bcachefs: Fix journal_entry_dev_usage_to_text() overrun

If the jset_entry_dev_usage is malformed, and too small, our nr_entries
calculation will be incorrect - just bail out.

Reported-by: syzbot+05d7520be047c9be86e0@syzkaller.appspotmail.com
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

diff --git a/fs/bcachefs/journal_io.c b/fs/bcachefs/journal_io.c
index ccaafa90f4f4aebabac245b4f0ae2361ccb85a8d..fb35dd3363318f0ca94dd8c49c468a623815529f 100644 (file)
--- a/fs/bcachefs/journal_io.c
+++ b/fs/bcachefs/journal_io.c
@@ -708,6 +708,9 @@ static void journal_entry_dev_usage_to_text(struct printbuf *out, struct bch_fs
                container_of(entry, struct jset_entry_dev_usage, entry);
        unsigned i, nr_types = jset_entry_dev_usage_nr_types(u);
 
+       if (vstruct_bytes(entry) < sizeof(*u))
+               return;
+
        prt_printf(out, "dev=%u", le32_to_cpu(u->dev));
 
        printbuf_indent_add(out, 2);