Hello,
while working on my patchset, I stumbled over an overflow bug which
made me do a quick audit of shifts in ext4 code. I've found a couple of
places which use << and which can overflow (usually on 32-bit
architecture only but at least SEEK_HOLE / SEEK_DATA bugs are real even
for 64-bit architectures). Patches in this series fix the issues I've
found. Likely this is also stable material so Ted, you might want to add
[email protected] to CC when merging the patches.
Honza
On 32-bit archs when sector_t is defined as 32-bit the logic computing
data offset in ext4_inline_data_fiemap(). Fix that by properly typing
the shifted value.
Signed-off-by: Jan Kara <[email protected]>
---
fs/ext4/inline.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 3e2bf87..33331b4 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1842,7 +1842,7 @@ int ext4_inline_data_fiemap(struct inode *inode,
if (error)
goto out;
- physical = iloc.bh->b_blocknr << inode->i_sb->s_blocksize_bits;
+ physical = (__u64)iloc.bh->b_blocknr << inode->i_sb->s_blocksize_bits;
physical += (char *)ext4_raw_inode(&iloc) - iloc.bh->b_data;
physical += offsetof(struct ext4_inode, i_block);
length = i_size_read(inode);
--
1.8.1.4
ext4_lblk_t is just u32 so multiplying it by blocksize can easily
overflow for files larger than 4 GB. Fix that by properly typing the
block offsets before shifting.
Signed-off-by: Jan Kara <[email protected]>
---
fs/ext4/file.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/fs/ext4/file.c b/fs/ext4/file.c
index b1b4d51..b19f0a4 100644
--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -312,7 +312,7 @@ static int ext4_find_unwritten_pgoff(struct inode *inode,
blkbits = inode->i_sb->s_blocksize_bits;
startoff = *offset;
lastoff = startoff;
- endoff = (map->m_lblk + map->m_len) << blkbits;
+ endoff = (loff_t)(map->m_lblk + map->m_len) << blkbits;
index = startoff >> PAGE_CACHE_SHIFT;
end = endoff >> PAGE_CACHE_SHIFT;
@@ -457,7 +457,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize)
ret = ext4_map_blocks(NULL, inode, &map, 0);
if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) {
if (last != start)
- dataoff = last << blkbits;
+ dataoff = (loff_t)last << blkbits;
break;
}
@@ -468,7 +468,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize)
ext4_es_find_delayed_extent_range(inode, last, last, &es);
if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) {
if (last != start)
- dataoff = last << blkbits;
+ dataoff = (loff_t)last << blkbits;
break;
}
@@ -486,7 +486,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize)
}
last++;
- dataoff = last << blkbits;
+ dataoff = (loff_t)last << blkbits;
} while (last <= end);
mutex_unlock(&inode->i_mutex);
@@ -540,7 +540,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize)
ret = ext4_map_blocks(NULL, inode, &map, 0);
if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) {
last += ret;
- holeoff = last << blkbits;
+ holeoff = (loff_t)last << blkbits;
continue;
}
@@ -551,7 +551,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize)
ext4_es_find_delayed_extent_range(inode, last, last, &es);
if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) {
last = es.es_lblk + es.es_len;
- holeoff = last << blkbits;
+ holeoff = (loff_t)last << blkbits;
continue;
}
@@ -566,7 +566,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize)
&map, &holeoff);
if (!unwritten) {
last += ret;
- holeoff = last << blkbits;
+ holeoff = (loff_t)last << blkbits;
continue;
}
}
--
1.8.1.4
The arithmetics adding delalloc blocks to the number of used blocks in
ext4_getattr() can easily overflow on 32-bit archs as we first multiply
number of blocks by blocksize and then divide back by 512. Make the
arithmetics more clever and also use proper type (unsigned long long
instead of unsigned long).
Signed-off-by: Jan Kara <[email protected]>
---
fs/ext4/inode.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index d6382b8..83d9e69 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4805,7 +4805,7 @@ int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry,
struct kstat *stat)
{
struct inode *inode;
- unsigned long delalloc_blocks;
+ unsigned long long delalloc_blocks;
inode = dentry->d_inode;
generic_fillattr(inode, stat);
@@ -4823,7 +4823,7 @@ int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry,
delalloc_blocks = EXT4_C2B(EXT4_SB(inode->i_sb),
EXT4_I(inode)->i_reserved_data_blocks);
- stat->blocks += (delalloc_blocks << inode->i_sb->s_blocksize_bits)>>9;
+ stat->blocks += delalloc_blocks << (inode->i_sb->s_blocksize_bits-9);
return 0;
}
--
1.8.1.4
On 32-bit architectures with 32-bit sector_t computation of data offset
in ext4_xattr_fiemap() can overflow resulting in reporting bogus data
location. Fix the problem by typing block number to proper type before
shifting.
Signed-off-by: Jan Kara <[email protected]>
---
fs/ext4/extents.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index bc0f191..e49da58 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -4659,7 +4659,7 @@ static int ext4_xattr_fiemap(struct inode *inode,
error = ext4_get_inode_loc(inode, &iloc);
if (error)
return error;
- physical = iloc.bh->b_blocknr << blockbits;
+ physical = (__u64)iloc.bh->b_blocknr << blockbits;
offset = EXT4_GOOD_OLD_INODE_SIZE +
EXT4_I(inode)->i_extra_isize;
physical += offset;
@@ -4667,7 +4667,7 @@ static int ext4_xattr_fiemap(struct inode *inode,
flags |= FIEMAP_EXTENT_DATA_INLINE;
brelse(iloc.bh);
} else { /* external block */
- physical = EXT4_I(inode)->i_file_acl << blockbits;
+ physical = (__u64)EXT4_I(inode)->i_file_acl << blockbits;
length = inode->i_sb->s_blocksize;
}
--
1.8.1.4
On Wed, May 29, 2013 at 02:05:31PM +0200, Jan Kara wrote:
> ext4_lblk_t is just u32 so multiplying it by blocksize can easily
> overflow for files larger than 4 GB. Fix that by properly typing the
> block offsets before shifting.
>
> Signed-off-by: Jan Kara <[email protected]>
Ah, it's my fault. Thanks for fixing this.
Reviewed-by: Zheng Liu <[email protected]>
- Zheng
> ---
> fs/ext4/file.c | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/fs/ext4/file.c b/fs/ext4/file.c
> index b1b4d51..b19f0a4 100644
> --- a/fs/ext4/file.c
> +++ b/fs/ext4/file.c
> @@ -312,7 +312,7 @@ static int ext4_find_unwritten_pgoff(struct inode *inode,
> blkbits = inode->i_sb->s_blocksize_bits;
> startoff = *offset;
> lastoff = startoff;
> - endoff = (map->m_lblk + map->m_len) << blkbits;
> + endoff = (loff_t)(map->m_lblk + map->m_len) << blkbits;
>
> index = startoff >> PAGE_CACHE_SHIFT;
> end = endoff >> PAGE_CACHE_SHIFT;
> @@ -457,7 +457,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize)
> ret = ext4_map_blocks(NULL, inode, &map, 0);
> if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) {
> if (last != start)
> - dataoff = last << blkbits;
> + dataoff = (loff_t)last << blkbits;
> break;
> }
>
> @@ -468,7 +468,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize)
> ext4_es_find_delayed_extent_range(inode, last, last, &es);
> if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) {
> if (last != start)
> - dataoff = last << blkbits;
> + dataoff = (loff_t)last << blkbits;
> break;
> }
>
> @@ -486,7 +486,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize)
> }
>
> last++;
> - dataoff = last << blkbits;
> + dataoff = (loff_t)last << blkbits;
> } while (last <= end);
>
> mutex_unlock(&inode->i_mutex);
> @@ -540,7 +540,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize)
> ret = ext4_map_blocks(NULL, inode, &map, 0);
> if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) {
> last += ret;
> - holeoff = last << blkbits;
> + holeoff = (loff_t)last << blkbits;
> continue;
> }
>
> @@ -551,7 +551,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize)
> ext4_es_find_delayed_extent_range(inode, last, last, &es);
> if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) {
> last = es.es_lblk + es.es_len;
> - holeoff = last << blkbits;
> + holeoff = (loff_t)last << blkbits;
> continue;
> }
>
> @@ -566,7 +566,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize)
> &map, &holeoff);
> if (!unwritten) {
> last += ret;
> - holeoff = last << blkbits;
> + holeoff = (loff_t)last << blkbits;
> continue;
> }
> }
> --
> 1.8.1.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, May 29, 2013 at 02:05:33PM +0200, Jan Kara wrote:
> The arithmetics adding delalloc blocks to the number of used blocks in
> ext4_getattr() can easily overflow on 32-bit archs as we first multiply
> number of blocks by blocksize and then divide back by 512. Make the
> arithmetics more clever and also use proper type (unsigned long long
> instead of unsigned long).
>
> Signed-off-by: Jan Kara <[email protected]>
I've applied these four patches to the ext4 tree, thanks!!
- Ted
On 5/29/13 7:05 AM, Jan Kara wrote:
> Hello,
>
> while working on my patchset, I stumbled over an overflow bug which
> made me do a quick audit of shifts in ext4 code. I've found a couple of
> places which use << and which can overflow (usually on 32-bit
> architecture only but at least SEEK_HOLE / SEEK_DATA bugs are real even
> for 64-bit architectures). Patches in this series fix the issues I've
> found. Likely this is also stable material so Ted, you might want to add
> [email protected] to CC when merging the patches.
>
> Honza
I don't think these did get cc'd to stable. Was there a reason for that,
or was it an oversight?
-Eric
On Tue, Jul 09, 2013 at 09:14:29AM -0500, Eric Sandeen wrote:
>
> I don't think these did get cc'd to stable. Was there a reason for that,
> or was it an oversight?
It was an oversight; my fault, sorry. I'll send a request to the
stable kernel tree for the following patches:
8af8eec ext4: fix overflow when counting used blocks on 32-bit architectures
a60697f ext4: fix data offset overflow in ext4_xattr_fiemap() on 32-bit archs
e7293fd ext4: fix overflows in SEEK_HOLE, SEEK_DATA implementations
eaf3793 ext4: fix data offset overflow on 32-bit archs in ext4_inline_data_fiemap()
- Ted
From: Jan Kara <[email protected]>
On 32-bit architectures with 32-bit sector_t computation of data offset
in ext4_xattr_fiemap() can overflow resulting in reporting bogus data
location. Fix the problem by typing block number to proper type before
shifting.
Signed-off-by: Jan Kara <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
---
fs/ext4/extents.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 214e68a..299ee9d 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -4679,7 +4679,7 @@ static int ext4_xattr_fiemap(struct inode *inode,
error = ext4_get_inode_loc(inode, &iloc);
if (error)
return error;
- physical = iloc.bh->b_blocknr << blockbits;
+ physical = (__u64)iloc.bh->b_blocknr << blockbits;
offset = EXT4_GOOD_OLD_INODE_SIZE +
EXT4_I(inode)->i_extra_isize;
physical += offset;
@@ -4687,7 +4687,7 @@ static int ext4_xattr_fiemap(struct inode *inode,
flags |= FIEMAP_EXTENT_DATA_INLINE;
brelse(iloc.bh);
} else { /* external block */
- physical = EXT4_I(inode)->i_file_acl << blockbits;
+ physical = (__u64)EXT4_I(inode)->i_file_acl << blockbits;
length = inode->i_sb->s_blocksize;
}
--
1.7.12.rc0.22.gcdd159b
From: Jan Kara <[email protected]>
ext4_lblk_t is just u32 so multiplying it by blocksize can easily
overflow for files larger than 4 GB. Fix that by properly typing the
block offsets before shifting.
Signed-off-by: Jan Kara <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
Reviewed-by: Zheng Liu <[email protected]>
---
fs/ext4/file.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/fs/ext4/file.c b/fs/ext4/file.c
index b1b4d51..b19f0a4 100644
--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -312,7 +312,7 @@ static int ext4_find_unwritten_pgoff(struct inode *inode,
blkbits = inode->i_sb->s_blocksize_bits;
startoff = *offset;
lastoff = startoff;
- endoff = (map->m_lblk + map->m_len) << blkbits;
+ endoff = (loff_t)(map->m_lblk + map->m_len) << blkbits;
index = startoff >> PAGE_CACHE_SHIFT;
end = endoff >> PAGE_CACHE_SHIFT;
@@ -457,7 +457,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize)
ret = ext4_map_blocks(NULL, inode, &map, 0);
if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) {
if (last != start)
- dataoff = last << blkbits;
+ dataoff = (loff_t)last << blkbits;
break;
}
@@ -468,7 +468,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize)
ext4_es_find_delayed_extent_range(inode, last, last, &es);
if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) {
if (last != start)
- dataoff = last << blkbits;
+ dataoff = (loff_t)last << blkbits;
break;
}
@@ -486,7 +486,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize)
}
last++;
- dataoff = last << blkbits;
+ dataoff = (loff_t)last << blkbits;
} while (last <= end);
mutex_unlock(&inode->i_mutex);
@@ -540,7 +540,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize)
ret = ext4_map_blocks(NULL, inode, &map, 0);
if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) {
last += ret;
- holeoff = last << blkbits;
+ holeoff = (loff_t)last << blkbits;
continue;
}
@@ -551,7 +551,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize)
ext4_es_find_delayed_extent_range(inode, last, last, &es);
if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) {
last = es.es_lblk + es.es_len;
- holeoff = last << blkbits;
+ holeoff = (loff_t)last << blkbits;
continue;
}
@@ -566,7 +566,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize)
&map, &holeoff);
if (!unwritten) {
last += ret;
- holeoff = last << blkbits;
+ holeoff = (loff_t)last << blkbits;
continue;
}
}
--
1.7.12.rc0.22.gcdd159b
From: Jan Kara <[email protected]>
On 32-bit archs when sector_t is defined as 32-bit the logic computing
data offset in ext4_inline_data_fiemap(). Fix that by properly typing
the shifted value.
Signed-off-by: Jan Kara <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
---
fs/ext4/inline.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 3e2bf87..33331b4 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1842,7 +1842,7 @@ int ext4_inline_data_fiemap(struct inode *inode,
if (error)
goto out;
- physical = iloc.bh->b_blocknr << inode->i_sb->s_blocksize_bits;
+ physical = (__u64)iloc.bh->b_blocknr << inode->i_sb->s_blocksize_bits;
physical += (char *)ext4_raw_inode(&iloc) - iloc.bh->b_data;
physical += offsetof(struct ext4_inode, i_block);
length = i_size_read(inode);
--
1.7.12.rc0.22.gcdd159b
From: Jan Kara <[email protected]>
The arithmetics adding delalloc blocks to the number of used blocks in
ext4_getattr() can easily overflow on 32-bit archs as we first multiply
number of blocks by blocksize and then divide back by 512. Make the
arithmetics more clever and also use proper type (unsigned long long
instead of unsigned long).
Signed-off-by: Jan Kara <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
---
fs/ext4/inode.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 0fca5a8..38f03dc 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4702,7 +4702,7 @@ int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry,
struct kstat *stat)
{
struct inode *inode;
- unsigned long delalloc_blocks;
+ unsigned long long delalloc_blocks;
inode = dentry->d_inode;
generic_fillattr(inode, stat);
@@ -4720,7 +4720,7 @@ int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry,
delalloc_blocks = EXT4_C2B(EXT4_SB(inode->i_sb),
EXT4_I(inode)->i_reserved_data_blocks);
- stat->blocks += (delalloc_blocks << inode->i_sb->s_blocksize_bits)>>9;
+ stat->blocks += delalloc_blocks << (inode->i_sb->s_blocksize_bits-9);
return 0;
}
--
1.7.12.rc0.22.gcdd159b
On 7/9/13 9:38 AM, Theodore Ts'o wrote:
> On Tue, Jul 09, 2013 at 09:14:29AM -0500, Eric Sandeen wrote:
>>
>> I don't think these did get cc'd to stable. Was there a reason for that,
>> or was it an oversight?
>
> It was an oversight; my fault, sorry. I'll send a request to the
> stable kernel tree for the following patches:
>
> 8af8eec ext4: fix overflow when counting used blocks on 32-bit architectures
> a60697f ext4: fix data offset overflow in ext4_xattr_fiemap() on 32-bit archs
> e7293fd ext4: fix overflows in SEEK_HOLE, SEEK_DATA implementations
> eaf3793 ext4: fix data offset overflow on 32-bit archs in ext4_inline_data_fiemap()
>
> - Ted
Thanks Ted!
-Eric
"Theodore Ts'o" <[email protected]> writes:
> On Tue, Jul 09, 2013 at 09:14:29AM -0500, Eric Sandeen wrote:
>>
>> I don't think these did get cc'd to stable. Was there a reason for that,
>> or was it an oversight?
>
> It was an oversight; my fault, sorry. I'll send a request to the
> stable kernel tree for the following patches:
>
> 8af8eec ext4: fix overflow when counting used blocks on 32-bit architectures
> a60697f ext4: fix data offset overflow in ext4_xattr_fiemap() on 32-bit archs
> e7293fd ext4: fix overflows in SEEK_HOLE, SEEK_DATA implementations
> eaf3793 ext4: fix data offset overflow on 32-bit archs in ext4_inline_data_fiemap()
>
> - Ted
Thanks Ted. All of these patches seem to be applicable to the 3.8
kernel. As for the 3.5 kernel, I'm queuing the first 2 patches only.
Cheers,
--
Luis
On Tue, Jul 9, 2013 at 10:38 AM, Theodore Ts'o <[email protected]> wrote:
> On Tue, Jul 09, 2013 at 09:14:29AM -0500, Eric Sandeen wrote:
>>
>> I don't think these did get cc'd to stable. Was there a reason for that,
>> or was it an oversight?
>
> It was an oversight; my fault, sorry. I'll send a request to the
> stable kernel tree for the following patches:
>
> 8af8eec ext4: fix overflow when counting used blocks on 32-bit architectures
> a60697f ext4: fix data offset overflow in ext4_xattr_fiemap() on 32-bit archs
> e7293fd ext4: fix overflows in SEEK_HOLE, SEEK_DATA implementations
> eaf3793 ext4: fix data offset overflow on 32-bit archs in ext4_inline_data_fiemap()
Greg, are these 4 commits part of the large pile you're sitting on
right now? Just want to make sure the request wasn't missed, as they
lack the CC to stable.
josh
On Fri, Jul 12, 2013 at 09:15:06AM -0400, Josh Boyer wrote:
> On Tue, Jul 9, 2013 at 10:38 AM, Theodore Ts'o <[email protected]> wrote:
> > On Tue, Jul 09, 2013 at 09:14:29AM -0500, Eric Sandeen wrote:
> >>
> >> I don't think these did get cc'd to stable. Was there a reason for that,
> >> or was it an oversight?
> >
> > It was an oversight; my fault, sorry. I'll send a request to the
> > stable kernel tree for the following patches:
> >
> > 8af8eec ext4: fix overflow when counting used blocks on 32-bit architectures
> > a60697f ext4: fix data offset overflow in ext4_xattr_fiemap() on 32-bit archs
> > e7293fd ext4: fix overflows in SEEK_HOLE, SEEK_DATA implementations
> > eaf3793 ext4: fix data offset overflow on 32-bit archs in ext4_inline_data_fiemap()
>
> Greg, are these 4 commits part of the large pile you're sitting on
> right now? Just want to make sure the request wasn't missed, as they
> lack the CC to stable.
They are still in my "to-apply" queue, and are not lost. And I wasn't
counting them in the 170 patches I have to review, make that 174 now :)
thanks,
greg k-h
On Tue, 2013-07-09 at 10:38 -0400, Theodore Ts'o wrote:
> On Tue, Jul 09, 2013 at 09:14:29AM -0500, Eric Sandeen wrote:
> >
> > I don't think these did get cc'd to stable. Was there a reason for that,
> > or was it an oversight?
>
> It was an oversight; my fault, sorry. I'll send a request to the
> stable kernel tree for the following patches:
>
> 8af8eec ext4: fix overflow when counting used blocks on 32-bit architectures
> a60697f ext4: fix data offset overflow in ext4_xattr_fiemap() on 32-bit archs
Both queued up for 3.2, thanks.
> e7293fd ext4: fix overflows in SEEK_HOLE, SEEK_DATA implementations
> eaf3793 ext4: fix data offset overflow on 32-bit archs in ext4_inline_data_fiemap()
These are for features that were added after 3.2.
Ben.
--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.