Commit b5b440c4 authored Jul 17, 2024 by Baokun Li Committed by Yifan Qiao Jul 17, 2024

ext4: set type of ac_groups_linear_remaining to __u32 to avoid overflow

mainline inclusion
from mainline-v6.10-rc1
commit 9a9f3a9842927e4af7ca10c19c94dad83bebd713
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAD018
CVE: CVE-2024-40955

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9a9f3a9842927e4af7ca10c19c94dad83bebd713



--------------------------------

Now ac_groups_linear_remaining is of type __u16 and s_mb_max_linear_groups
is of type unsigned int, so an overflow occurs when setting a value above
65535 through the mb_max_linear_groups sysfs interface. Therefore, the
type of ac_groups_linear_remaining is set to __u32 to avoid overflow.

Fixes: 196e402a ("ext4: improve cr 0 / cr 1 group scanning")
CC: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20240319113325.3110393-8-libaokun1@huawei.com


Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Conflicts:
	fs/ext4/mballoc.h
[context differences]
Signed-off-by: Yifan Qiao <qiaoyifan4@huawei.com>

parent da4e7421

fs/ext4/mballoc.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -194,8 +194,8 @@ struct ext4_allocation_context {

		__u32 ac_groups_considered;
		__u32 ac_flags; /* allocation hints */
		__u32 ac_groups_linear_remaining;
		__u16 ac_groups_scanned;
		__u16 ac_groups_linear_remaining;
		__u16 ac_found;
		__u16 ac_cX_found[EXT4_MB_NUM_CRS];
		__u16 ac_tail;