From: Linus Torvalds
Date: Thu, 18 Nov 2021 20:41:14 +0000 (-0800)
Subject: Merge tag 'for-5.16-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave...
X-Git-Tag: v6.6.17~8781
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=6fdf886424cf8c4fff96a20189c00606327e5df6;p=platform%2Fkernel%2Flinux-rpi.git

Merge tag 'for-5.16-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux

Pull btrfs fixes from David Sterba:
 "Several fixes and one old ioctl deprecation. Namely there's a fix for
  crashes/warnings with lzo compression that was suspected to be caused
  by first pull merge resolution, but it was a different bug.

  Summary:

   - regression fix for a crash in lzo due to missing boundary checks of
     the page array

   - fix crashes on ARM64 due to missing barriers when synchronizing
     status bits between work queues

   - silence lockdep when reading chunk tree during mount

   - fix false positive warning in integrity checker on devices with
     disabled write caching

   - fix signedness of bitfields in scrub

   - start deprecation of balance v1 ioctl"

* tag 'for-5.16-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
  btrfs: deprecate BTRFS_IOC_BALANCE ioctl
  btrfs: make 1-bit bit-fields of scrub_page unsigned int
  btrfs: check-integrity: fix a warning on write caching disabled disk
  btrfs: silence lockdep when reading chunk tree during mount
  btrfs: fix memory ordering between normal and ordered work functions
  btrfs: fix a out-of-bound access in copy_compressed_data_to_page()
---

6fdf886424cf8c4fff96a20189c00606327e5df6
diff --cc fs/btrfs/lzo.c index 65cb076,f410cea..9febb80 --- a/fs/btrfs/lzo.c +++ b/fs/btrfs/lzo.c @@@ -131,8 -132,10 +132,11 @@@ static int copy_compressed_data_to_page u32 sector_bytes_left; u32 orig_out; struct page *cur_page; + char *kaddr; + if ((*cur_out / PAGE_SIZE) >= max_nr_page) + return -E2BIG; + /* * We never allow a segment header crossing sector boundary, previous * run should ensure we have enough space left inside the sector. 
@@@ -160,7 -162,9 +164,11 @@@ u32 copy_len = min_t(u32, sectorsize - *cur_out % sectorsize, orig_out + compressed_size - *cur_out); + kunmap(cur_page); ++ + if ((*cur_out / PAGE_SIZE) >= max_nr_page) + return -E2BIG; + cur_page = out_pages[*cur_out / PAGE_SIZE]; /* Allocate a new page */ if (!cur_page) { @@@ -202,7 -202,7 +210,8 @@@ int lzo_compress_pages(struct list_hea struct workspace *workspace = list_entry(ws, struct workspace, list); const u32 sectorsize = btrfs_sb(mapping->host->i_sb)->sectorsize; struct page *page_in = NULL; + char *sizes_ptr; + const unsigned long max_nr_page = *out_pages; int ret = 0; /* Points to the file offset of input data */ u64 cur_in = start;
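Review bot: In the first hunk (top of copy_compressed_data_to_page, just above the segment header comment), the new check `if ((*cur_out / PAGE_SIZE) >= max_nr_page)` carries no comment, while the block directly below it is documented. A one-line comment saying that `*cur_out / PAGE_SIZE` indexes the output page array and that max_nr_page is its length would make the reason for `return -E2BIG;` clear at this spot. The same two lines appear again in the copy loop of the next hunk, so a small helper shared by both sites would keep the two checks from diverging.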
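Review bot: In the second hunk (the copy loop), the bounds check and the lookup `cur_page = out_pages[*cur_out / PAGE_SIZE];` each recompute the page index. Computing it once into a local and using that local for both the comparison against max_nr_page and the array access makes it visible that the value checked is the value used. The check also depends on sitting after `kunmap(cur_page);`, since the `return -E2BIG;` path would otherwise leave the previous page mapped; a short comment on that ordering would protect it from a later reshuffle, as this merge resolution already had to place it by hand.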
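Review bot: In the third hunk (lzo_compress_pages), `const unsigned long max_nr_page = *out_pages;` reads the page limit through a pointer named out_pages, while in copy_compressed_data_to_page the same name is the page array indexed by `*cur_out / PAGE_SIZE`. One name meaning a count in one function and an array in the other is easy to misread when checking the new bounds logic. A comment on this declaration stating that `*out_pages` holds the caller's page limit on entry, and that it is captured here for the bounds checks, would remove the ambiguity.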