LU-4423 llite: Integer overflow in ll_ioctl_fiemap
[fs/lustre-release.git] / lustre / llite / file.c
index 3418966..b29a9c6 100644 (file)
@@ -1913,6 +1913,9 @@ int ll_fid2path(struct inode *inode, void __user *arg)
        if (get_user(pathlen, &gfin->gf_pathlen))
                RETURN(-EFAULT);
 
+       if (pathlen > PATH_MAX)
+               RETURN(-EINVAL);
+
        outsize = sizeof(*gfout) + pathlen;
        OBD_ALLOC(gfout, outsize);
        if (gfout == NULL)
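Review bot: The new `pathlen > PATH_MAX` test bounds the user-supplied length only from above, and the declaration of `pathlen` is outside this hunk. If it is a signed type, a negative value copied in by `get_user()` would pass the check and still feed `outsize = sizeof(*gfout) + pathlen`, so the type should be confirmed as unsigned. A short comment above the check would record the intent, for example `/* gf_pathlen comes from user space and sizes the allocation below */`. The body of ll_fid2path continues past the end of the hunk, so how `outsize` is used later is not visible here.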
@@ -1946,6 +1949,10 @@ static int ll_ioctl_fiemap(struct inode *inode, unsigned long arg)
         if (get_user(extent_count,
             &((struct ll_user_fiemap __user *)arg)->fm_extent_count))
                 RETURN(-EFAULT);
+
+       if (extent_count >=
+           (SIZE_MAX - sizeof(*fiemap_s)) / sizeof(struct ll_fiemap_extent))
+               RETURN(-EINVAL);
         num_bytes = sizeof(*fiemap_s) + (extent_count *
                                          sizeof(struct ll_fiemap_extent));
 
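Review bot: The guard added before the `num_bytes` computation only rules out wrap-around in `size_t` arithmetic; it places no practical ceiling on `extent_count`. A caller can therefore still drive an allocation request just below SIZE_MAX, which the allocator has to reject. `num_bytes` is declared outside the hunk, and if it is narrower than `size_t` the sum can still truncate after this check, so its type should be confirmed. Consider also rejecting counts above a documented maximum, and add a comment such as `/* extent_count is user-controlled; reject values that would overflow num_bytes */`.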
@@ -2306,10 +2313,14 @@ static int ll_hsm_import(struct inode *inode, struct file *file,
                         ATTR_MTIME | ATTR_MTIME_SET |
                         ATTR_ATIME | ATTR_ATIME_SET;
 
+       mutex_lock(&inode->i_mutex);
+
        rc = ll_setattr_raw(file->f_dentry, attr, true);
        if (rc == -ENODATA)
                rc = 0;
 
+       mutex_unlock(&inode->i_mutex);
+
 out:
        if (hss != NULL)
                OBD_FREE_PTR(hss);
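Review bot: The `mutex_lock(&inode->i_mutex)` / `mutex_unlock(&inode->i_mutex)` pair around `ll_setattr_raw()` carries no comment and is not covered by the commit title, which names only the fiemap overflow. Presumably `ll_setattr_raw()` expects its caller to hold `i_mutex`; if so, say it at the lock site, e.g. `/* ll_setattr_raw() must be called with i_mutex held */`. The unlock sits just before the `out:` label, so every earlier `goto out` in the part of ll_hsm_import outside this hunk must run without the mutex held. That is worth re-checking when new error paths are added.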