __u32 numbits) { unsigned i, j, sum = 0; struct buffer_head *bh; + unsigned numblocks = minix_blocks_needed(numbits, blocksize); for (i=0; i<numblocks-1; i++) { if (!(bh=map[i])) @@ -105,10 +106,12 @@ int minix_new_block(struct inode * inode) return 0; } -unsigned long minix_count_free_blocks(struct minix_sb_info *sbi) +unsigned long minix_count_free_blocks(struct super_block *sb) { - return (count_free(sbi->s_zmap, sbi->s_zmap_blocks, - sbi->s_nzones - sbi->s_firstdatazone + 1) + struct minix_sb_info *sbi = minix_sb(sb); + u32 bits = sbi->s_nzones - (sbi->s_firstdatazone + 1); + + return (count_free(sbi->s_zmap, sb->s_blocksize, bits) << sbi->s_log_zone_size); } @@ -273,7 +276,10 @@ struct inode *minix_new_inode(const struct inode *dir, int mode, int *error) return inode; } -unsigned long minix_count_free_inodes(struct minix_sb_info *sbi) +unsigned long minix_count_free_inodes(struct super_block *sb) { - return count_free(sbi->s_imap, sbi->s_imap_blocks, sbi->s_ninodes + 1); + struct minix_sb_info *sbi = minix_sb(sb); + u32 bits = sbi->s_ninodes + 1; + + return count_free(sbi->s_imap, sb->s_blocksize, bits); } |