From nobody Sun Feb  8 22:08:36 2026
Return-Path: <linux-kernel-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 0D848C88CB5
	for <linux-kernel@archiver.kernel.org>; Mon, 12 Jun 2023 14:01:17 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236875AbjFLOBO (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Mon, 12 Jun 2023 10:01:14 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47098 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S236219AbjFLOA5 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 12 Jun 2023 10:00:57 -0400
Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B59D310D9
        for <linux-kernel@vger.kernel.org>;
 Mon, 12 Jun 2023 07:00:54 -0700 (PDT)
Received: from kwepemm600012.china.huawei.com (unknown [172.30.72.55])
        by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4QftYR4Th3zLqLh;
        Mon, 12 Jun 2023 21:57:47 +0800 (CST)
Received: from build.huawei.com (10.175.101.6) by
 kwepemm600012.china.huawei.com (7.193.23.74) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2507.23; Mon, 12 Jun 2023 22:00:51 +0800
From: Wenchao Hao <haowenchao2@huawei.com>
To: Jan Kara <jack@suse.com>, <linux-kernel@vger.kernel.org>
CC: <linfeilong@huawei.com>, Wenchao Hao <haowenchao2@huawei.com>
Subject: [PATCH 1/2] udf: add helper function udf_check_tagged_bh to check
 tagged page
Date: Tue, 13 Jun 2023 11:22:53 +0800
Message-ID: <20230613032254.1235752-2-haowenchao2@huawei.com>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20230613032254.1235752-1-haowenchao2@huawei.com>
References: <20230613032254.1235752-1-haowenchao2@huawei.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: [10.175.101.6]
X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To
 kwepemm600012.china.huawei.com (7.193.23.74)
X-CFilter-Loop: Reflected
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

This helper function is used to check if a buffer head's data is valid
and would be called in future.

Signed-off-by: Wenchao Hao <haowenchao2@huawei.com>
---
 fs/udf/misc.c    | 60 ++++++++++++++++++++++++++++--------------------
 fs/udf/udfdecl.h |  1 +
 2 files changed, 36 insertions(+), 25 deletions(-)

diff --git a/fs/udf/misc.c b/fs/udf/misc.c
index 3777468d06ce..b20b53fc8d41 100644
--- a/fs/udf/misc.c
+++ b/fs/udf/misc.c
@@ -179,6 +179,40 @@ struct genericFormat *udf_get_extendedattr(struct inod=
e *inode, uint32_t type,
 	return NULL;
 }
=20
+bool udf_check_tagged_bh(struct super_block *sb, struct buffer_head *bh)
+{
+	u8 checksum;
+	struct tag *tag_p =3D (struct tag *)(bh->b_data);
+
+	/* Verify the tag checksum */
+	checksum =3D udf_tag_checksum(tag_p);
+	if (checksum !=3D tag_p->tagChecksum) {
+		udf_err(sb, "tag checksum failed, block %llu: 0x%02x !=3D 0x%02x\n",
+			bh->b_blocknr, checksum, tag_p->tagChecksum);
+		return false;
+	}
+
+	/* Verify the tag version */
+	if (tag_p->descVersion !=3D cpu_to_le16(0x0002U) &&
+	    tag_p->descVersion !=3D cpu_to_le16(0x0003U)) {
+		udf_err(sb, "tag version 0x%04x !=3D 0x0002 || 0x0003, block %llu\n",
+			le16_to_cpu(tag_p->descVersion), bh->b_blocknr);
+		return false;
+	}
+
+	/* Verify the descriptor CRC */
+	if (le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocks=
ize ||
+	    le16_to_cpu(tag_p->descCRC) =3D=3D crc_itu_t(0,
+					bh->b_data + sizeof(struct tag),
+					le16_to_cpu(tag_p->descCRCLength)))
+		return true;
+
+	udf_debug("Crc failure block %llu: crc =3D %u, crclen =3D %u\n", bh->b_bl=
ocknr,
+		  le16_to_cpu(tag_p->descCRC),
+		  le16_to_cpu(tag_p->descCRCLength));
+	return false;
+}
+
 /*
  * udf_read_tagged
  *
@@ -194,7 +228,6 @@ struct buffer_head *udf_read_tagged(struct super_block =
*sb, uint32_t block,
 {
 	struct tag *tag_p;
 	struct buffer_head *bh =3D NULL;
-	u8 checksum;
=20
 	/* Read the block */
 	if (block =3D=3D 0xFFFFFFFF)
@@ -217,32 +250,9 @@ struct buffer_head *udf_read_tagged(struct super_block=
 *sb, uint32_t block,
 		goto error_out;
 	}
=20
-	/* Verify the tag checksum */
-	checksum =3D udf_tag_checksum(tag_p);
-	if (checksum !=3D tag_p->tagChecksum) {
-		udf_err(sb, "tag checksum failed, block %u: 0x%02x !=3D 0x%02x\n",
-			block, checksum, tag_p->tagChecksum);
-		goto error_out;
-	}
-
-	/* Verify the tag version */
-	if (tag_p->descVersion !=3D cpu_to_le16(0x0002U) &&
-	    tag_p->descVersion !=3D cpu_to_le16(0x0003U)) {
-		udf_err(sb, "tag version 0x%04x !=3D 0x0002 || 0x0003, block %u\n",
-			le16_to_cpu(tag_p->descVersion), block);
-		goto error_out;
-	}
-
-	/* Verify the descriptor CRC */
-	if (le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocks=
ize ||
-	    le16_to_cpu(tag_p->descCRC) =3D=3D crc_itu_t(0,
-					bh->b_data + sizeof(struct tag),
-					le16_to_cpu(tag_p->descCRCLength)))
+	if (udf_check_tagged_bh(sb, bh))
 		return bh;
=20
-	udf_debug("Crc failure block %u: crc =3D %u, crclen =3D %u\n", block,
-		  le16_to_cpu(tag_p->descCRC),
-		  le16_to_cpu(tag_p->descCRCLength));
 error_out:
 	brelse(bh);
 	return NULL;
diff --git a/fs/udf/udfdecl.h b/fs/udf/udfdecl.h
index 88692512a466..fb269752b9c6 100644
--- a/fs/udf/udfdecl.h
+++ b/fs/udf/udfdecl.h
@@ -180,6 +180,7 @@ extern struct genericFormat *udf_add_extendedattr(struc=
t inode *, uint32_t,
 						  uint32_t, uint8_t);
 extern struct genericFormat *udf_get_extendedattr(struct inode *, uint32_t,
 						  uint8_t);
+extern bool udf_check_tagged_bh(struct super_block *sb, struct buffer_head=
 *bh);
 extern struct buffer_head *udf_read_tagged(struct super_block *, uint32_t,
 					   uint32_t, uint16_t *);
 extern struct buffer_head *udf_read_ptagged(struct super_block *,
--=20
2.35.3
From nobody Sun Feb  8 22:08:36 2026
Return-Path: <linux-kernel-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id CE6ACC88CB2
	for <linux-kernel@archiver.kernel.org>; Mon, 12 Jun 2023 14:01:11 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236823AbjFLOBK (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Mon, 12 Jun 2023 10:01:10 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47090 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S236177AbjFLOA5 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 12 Jun 2023 10:00:57 -0400
Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B603310E6
        for <linux-kernel@vger.kernel.org>;
 Mon, 12 Jun 2023 07:00:54 -0700 (PDT)
Received: from kwepemm600012.china.huawei.com (unknown [172.30.72.53])
        by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4QftcS0cSHzTl2s;
        Mon, 12 Jun 2023 22:00:24 +0800 (CST)
Received: from build.huawei.com (10.175.101.6) by
 kwepemm600012.china.huawei.com (7.193.23.74) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2507.23; Mon, 12 Jun 2023 22:00:51 +0800
From: Wenchao Hao <haowenchao2@huawei.com>
To: Jan Kara <jack@suse.com>, <linux-kernel@vger.kernel.org>
CC: <linfeilong@huawei.com>, Wenchao Hao <haowenchao2@huawei.com>
Subject: [PATCH 2/2] udf:check if buffer head's data when getting lvidiu
Date: Tue, 13 Jun 2023 11:22:54 +0800
Message-ID: <20230613032254.1235752-3-haowenchao2@huawei.com>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20230613032254.1235752-1-haowenchao2@huawei.com>
References: <20230613032254.1235752-1-haowenchao2@huawei.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: [10.175.101.6]
X-ClientProxiedBy: dggems702-chm.china.huawei.com (10.3.19.179) To
 kwepemm600012.china.huawei.com (7.193.23.74)
X-CFilter-Loop: Reflected
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

We can not always assume udf_sb_info->s_lvid_bh's data is valid. If the
data is corrupted, we would get an incorrect offset and cause the
following code access an illegal address.

Signed-off-by: Wenchao Hao <haowenchao2@huawei.com>
---
 fs/udf/super.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/udf/super.c b/fs/udf/super.c
index 6304e3c5c3d9..71481b60c871 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -114,6 +114,8 @@ struct logicalVolIntegrityDescImpUse *udf_sb_lvidiu(str=
uct super_block *sb)
=20
 	if (!UDF_SB(sb)->s_lvid_bh)
 		return NULL;
+	if (!udf_check_tagged_bh(sb, UDF_SB(sb)->s_lvid_bh))
+		return NULL;
 	lvid =3D (struct logicalVolIntegrityDesc *)UDF_SB(sb)->s_lvid_bh->b_data;
 	partnum =3D le32_to_cpu(lvid->numOfPartitions);
 	/* The offset is to skip freeSpaceTable and sizeTable arrays */
--=20
2.35.3