Commit 12495ea3 authored by Krzysztof Błaszkowski's avatar Krzysztof Błaszkowski Committed by Christoph Hellwig

freevxfs: refactor readdir and lookup code

This change also fixes a buffer overflow that was caused by
accessing address space beyond the mapped page.
Signed-off-by: default avatarKrzysztof Błaszkowski <kb@sysmikro.com.pl>
Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
parent f2fe2fa1
...@@ -62,35 +62,6 @@ const struct file_operations vxfs_dir_operations = { ...@@ -62,35 +62,6 @@ const struct file_operations vxfs_dir_operations = {
.iterate_shared = vxfs_readdir, .iterate_shared = vxfs_readdir,
}; };
static inline u_long
dir_blocks(struct inode *ip)
{
u_long bsize = ip->i_sb->s_blocksize;
return (ip->i_size + bsize - 1) & ~(bsize - 1);
}
/*
* NOTE! unlike strncmp, vxfs_match returns 1 for success, 0 for failure.
*
* len <= VXFS_NAMELEN and de != NULL are guaranteed by caller.
*/
static inline int
vxfs_match(struct vxfs_sb_info *sbi, int len, const char *const name,
struct vxfs_direct *de)
{
if (len != fs16_to_cpu(sbi, de->d_namelen))
return 0;
if (!de->d_ino)
return 0;
return !memcmp(name, de->d_name, len);
}
static inline struct vxfs_direct *
vxfs_next_entry(struct vxfs_sb_info *sbi, struct vxfs_direct *de)
{
return ((struct vxfs_direct *)
((char *)de + fs16_to_cpu(sbi, de->d_reclen)));
}
/** /**
* vxfs_find_entry - find a mathing directory entry for a dentry * vxfs_find_entry - find a mathing directory entry for a dentry
...@@ -109,53 +80,64 @@ vxfs_next_entry(struct vxfs_sb_info *sbi, struct vxfs_direct *de) ...@@ -109,53 +80,64 @@ vxfs_next_entry(struct vxfs_sb_info *sbi, struct vxfs_direct *de)
static struct vxfs_direct * static struct vxfs_direct *
vxfs_find_entry(struct inode *ip, struct dentry *dp, struct page **ppp) vxfs_find_entry(struct inode *ip, struct dentry *dp, struct page **ppp)
{ {
struct vxfs_sb_info *sbi = VXFS_SBI(ip->i_sb);
u_long npages, page, nblocks, pblocks, block;
u_long bsize = ip->i_sb->s_blocksize; u_long bsize = ip->i_sb->s_blocksize;
const char *name = dp->d_name.name; const char *name = dp->d_name.name;
int namelen = dp->d_name.len; int namelen = dp->d_name.len;
loff_t limit = VXFS_DIRROUND(ip->i_size);
struct vxfs_direct *de_exit = NULL;
loff_t pos = 0;
struct vxfs_sb_info *sbi = VXFS_SBI(ip->i_sb);
npages = dir_pages(ip); while (pos < limit) {
nblocks = dir_blocks(ip);
pblocks = VXFS_BLOCK_PER_PAGE(ip->i_sb);
for (page = 0; page < npages; page++) {
caddr_t kaddr;
struct page *pp; struct page *pp;
char *kaddr;
int pg_ofs = pos & ~PAGE_MASK;
pp = vxfs_get_page(ip->i_mapping, page); pp = vxfs_get_page(ip->i_mapping, pos >> PAGE_SHIFT);
if (IS_ERR(pp)) if (IS_ERR(pp))
continue; return NULL;
kaddr = (caddr_t)page_address(pp); kaddr = (char *)page_address(pp);
for (block = 0; block <= nblocks && block <= pblocks; block++) { while (pg_ofs < PAGE_SIZE && pos < limit) {
caddr_t baddr, limit;
struct vxfs_dirblk *dbp;
struct vxfs_direct *de; struct vxfs_direct *de;
baddr = kaddr + (block * bsize); if ((pos & (bsize - 1)) < 4) {
limit = baddr + bsize - VXFS_DIRLEN(1); struct vxfs_dirblk *dbp =
(struct vxfs_dirblk *)
(kaddr + (pos & ~PAGE_MASK));
int overhead = VXFS_DIRBLKOV(sbi, dbp);
dbp = (struct vxfs_dirblk *)baddr; pos += overhead;
de = (struct vxfs_direct *) pg_ofs += overhead;
(baddr + VXFS_DIRBLKOV(sbi, dbp)); }
de = (struct vxfs_direct *)(kaddr + pg_ofs);
for (; (caddr_t)de <= limit; if (!de->d_reclen) {
de = vxfs_next_entry(sbi, de)) { pos += bsize - 1;
if (!de->d_reclen) pos &= ~(bsize - 1);
break; break;
}
pg_ofs += fs16_to_cpu(sbi, de->d_reclen);
pos += fs16_to_cpu(sbi, de->d_reclen);
if (!de->d_ino) if (!de->d_ino)
continue; continue;
if (vxfs_match(sbi, namelen, name, de)) {
if (namelen != fs16_to_cpu(sbi, de->d_namelen))
continue;
if (!memcmp(name, de->d_name, namelen)) {
*ppp = pp; *ppp = pp;
return (de); de_exit = de;
} break;
} }
} }
if (!de_exit)
vxfs_put_page(pp); vxfs_put_page(pp);
else
break;
} }
return NULL; return de_exit;
} }
/** /**
...@@ -238,80 +220,81 @@ vxfs_readdir(struct file *fp, struct dir_context *ctx) ...@@ -238,80 +220,81 @@ vxfs_readdir(struct file *fp, struct dir_context *ctx)
{ {
struct inode *ip = file_inode(fp); struct inode *ip = file_inode(fp);
struct super_block *sbp = ip->i_sb; struct super_block *sbp = ip->i_sb;
struct vxfs_sb_info *sbi = VXFS_SBI(sbp);
u_long bsize = sbp->s_blocksize; u_long bsize = sbp->s_blocksize;
u_long page, npages, block, pblocks, nblocks, offset; loff_t pos, limit;
loff_t pos; struct vxfs_sb_info *sbi = VXFS_SBI(sbp);
if (ctx->pos == 0) { if (ctx->pos == 0) {
if (!dir_emit_dot(fp, ctx)) if (!dir_emit_dot(fp, ctx))
return 0; goto out;
ctx->pos = 1; ctx->pos++;
} }
if (ctx->pos == 1) { if (ctx->pos == 1) {
if (!dir_emit(ctx, "..", 2, VXFS_INO(ip)->vii_dotdot, DT_DIR)) if (!dir_emit(ctx, "..", 2, VXFS_INO(ip)->vii_dotdot, DT_DIR))
return 0; goto out;
ctx->pos = 2; ctx->pos++;
} }
pos = ctx->pos - 2;
if (pos > VXFS_DIRROUND(ip->i_size)) limit = VXFS_DIRROUND(ip->i_size);
return 0; if (ctx->pos > limit)
goto out;
npages = dir_pages(ip);
nblocks = dir_blocks(ip);
pblocks = VXFS_BLOCK_PER_PAGE(sbp);
page = pos >> PAGE_SHIFT; pos = ctx->pos & ~3L;
offset = pos & ~PAGE_MASK;
block = (u_long)(pos >> sbp->s_blocksize_bits) % pblocks;
for (; page < npages; page++, block = 0) { while (pos < limit) {
char *kaddr;
struct page *pp; struct page *pp;
char *kaddr;
int pg_ofs = pos & ~PAGE_MASK;
int rc = 0;
pp = vxfs_get_page(ip->i_mapping, page); pp = vxfs_get_page(ip->i_mapping, pos >> PAGE_SHIFT);
if (IS_ERR(pp)) if (IS_ERR(pp))
continue; return -ENOMEM;
kaddr = (char *)page_address(pp); kaddr = (char *)page_address(pp);
for (; block <= nblocks && block <= pblocks; block++) { while (pg_ofs < PAGE_SIZE && pos < limit) {
char *baddr, *limit;
struct vxfs_dirblk *dbp;
struct vxfs_direct *de; struct vxfs_direct *de;
baddr = kaddr + (block * bsize); if ((pos & (bsize - 1)) < 4) {
limit = baddr + bsize - VXFS_DIRLEN(1); struct vxfs_dirblk *dbp =
(struct vxfs_dirblk *)
(kaddr + (pos & ~PAGE_MASK));
int overhead = VXFS_DIRBLKOV(sbi, dbp);
dbp = (struct vxfs_dirblk *)baddr; pos += overhead;
de = (struct vxfs_direct *) pg_ofs += overhead;
(offset ? }
(kaddr + offset) : de = (struct vxfs_direct *)(kaddr + pg_ofs);
(baddr + VXFS_DIRBLKOV(sbi, dbp)));
for (; (char *)de <= limit; if (!de->d_reclen) {
de = vxfs_next_entry(sbi, de)) { pos += bsize - 1;
if (!de->d_reclen) pos &= ~(bsize - 1);
break; break;
}
pg_ofs += fs16_to_cpu(sbi, de->d_reclen);
pos += fs16_to_cpu(sbi, de->d_reclen);
if (!de->d_ino) if (!de->d_ino)
continue; continue;
offset = (char *)de - kaddr; rc = dir_emit(ctx, de->d_name,
ctx->pos = ((page << PAGE_SHIFT) | offset) + 2;
if (!dir_emit(ctx, de->d_name,
fs16_to_cpu(sbi, de->d_namelen), fs16_to_cpu(sbi, de->d_namelen),
fs32_to_cpu(sbi, de->d_ino), fs32_to_cpu(sbi, de->d_ino),
DT_UNKNOWN)) { DT_UNKNOWN);
vxfs_put_page(pp); if (!rc) {
return 0; /* the dir entry was not read, fix pos. */
} pos -= fs16_to_cpu(sbi, de->d_reclen);
break;
} }
offset = 0;
} }
vxfs_put_page(pp); vxfs_put_page(pp);
offset = 0; if (!rc)
break;
} }
ctx->pos = ((page << PAGE_SHIFT) | offset) + 2;
ctx->pos = pos | 2;
out:
return 0; return 0;
} }
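Review bot: The new inner loop in vxfs_find_entry still dereferences on-disk values it has not bounded: `pg_ofs < PAGE_SIZE` only guards the first byte of an entry, while the `overhead` from VXFS_DIRBLKOV, `de->d_reclen` and `de->d_namelen` (used by the memcmp here and by dir_emit in vxfs_readdir) can carry the read past the mapped page on a crafted or corrupt image, which is the same class of overflow the description says this commit fixes. The entry header should be checked against PAGE_SIZE before `d_reclen` is read, and a reclen that is shorter than the entry it describes or that extends past the page should be handled like the existing `!de->d_reclen` case so that `pos` still advances and the outer loop cannot spin on the same page; the same loop is repeated verbatim in vxfs_readdir and needs the same check (or a shared helper). That VXFS_DIRLEN takes a name length is inferred only from the removed `VXFS_DIRLEN(1)` line, so adjust the macro use if that is wrong. Separately, `return -ENOMEM` on an IS_ERR page in vxfs_readdir discards the real error; `return PTR_ERR(pp)` keeps it.
```c
			de = (struct vxfs_direct *)(kaddr + pg_ofs);

			/*
			 * overhead, d_reclen and d_namelen all come from disk:
			 * never read a header or a name that crosses the page,
			 * and treat a short or oversized reclen like end of block
			 * so pos still moves forward.
			 */
			if (pg_ofs + VXFS_DIRLEN(1) <= PAGE_SIZE)
				reclen = fs16_to_cpu(sbi, de->d_reclen);
			else
				reclen = 0;
			if (!reclen ||
			    reclen < VXFS_DIRLEN(fs16_to_cpu(sbi, de->d_namelen)) ||
			    pg_ofs + reclen > PAGE_SIZE) {
				pos += bsize - 1;
				pos &= ~(bsize - 1);
				break;
			}

			pg_ofs += reclen;
			pos += reclen;
			/* … unchanged: d_ino / name comparison … */
```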