Star64_linux/fs
David Sterba f5cdedd73f btrfs: handle invalid num_stripes in sys_array
We can handle the special case of num_stripes == 0 directly inside
btrfs_read_sys_array. The BUG_ON in btrfs_chunk_item_size is there to
catch other unhandled cases where we fail to validate external data.

A crafted or corrupted image crashes at mount time:

BTRFS: device fsid 9006933e-2a9a-44f0-917f-514252aeec2c devid 1 transid 7 /dev/loop0
BTRFS info (device loop0): disk space caching is enabled
BUG: failure at fs/btrfs/ctree.h:337/btrfs_chunk_item_size()!
Kernel panic - not syncing: BUG!
CPU: 0 PID: 313 Comm: mount Not tainted 4.2.5-00657-ge047887-dirty #25
Stack:
 637af890 60062489 602aeb2e 604192ba
 60387961 00000011 637af8a0 6038a835
 637af9c0 6038776b 634ef32b 00000000
Call Trace:
 [<6001c86d>] show_stack+0xfe/0x15b
 [<6038a835>] dump_stack+0x2a/0x2c
 [<6038776b>] panic+0x13e/0x2b3
 [<6020f099>] btrfs_read_sys_array+0x25d/0x2ff
 [<601cfbbe>] open_ctree+0x192d/0x27af
 [<6019c2c1>] btrfs_mount+0x8f5/0xb9a
 [<600bc9a7>] mount_fs+0x11/0xf3
 [<600d5167>] vfs_kern_mount+0x75/0x11a
 [<6019bcb0>] btrfs_mount+0x2e4/0xb9a
 [<600bc9a7>] mount_fs+0x11/0xf3
 [<600d5167>] vfs_kern_mount+0x75/0x11a
 [<600d710b>] do_mount+0xa35/0xbc9
 [<600d7557>] SyS_mount+0x95/0xc8
 [<6001e884>] handle_syscall+0x6b/0x8e

Reported-by: Jiri Slaby <jslaby@suse.com>
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
CC: stable@vger.kernel.org	# 3.19+
Signed-off-by: David Sterba <dsterba@suse.com>
2016-01-07 14:26:58 +01:00
9p 9p: ->evict_inode() should kick out ->i_data, not ->i_mapping 2015-12-08 14:51:16 -05:00
adfs
affs
afs
autofs4
befs
bfs
btrfs btrfs: handle invalid num_stripes in sys_array 2016-01-07 14:26:58 +01:00
cachefiles
ceph
cifs sched/wait: Fix the signal handling fix 2015-12-13 14:30:59 -08:00
coda
configfs
cramfs
debugfs
devpts
dlm net: rename SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATA 2015-12-01 15:45:05 -05:00
ecryptfs
efivarfs
efs
exofs osd fs: __r4w_get_page rely on PageUptodate for uptodate 2015-12-12 10:15:34 -08:00
exportfs
ext2
ext4 Ext4 bug fixes for v4.4, including fixes for post-2038 time encodings, 2015-12-07 10:25:00 -08:00
f2fs
fat
freevxfs
fscache
fuse Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse 2015-12-11 10:56:41 -08:00
gfs2
hfs
hfsplus
hostfs
hpfs
hugetlbfs
isofs
jbd2 Ext4 bug fixes for v4.4, including fixes for post-2038 time encodings, 2015-12-07 10:25:00 -08:00
jffs2
jfs
kernfs
lockd
logfs
minix
ncpfs
nfs sched/wait: Fix the signal handling fix 2015-12-13 14:30:59 -08:00
nfs_common
nfsd
nilfs2
nls
notify
ntfs
ocfs2 ocfs2: fix SGID not inherited issue 2015-12-12 10:15:34 -08:00
omfs
openpromfs
overlayfs ovl: get rid of the dead code left from broken (and disabled) optimizations 2015-12-06 12:31:07 -05:00
proc proc: fix -ESRCH error when writing to /proc/$pid/coredump_filter 2015-12-18 14:25:40 -08:00
pstore
qnx4
qnx6
quota
ramfs
reiserfs
romfs
squashfs
sysfs
sysv fix sysvfs symlinks 2015-11-23 21:11:08 -05:00
tracefs
ubifs
udf
ufs
xfs
aio.c
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c
binfmt_elf.c
binfmt_elf_fdpic.c
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
block_dev.c block: detach bdev inode from its wb in __blkdev_put() 2015-12-04 11:02:17 -07:00
buffer.c
char_dev.c
compat.c
compat_binfmt_elf.c
compat_ioctl.c
coredump.c
dax.c
dcache.c
dcookies.c
direct-io.c fix the regression from "direct-io: Fix negative return from dio read beyond eof" 2015-12-08 15:02:42 -05:00
drop_caches.c
eventfd.c
eventpoll.c
exec.c
fcntl.c
fhandle.c
file.c
file_table.c
filesystems.c
fs-writeback.c
fs_pin.c
fs_struct.c
inode.c
internal.h
ioctl.c
Kconfig
Kconfig.binfmt
libfs.c
locks.c
Makefile
mbcache.c
mount.h
mpage.c
namei.c Don't reset ->total_link_count on nested calls of vfs_path_lookup() 2015-12-06 12:33:02 -05:00
namespace.c
no-block.c
nsfs.c
open.c
pipe.c
pnode.c
pnode.h
posix_acl.c
proc_namespace.c
read_write.c
readdir.c
select.c
seq_file.c
signalfd.c
splice.c vfs: Avoid softlockups with sendfile(2) 2015-11-23 21:15:30 -05:00
stack.c
stat.c
statfs.c
super.c
sync.c
timerfd.c
userfaultfd.c
utimes.c
xattr.c