udf: refactor udf_current_aext()/udf_next_aext() to handle error

[PATCH 0/3] udf: refactor udf_current_aext()/udf_next_aext() to handle error

Zhao Mengmeng posted 3 patches 2 months, 1 week ago

Download series mbox

fs/udf/balloc.c    |   6 +--
fs/udf/directory.c |  20 +++++---
fs/udf/inode.c     | 112 ++++++++++++++++++++++++++-------------------
fs/udf/partition.c |   6 ++-
fs/udf/super.c     |   3 +-
fs/udf/truncate.c  |  16 +++----
fs/udf/udfdecl.h   |  15 +++---
7 files changed, 104 insertions(+), 74 deletions(-)

Expand all Fold all

[PATCH 0/3] udf: refactor udf_current_aext()/udf_next_aext() to handle error

Posted by Zhao Mengmeng 2 months, 1 week ago

From: Zhao Mengmeng <zhaomengmeng@kylinos.cn>

syzbot reports a udf slab-out-of-bounds at [1] and I proposed a fix patch,
after talking with Jan, a better way to fix this is to refactor 
udf_current_aext() and udf_next_aext() to differentiate between error and
"hit EOF".
This series refactor udf_current_aext(), udf_next_aext() and inode_bmap(),
they take pointer to etype to store the extent type and just return 0 on 
success, <0 on error. It has passed the syz repro test.



[1]. https://lore.kernel.org/all/0000000000005093590621340ecf@google.com/

Zhao Mengmeng (3):
  udf: refactor udf_current_aext() to handle error
  udf: refactor udf_next_aext() to handle error
  udf: refactor inode_bmap() to handle error

 fs/udf/balloc.c    |   6 +--
 fs/udf/directory.c |  20 +++++---
 fs/udf/inode.c     | 112 ++++++++++++++++++++++++++-------------------
 fs/udf/partition.c |   6 ++-
 fs/udf/super.c     |   3 +-
 fs/udf/truncate.c  |  16 +++----
 fs/udf/udfdecl.h   |  15 +++---
 7 files changed, 104 insertions(+), 74 deletions(-)

-- 
2.43.0