xfs: prevent a WARN_ONCE() in xfs_ioc_attr_list()

stable inclusion from stable-v5.10.140 commit 6a564bad3a6474a5247491d2b48637ec69d429dd category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5W3GQ Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6a564bad3a6474a5247491d2b48637ec69d429dd -------------------------------- commit 6ed6356b upstream. The "bufsize" comes from the root user. If "bufsize" is negative then, because of type promotion, neither of the validation checks at the start of the function are able to catch it: if (bufsize < sizeof(struct xfs_attrlist) || bufsize > XFS_XATTR_LIST_MAX) return -EINVAL; This means "bufsize" will trigger (WARN_ON_ONCE(size > INT_MAX)) in kvmalloc_node(). Fix this by changing the type from int to size_t. Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: N Darrick J. Wong <djwong@kernel.org> Signed-off-by: N Darrick J. Wong <djwong@kernel.org> Signed-off-by: N Amir Goldstein <amir73il@gmail.com> Acked-by: N Darrick J. Wong <djwong@kernel.org> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Wang Hai <wanghai38@huawei.com> Signed-off-by: N Guo Xuenan <guoxuenan@huawei.com> Reviewed-by: N Zhang Yi <yi.zhang@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

xfs: prevent a WARN_ONCE() in xfs_ioc_attr_list()
stable inclusion from stable-v5.10.140 commit 6a564bad3a6474a5247491d2b48637ec69d429dd category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5W3GQ Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6a564bad3a6474a5247491d2b48637ec69d429dd -------------------------------- commit 6ed6356b upstream. The "bufsize" comes from the root user. If "bufsize" is negative then, because of type promotion, neither of the validation checks at the start of the function are able to catch it: if (bufsize < sizeof(struct xfs_attrlist) || bufsize > XFS_XATTR_LIST_MAX) return -EINVAL; This means "bufsize" will trigger (WARN_ON_ONCE(size > INT_MAX)) in kvmalloc_node(). Fix this by changing the type from int to size_t. Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: N Darrick J. Wong <djwong@kernel.org> Signed-off-by: N Darrick J. Wong <djwong@kernel.org> Signed-off-by: N Amir Goldstein <amir73il@gmail.com> Acked-by: N Darrick J. Wong <djwong@kernel.org> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Wang Hai <wanghai38@huawei.com> Signed-off-by: N Guo Xuenan <guoxuenan@huawei.com> Reviewed-by: N Zhang Yi <yi.zhang@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
bd8c7810 · Dan Carpenter · Zheng Zengkai · 02133c58 · bd8c7810 · bd8c7810
隐藏空白更改
内联并排

Showing with 4 addition and 3 deletion

fs/xfs/xfs_ioctl.c fs/xfs/xfs_ioctl.c +1 -1

fs/xfs/xfs_ioctl.h fs/xfs/xfs_ioctl.h +3 -2

未找到文件。
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -371,7 +371,7 @@ int
 xfs_ioc_attr_list(
 	struct xfs_inode		*dp,
 	void __user			*ubuf,
-	int				bufsize,
+	size_t				bufsize,
 	int				flags,
 	struct xfs_attrlist_cursor __user *ucursor)
 {

--- a/fs/xfs/xfs_ioctl.h
+++ b/fs/xfs/xfs_ioctl.h
@@ -38,8 +38,9 @@ xfs_readlink_by_handle(
 int xfs_ioc_attrmulti_one(struct file *parfilp, struct inode *inode,
 		uint32_t opcode, void __user *uname, void __user *value,
 		uint32_t *len, uint32_t flags);
-int xfs_ioc_attr_list(struct xfs_inode *dp, void __user *ubuf, int bufsize,
-	int flags, struct xfs_attrlist_cursor __user *ucursor);
+int xfs_ioc_attr_list(struct xfs_inode *dp, void __user *ubuf,
+		      size_t bufsize, int flags,
+		      struct xfs_attrlist_cursor __user *ucursor);

 extern struct dentry *
 xfs_handle_to_dentry(