[PATCH] ext2/ext3_free_blocks() extra check

From Andreas Dilger.

Additional sanity checks in the ext2 and ext3 block allocators: if
someone tries to free a negative number of blocks, detect and handle
that rather than wrecking the fs.

diff --git a/fs/ext2/balloc.c b/fs/ext2/balloc.c
index e204a55b415e931dfa7c699b28b0f6c8790c4753..e82a5ed847369c3bcf91372e93929c998e3be5c8 100644 (file)
--- a/fs/ext2/balloc.c
+++ b/fs/ext2/balloc.c
@@ -178,8 +178,9 @@ void ext2_free_blocks (struct inode * inode, unsigned long block,
 
        lock_super (sb);
        es = EXT2_SB(sb)->s_es;
-       if (block < le32_to_cpu(es->s_first_data_block) || 
-           (block + count) > le32_to_cpu(es->s_blocks_count)) {
+       if (block < le32_to_cpu(es->s_first_data_block) ||
+           block + count < block ||
+           block + count > le32_to_cpu(es->s_blocks_count)) {
                ext2_error (sb, "ext2_free_blocks",
                            "Freeing blocks not in datazone - "
                            "block = %lu, count = %lu", block, count);

diff --git a/fs/ext3/balloc.c b/fs/ext3/balloc.c
index c6760c7b42dc0ad9c89a8da3cdd479f01fd7bf42..c4c65eee62b46a806c4c9e7472881f2dc6916a51 100644 (file)
--- a/fs/ext3/balloc.c
+++ b/fs/ext3/balloc.c
@@ -120,8 +120,9 @@ void ext3_free_blocks (handle_t *handle, struct inode * inode,
        }
        lock_super (sb);
        es = EXT3_SB(sb)->s_es;
-       if (block < le32_to_cpu(es->s_first_data_block) || 
-           (block + count) > le32_to_cpu(es->s_blocks_count)) {
+       if (block < le32_to_cpu(es->s_first_data_block) ||
+           block + count < block ||
+           block + count > le32_to_cpu(es->s_blocks_count)) {
                ext3_error (sb, "ext3_free_blocks",
                            "Freeing blocks not in datazone - "
                            "block = %lu, count = %lu", block, count);