Commit 1ecd3c7e authored by Xi Wang's avatar Xi Wang Committed by Linus Torvalds
Browse files

nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments()

nsegs is read from userspace.  Limit its value and avoid overflowing nsegs
* sizeof(__u64) in the subsequent call to memdup_user().

This patch complements 481fe17e

 ("nilfs2: potential integer overflow
in nilfs_ioctl_clean_segments()").
Signed-off-by: default avatarXi Wang <>
Cc: Haogang Chen <>
Acked-by: default avatarRyusuke Konishi <>
Signed-off-by: default avatarAndrew Morton <>
Signed-off-by: default avatarLinus Torvalds <>
parent 98e96852
......@@ -603,6 +603,8 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
nsegs = argv[4].v_nmembs;
if (argv[4].v_size != argsz[4])
goto out;
if (nsegs > UINT_MAX / sizeof(__u64))
goto out;
* argv[4] points to segment numbers this ioctl cleans. We
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment