fat: validate ->i_start before using

On corrupted FATfs may have invalid ->i_start.  To handle it, this checks
->i_start before using, and return proper error code.

Link: http://lkml.kernel.org/r/87o9f8y1t5.fsf_-_@mail.parknet.co.jp
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Tested-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Cc: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/fs/fat/cache.c b/fs/fat/cache.c
index e9bed49..78d501c 100644 (file)
--- a/fs/fat/cache.c
+++ b/fs/fat/cache.c
@@ -225,7 +225,8 @@ static inline void cache_init(struct fat_cache_id *cid, int fclus, int dclus)
 int fat_get_cluster(struct inode *inode, int cluster, int *fclus, int *dclus)
 {
        struct super_block *sb = inode->i_sb;
-       const int limit = sb->s_maxbytes >> MSDOS_SB(sb)->cluster_bits;
+       struct msdos_sb_info *sbi = MSDOS_SB(sb);
+       const int limit = sb->s_maxbytes >> sbi->cluster_bits;
        struct fat_entry fatent;
        struct fat_cache_id cid;
        int nr;
@@ -234,6 +235,12 @@ int fat_get_cluster(struct inode *inode, int cluster, int *fclus, int *dclus)
 
        *fclus = 0;
        *dclus = MSDOS_I(inode)->i_start;
+       if (!fat_valid_entry(sbi, *dclus)) {
+               fat_fs_error_ratelimit(sb,
+                       "%s: invalid start cluster (i_pos %lld, start %08x)",
+                       __func__, MSDOS_I(inode)->i_pos, *dclus);
+               return -EIO;
+       }
        if (cluster == 0)
                return 0;
 
@@ -250,9 +257,8 @@ int fat_get_cluster(struct inode *inode, int cluster, int *fclus, int *dclus)
                /* prevent the infinite loop of cluster chain */
                if (*fclus > limit) {
                        fat_fs_error_ratelimit(sb,
-                                       "%s: detected the cluster chain loop"
-                                       " (i_pos %lld)", __func__,
-                                       MSDOS_I(inode)->i_pos);
+                               "%s: detected the cluster chain loop (i_pos %lld)",
+                               __func__, MSDOS_I(inode)->i_pos);
                        nr = -EIO;
                        goto out;
                }
@@ -262,9 +268,8 @@ int fat_get_cluster(struct inode *inode, int cluster, int *fclus, int *dclus)
                        goto out;
                else if (nr == FAT_ENT_FREE) {
                        fat_fs_error_ratelimit(sb,
-                                      "%s: invalid cluster chain (i_pos %lld)",
-                                      __func__,
-                                      MSDOS_I(inode)->i_pos);
+                               "%s: invalid cluster chain (i_pos %lld)",
+                               __func__, MSDOS_I(inode)->i_pos);
                        nr = -EIO;
                        goto out;
                } else if (nr == FAT_ENT_EOF) {

diff --git a/fs/fat/fat.h b/fs/fat/fat.h
index 154ae54..df84d57 100644 (file)
--- a/fs/fat/fat.h
+++ b/fs/fat/fat.h
@@ -348,6 +348,11 @@ static inline void fatent_brelse(struct fat_entry *fatent)
        fatent->fat_inode = NULL;
 }
 
+static inline bool fat_valid_entry(struct msdos_sb_info *sbi, int entry)
+{
+       return FAT_START_ENT <= entry && entry < sbi->max_cluster;
+}
+
 extern void fat_ent_access_init(struct super_block *sb);
 extern int fat_ent_read(struct inode *inode, struct fat_entry *fatent,
                        int entry);

diff --git a/fs/fat/fatent.c b/fs/fat/fatent.c
index 25d43a5..defc216 100644 (file)
--- a/fs/fat/fatent.c
+++ b/fs/fat/fatent.c
@@ -24,7 +24,7 @@ static void fat12_ent_blocknr(struct super_block *sb, int entry,
 {
        struct msdos_sb_info *sbi = MSDOS_SB(sb);
        int bytes = entry + (entry >> 1);
-       WARN_ON(entry < FAT_START_ENT || sbi->max_cluster <= entry);
+       WARN_ON(!fat_valid_entry(sbi, entry));
        *offset = bytes & (sb->s_blocksize - 1);
        *blocknr = sbi->fat_start + (bytes >> sb->s_blocksize_bits);
 }
@@ -34,7 +34,7 @@ static void fat_ent_blocknr(struct super_block *sb, int entry,
 {
        struct msdos_sb_info *sbi = MSDOS_SB(sb);
        int bytes = (entry << sbi->fatent_shift);
-       WARN_ON(entry < FAT_START_ENT || sbi->max_cluster <= entry);
+       WARN_ON(!fat_valid_entry(sbi, entry));
        *offset = bytes & (sb->s_blocksize - 1);
        *blocknr = sbi->fat_start + (bytes >> sb->s_blocksize_bits);
 }
@@ -354,7 +354,7 @@ int fat_ent_read(struct inode *inode, struct fat_entry *fatent, int entry)
        int err, offset;
        sector_t blocknr;
 
-       if (entry < FAT_START_ENT || sbi->max_cluster <= entry) {
+       if (!fat_valid_entry(sbi, entry)) {
                fatent_brelse(fatent);
                fat_fs_error(sb, "invalid access to FAT (entry 0x%08x)", entry);
                return -EIO;