fs/nilfs2: fix integer overflow in nilfs_ioctl_wrap_copy()

[~andy/linux] / fs / nilfs2 / ioctl.c

diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index b44bdb291b8435000055b6c7321acc57e3a026f3..d22281d60071122de626d5d6296127b3f223f86d 100644 (file)
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -57,6 +57,14 @@ static int nilfs_ioctl_wrap_copy(struct the_nilfs *nilfs,
        if (argv->v_size > PAGE_SIZE)
                return -EINVAL;
 
+       /*
+        * Reject pairs of a start item position (argv->v_index) and a
+        * total count (argv->v_nmembs) which leads position 'pos' to
+        * overflow by the increment at the end of the loop.
+        */
+       if (argv->v_index > ~(__u64)0 - argv->v_nmembs)
+               return -EINVAL;
+
        buf = (void *)__get_free_pages(GFP_NOFS, 0);
        if (unlikely(!buf))
                return -ENOMEM;