    Fix nobh_truncate_page() to not pass stack garbage to get_block() · 460bcf57
    Theodore Ts'o authored
    The nobh_truncate_page() function is used by ext2, exofs, and jfs.  Of
    these three, only the ext2 and jfs get_block() functions pay attention
    to bh->b_size --- which is normally always the filesystem blocksize
    except when the get_block() function is called by either
    mpage_readpage(), mpage_readpages(), or the direct I/O routines in
    fs/direct_io.c.
    
    Unfortunately, nobh_truncate_page() does not initialize map_bh before
    calling the filesystem-supplied get_block() function.  So ext2 and jfs
    will try to calculate the number of blocks to map by taking stack
    garbage and shifting it left by inode->i_blkbits.  This should be
    *mostly* harmless (except the filesystem will do some unneeded work)
    unless the stack garbage is less than the filesystem's blocksize, in which
    case maxblocks will be zero, and the attempt to find out whether or
    not the filesystem has a hole at a given logical block will fail, and
    the page cache entry might not get zeroed out.
    
    Also if the stack garbage in map_bh->state happens to have the
    BH_Mapped bit set, there could be an attempt to call readpage() on a
    non-existent page, which could cause nobh_truncate_page() to return an
    error when it should not.
    
    Fix this by initializing map_bh->state and map_bh->size.
    
    Fortunately, it's probably fairly unlikely that ext2 and jfs users
    mount with nobh these days.
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Cc: Dave Kleikamp <shaggy@linux.vnet.ibm.com>
    Cc: linux-fsdevel@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
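The two failure modes the commit message describes, as an added example that is not the kernel's code and not part of this commit: a stand-in get_block() that derives maxblocks from bh->b_size the way ext2 and jfs do, called first with an uninitialized map_bh (constructed garbage standing in for stack contents) and then with the fix applied (b_state = 0, b_size = blocksize). The struct layouts, the bit position used for BH_Mapped, the four-block "filesystem", the readpage() model and the error values are assumptions for illustration only.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Stand-in definitions for this example only; they are not the kernel's
 * struct buffer_head / struct inode, just the fields the bug involves.
 */
#define BH_MAPPED_BIT (1ul << 2)   /* assumption: illustrative bit position */

struct inode { unsigned int i_blkbits; };
struct buffer_head {
    unsigned long b_state;
    size_t b_size;
    uint64_t b_blocknr;
};

enum outcome {
    OUT_ZEROED = 0,          /* block mapped, page read, tail zeroed */
    OUT_HOLE_SKIPPED = 1,    /* block is a hole, nothing to zero */
    OUT_ERR_GET_BLOCK = 2,   /* get_block() failed because maxblocks was 0 */
    OUT_ERR_READPAGE = 3,    /* readpage() attempted on a hole and failed */
};

/* Constructed "filesystem": logical blocks 0..3 are allocated, the rest are holes. */
static int fs_block_allocated(uint64_t iblock) { return iblock < 4; }

/* Model of an ext2/jfs-style get_block(): the block count to map comes from bh->b_size. */
static int model_get_block(struct inode *inode, uint64_t iblock, struct buffer_head *bh,
                           unsigned long *maxblocks_out)
{
    unsigned long maxblocks = bh->b_size >> inode->i_blkbits;
    *maxblocks_out = maxblocks;
    if (maxblocks == 0)
        return -EIO;                      /* cannot even ask whether iblock is a hole */
    if (fs_block_allocated(iblock)) {
        bh->b_state |= BH_MAPPED_BIT;     /* mapped: report the physical block */
        bh->b_blocknr = 1000 + iblock;
    }
    /* A hole leaves bh->b_state untouched, which is why stale BH_Mapped garbage matters. */
    return 0;
}

/* readpage() on a block with no backing storage is modelled here as an I/O error (assumption). */
static int model_readpage(uint64_t iblock)
{
    return fs_block_allocated(iblock) ? 0 : -EIO;
}

/*
 * The truncate path. `stack_garbage` plays the role of whatever the uninitialized
 * map_bh happened to contain; `initialize` selects pre-fix (0) or fixed (1) behaviour.
 */
static enum outcome truncate_tail_block(struct inode *inode, uint64_t iblock,
                                        const struct buffer_head *stack_garbage, int initialize)
{
    struct buffer_head map_bh = *stack_garbage;
    unsigned long maxblocks;

    if (initialize) {                     /* the fix: known state before calling get_block() */
        map_bh.b_size = (size_t)1 << inode->i_blkbits;
        map_bh.b_state = 0;
    }
    if (model_get_block(inode, iblock, &map_bh, &maxblocks) != 0)
        return OUT_ERR_GET_BLOCK;
    if (!(map_bh.b_state & BH_MAPPED_BIT))
        return OUT_HOLE_SKIPPED;          /* unmapped: it's a hole, nothing to do */
    if (model_readpage(iblock) != 0)
        return OUT_ERR_READPAGE;
    return OUT_ZEROED;                    /* mapped and up to date: zero the tail */
}

/* Two constructed garbage patterns matching the commit message, with a 4 KiB block size. */
static struct inode inode_4k = { .i_blkbits = 12 };
static const struct buffer_head garbage_small  = { .b_state = 0,             .b_size = 100,      .b_blocknr = 0 };
static const struct buffer_head garbage_mapped = { .b_state = BH_MAPPED_BIT, .b_size = 3 * 4096, .b_blocknr = 7 };

enum outcome before_fix_small_size(void)   { return truncate_tail_block(&inode_4k, 1,  &garbage_small,  0); }
enum outcome before_fix_stale_mapped(void) { return truncate_tail_block(&inode_4k, 10, &garbage_mapped, 0); }
enum outcome after_fix_allocated(void)     { return truncate_tail_block(&inode_4k, 1,  &garbage_small,  1); }
enum outcome after_fix_hole(void)          { return truncate_tail_block(&inode_4k, 10, &garbage_mapped, 1); }

int main(void)
{
    printf("before fix, b_size < blocksize : %d (2 = get_block error, page not zeroed)\n", before_fix_small_size());
    printf("before fix, stale BH_Mapped    : %d (3 = spurious readpage error)\n", before_fix_stale_mapped());
    printf("after fix, allocated block     : %d (0 = tail zeroed)\n", after_fix_allocated());
    printf("after fix, hole                : %d (1 = hole skipped)\n", after_fix_hole());
    return 0;
}
```

The first pre-fix case reproduces the maxblocks == 0 path: a b_size smaller than the block size shifts to zero and the hole lookup fails before anything is zeroed. The second reproduces the stale BH_Mapped case: get_block() leaves the state untouched for a hole, the caller believes the block is mapped, and readpage() is attempted on a block that does not exist. Initializing both fields before the call removes both paths; the remaining outcomes depend only on what the filesystem actually reports.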
buffer.c 88.7 KB