From: Zhong Jinghua zhongjinghua@huawei.com
hulk inclusion category: bugfix bugzilla: 187046, https://gitee.com/openeuler/kernel/issues/I5QH0X CVE: NA
--------------------------------
This reverts commit 1e9a49cfcc71112409dd40231ac614a809fffc38.
The mainline of this patch already exists, revert the interim patch
Signed-off-by: Zhong Jinghua zhongjinghua@huawei.com Reviewed-by: Zhang Yi yi.zhang@huawei.com Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com --- fs/quota/quota_tree.c | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/fs/quota/quota_tree.c b/fs/quota/quota_tree.c index 5389cabc6f20..3b5d2429b29c 100644 --- a/fs/quota/quota_tree.c +++ b/fs/quota/quota_tree.c @@ -79,12 +79,11 @@ static ssize_t write_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf) return ret; }
-static inline int do_check_range(struct super_block *sb, uint val, - uint min_val, uint max_val) +static inline int do_check_range(struct super_block *sb, uint val, uint max_val) { - if (val < min_val || val >= max_val) { - quota_error(sb, "Getting block %u out of range %u-%u", - val, min_val, max_val); + if (val >= max_val) { + quota_error(sb, "Getting block too big (%u >= %u)", + val, max_val); return -EUCLEAN; }
@@ -98,11 +97,11 @@ static int check_free_block(struct qtree_mem_dqinfo *info, uint nextblk, prevblk;
nextblk = le32_to_cpu(dh->dqdh_next_free); - err = do_check_range(info->dqi_sb, nextblk, 0, info->dqi_blocks); + err = do_check_range(info->dqi_sb, nextblk, info->dqi_blocks); if (err) return err; prevblk = le32_to_cpu(dh->dqdh_prev_free); - err = do_check_range(info->dqi_sb, prevblk, 0, info->dqi_blocks); + err = do_check_range(info->dqi_sb, prevblk, info->dqi_blocks); if (err) return err;
@@ -527,10 +526,12 @@ static int remove_tree(struct qtree_mem_dqinfo *info, struct dquot *dquot, goto out_buf; } newblk = le32_to_cpu(ref[get_index(info, dquot->dq_id, depth)]); - ret = do_check_range(dquot->dq_sb, newblk, QT_TREEOFF, - info->dqi_blocks); - if (ret) + if (newblk < QT_TREEOFF || newblk >= info->dqi_blocks) { + quota_error(dquot->dq_sb, "Getting block too big (%u >= %u)", + newblk, info->dqi_blocks); + ret = -EUCLEAN; goto out_buf; + }
if (depth == info->dqi_qtree_depth - 1) { ret = free_dqentry(info, dquot, newblk); @@ -631,9 +632,12 @@ static loff_t find_tree_dqentry(struct qtree_mem_dqinfo *info, blk = le32_to_cpu(ref[get_index(info, dquot->dq_id, depth)]); if (!blk) /* No reference? */ goto out_buf; - ret = do_check_range(dquot->dq_sb, blk, QT_TREEOFF, info->dqi_blocks); - if (ret) + if (blk < QT_TREEOFF || blk >= info->dqi_blocks) { + quota_error(dquot->dq_sb, "Getting block too big (%u >= %u)", + blk, info->dqi_blocks); + ret = -EUCLEAN; goto out_buf; + }
if (depth < info->dqi_qtree_depth - 1) ret = find_tree_dqentry(info, dquot, blk, depth+1);