From: Lukas Czerner <lczerner@redhat.com>
Date: Mon, 5 Sep 2011 14:34:54 +0000 (+0200)
Subject: btrfs: return EINVAL if start > total_bytes in fitrim ioctl
X-Git-Tag: firefly_0821_release~3680^2~3894^2~77^2~11
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=f4c697e6406da5dd445eda8d923c53e1138793dd;p=firefly-linux-kernel-4.4.55.git

btrfs: return EINVAL if start > total_bytes in fitrim ioctl

We should retirn EINVAL if the start is beyond the end of the file
system in the btrfs_ioctl_fitrim(). Fix that by adding the appropriate
check for it.

Also in the btrfs_trim_fs() it is possible that len+start might overflow
if big values are passed. Fix it by decrementing the len so that start+len
is equal to the file system size in the worst case.

Signed-off-by: Lukas Czerner <lczerner@redhat.com>
---

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index d524b6697ad9..136a2f980e21 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -282,6 +282,7 @@ static noinline int btrfs_ioctl_fitrim(struct file *file, void __user *arg)
 	struct fstrim_range range;
 	u64 minlen = ULLONG_MAX;
 	u64 num_devices = 0;
+	u64 total_bytes = btrfs_super_total_bytes(&root->fs_info->super_copy);
 	int ret;
 
 	if (!capable(CAP_SYS_ADMIN))
@@ -300,12 +301,15 @@ static noinline int btrfs_ioctl_fitrim(struct file *file, void __user *arg)
 		}
 	}
 	rcu_read_unlock();
+
 	if (!num_devices)
 		return -EOPNOTSUPP;
-
 	if (copy_from_user(&range, arg, sizeof(range)))
 		return -EFAULT;
+	if (range.start > total_bytes)
+		return -EINVAL;
 
+	range.len = min(range.len, total_bytes - range.start);
 	range.minlen = max(range.minlen, minlen);
 	ret = btrfs_trim_fs(root, &range);
 	if (ret < 0)