quota: Don't overflow quota file offsets

stable inclusion from linux-4.19.165 commit 75f1bd7955f17cf15412165d25f03df7d659568e -------------------------------- [ Upstream commit 10f04d40 ] The on-disk quota format supports quota files with upto 2^32 blocks. Be careful when computing quota file offsets in the quota files from block numbers as they can overflow 32-bit types. Since quota files larger than 4GB would require ~26 millions of quota users, this is mostly a theoretical concern now but better be careful, fuzzers would find the problem sooner or later anyway... Reviewed-by: N Andreas Dilger <adilger@dilger.ca> Signed-off-by: N Jan Kara <jack@suse.cz> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: N Cheng Jian <cj.chengjian@huawei.com>

quota: Don't overflow quota file offsets
stable inclusion from linux-4.19.165 commit 75f1bd7955f17cf15412165d25f03df7d659568e -------------------------------- [ Upstream commit 10f04d40 ] The on-disk quota format supports quota files with upto 2^32 blocks. Be careful when computing quota file offsets in the quota files from block numbers as they can overflow 32-bit types. Since quota files larger than 4GB would require ~26 millions of quota users, this is mostly a theoretical concern now but better be careful, fuzzers would find the problem sooner or later anyway... Reviewed-by: N Andreas Dilger <adilger@dilger.ca> Signed-off-by: N Jan Kara <jack@suse.cz> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: N Cheng Jian <cj.chengjian@huawei.com>
f58f6391 · Jan Kara · Yang Yingliang · e8a1e09d · f58f6391
隐藏空白更改
内联并排

Showing with 4 addition and 4 deletion

fs/quota/quota_tree.c fs/quota/quota_tree.c +4 -4

未找到文件。
--- a/fs/quota/quota_tree.c
+++ b/fs/quota/quota_tree.c
@@ -61,7 +61,7 @@ static ssize_t read_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf)
 	memset(buf, 0, info->dqi_usable_bs);
 	return sb->s_op->quota_read(sb, info->dqi_type, buf,
-	       info->dqi_usable_bs, blk << info->dqi_blocksize_bits);
+	       info->dqi_usable_bs, (loff_t)blk << info->dqi_blocksize_bits);
 }
 static ssize_t write_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf)
@@ -70,7 +70,7 @@ static ssize_t write_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf)
 	ssize_t ret;
 	ret = sb->s_op->quota_write(sb, info->dqi_type, buf,
-	       info->dqi_usable_bs, blk << info->dqi_blocksize_bits);
+	       info->dqi_usable_bs, (loff_t)blk << info->dqi_blocksize_bits);
 	if (ret != info->dqi_usable_bs) {
 		quota_error(sb, "dquota write failed");
 		if (ret >= 0)
@@ -283,7 +283,7 @@ static uint find_free_dqentry(struct qtree_mem_dqinfo *info,
 			    blk);
 		goto out_buf;
 	}
-	dquot->dq_off = (blk << info->dqi_blocksize_bits) +
+	dquot->dq_off = ((loff_t)blk << info->dqi_blocksize_bits) +
 			sizeof(struct qt_disk_dqdbheader) +
 			i * info->dqi_entry_size;
 	kfree(buf);
@@ -558,7 +558,7 @@ static loff_t find_block_dqentry(struct qtree_mem_dqinfo *info,
 		ret = -EIO;
 		goto out_buf;
 	} else {
-		ret = (blk << info->dqi_blocksize_bits) + sizeof(struct
+		ret = ((loff_t)blk << info->dqi_blocksize_bits) + sizeof(struct
 		  qt_disk_dqdbheader) + i * info->dqi_entry_size;
 	}
 out_buf: