xfs: complain if anyone tries to create a too-large buffer log item
authorDarrick J. Wong <darrick.wong@oracle.com>
Wed, 8 Jan 2020 00:12:24 +0000 (16:12 -0800)
committerDarrick J. Wong <darrick.wong@oracle.com>
Thu, 16 Jan 2020 16:07:23 +0000 (08:07 -0800)
Complain if someone calls xfs_buf_item_init on a buffer that is larger
than the dirty bitmap can handle, or tries to log a region that's past
the end of the dirty bitmap.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
fs/xfs/xfs_buf_item.c

index 9737f177a49b5e5eb6ca2117d44bfe74152fca24..be691d1d9fad21b2d7a3ab7396501aabeb8ff19c 100644 (file)
@@ -763,6 +763,15 @@ xfs_buf_item_init(
                                      XFS_BLF_CHUNK);
                map_size = DIV_ROUND_UP(chunks, NBWORD);
 
+               if (map_size > XFS_BLF_DATAMAP_SIZE) {
+                       kmem_cache_free(xfs_buf_item_zone, bip);
+                       xfs_err(mp,
+       "buffer item dirty bitmap (%u uints) too small to reflect %u bytes!",
+                                       map_size,
+                                       BBTOB(bp->b_maps[i].bm_len));
+                       return -EFSCORRUPTED;
+               }
+
                bip->bli_formats[i].blf_type = XFS_LI_BUF;
                bip->bli_formats[i].blf_blkno = bp->b_maps[i].bm_bn;
                bip->bli_formats[i].blf_len = bp->b_maps[i].bm_len;
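Review bot: The new error path in xfs_buf_item_init releases only `bip` itself with `kmem_cache_free(xfs_buf_item_zone, bip)`, so if `bip->bli_formats` was allocated separately earlier in the function, that array would leak each time the check fires. The allocation is outside this hunk, so this is inferred from the `bli_formats[i]` indexing. Freeing the format array first, with `xfs_buf_item_free_format(bip);` ahead of the `kmem_cache_free()` call, would close it. Because the function starts before and continues after the hunk, it is also worth confirming that no pointer to `bip` has been stored on `bp` before this early return.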
@@ -795,6 +804,9 @@ xfs_buf_item_log_segment(
        uint            end_bit;
        uint            mask;
 
+       ASSERT(first < XFS_BLF_DATAMAP_SIZE * XFS_BLF_CHUNK * NBWORD);
+       ASSERT(last < XFS_BLF_DATAMAP_SIZE * XFS_BLF_CHUNK * NBWORD);
+
        /*
         * Convert byte offsets to bit numbers.
         */
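Review bot: The two range checks on `first` and `last` are `ASSERT`s, which in XFS are normally compiled in only for debug builds, so on a production kernel an out-of-range offset would still reach the bit-setting code below and could set bits past the end of the dirty bitmap. If callers cannot be relied on to have validated the range, a runtime guard is needed too. If they can, a comment should say so, for example `/* Callers guarantee first/last lie inside the dirty bitmap; verified in debug builds only. */`. The bound `XFS_BLF_DATAMAP_SIZE * XFS_BLF_CHUNK * NBWORD` is written out twice and would read better as one named constant. The body of xfs_buf_item_log_segment continues past the end of this hunk.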