From: Kent Overstreet Date: Mon, 11 Nov 2024 21:01:38 +0000 (-0500) Subject: bcachefs: Fix journal_entry_dev_usage_to_text() overrun X-Git-Tag: v6.12~16^2~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=657d4282d8c4ac2349472529c9a6f20c503d1aee;p=platform%2Fkernel%2Flinux-amlogic.git bcachefs: Fix journal_entry_dev_usage_to_text() overrun If the jset_entry_dev_usage is malformed, and too small, our nr_entries calculation will be incorrect - just bail out. Reported-by: syzbot+05d7520be047c9be86e0@syzkaller.appspotmail.com Signed-off-by: Kent Overstreet --- diff --git a/fs/bcachefs/journal_io.c b/fs/bcachefs/journal_io.c index ccaafa90f4f4..fb35dd336331 100644 --- a/fs/bcachefs/journal_io.c +++ b/fs/bcachefs/journal_io.c @@ -708,6 +708,9 @@ static void journal_entry_dev_usage_to_text(struct printbuf *out, struct bch_fs container_of(entry, struct jset_entry_dev_usage, entry); unsigned i, nr_types = jset_entry_dev_usage_nr_types(u); + if (vstruct_bytes(entry) < sizeof(*u)) + return; + prt_printf(out, "dev=%u", le32_to_cpu(u->dev)); printbuf_indent_add(out, 2);
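Review bot: the new `vstruct_bytes(entry) < sizeof(*u)` check in journal_entry_dev_usage_to_text() sits after the declaration `unsigned i, nr_types = jset_entry_dev_usage_nr_types(u);`, so the nr_entries calculation that the commit message calls incorrect for a too-small entry is still evaluated before the bail-out. The result is discarded on the early return, but it would be cleaner to declare `nr_types` uninitialized and assign it after the size check, so that a later use added above the check cannot pick up the bad value. The early return also prints nothing, so anyone reading a dump of a malformed journal cannot tell a truncated dev_usage entry from an empty one. Consider emitting a short marker through `prt_printf(out, ...)` before returning. A one-line comment above the check saying that it guards the nr_types calculation against undersized entries would record why it exists.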