Module Name: src Committed By: reinoud Date: Sat Mar 21 13:39:31 UTC 2020
Modified Files: src/sys/fs/nilfs: nilfs_subr.c Log Message: Fix use-after-free issue! To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.15 src/sys/fs/nilfs/nilfs_subr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/fs/nilfs/nilfs_subr.c
diff -u src/sys/fs/nilfs/nilfs_subr.c:1.14 src/sys/fs/nilfs/nilfs_subr.c:1.15
--- src/sys/fs/nilfs/nilfs_subr.c:1.14 Sun Mar 29 14:12:28 2015
+++ src/sys/fs/nilfs/nilfs_subr.c Sat Mar 21 13:39:31 2020
@@ -1,4 +1,4 @@
-/* $NetBSD: nilfs_subr.c,v 1.14 2015/03/29 14:12:28 riastradh Exp $ */
+/* $NetBSD: nilfs_subr.c,v 1.15 2020/03/21 13:39:31 reinoud Exp $ */
 /*
 * Copyright (c) 2008, 2009 Reinoud Zandijk
@@ -28,7 +28,7 @@
 #include <sys/cdefs.h>
 #ifndef lint
-__KERNEL_RCSID(0, "$NetBSD: nilfs_subr.c,v 1.14 2015/03/29 14:12:28 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nilfs_subr.c,v 1.15 2020/03/21 13:39:31 reinoud Exp $");
 #endif /* not lint */
 #include <sys/param.h>
@@ -230,6 +230,7 @@ nilfs_btree_lookup_level(struct nilfs_no
 dptrs = dkeys + NILFS_BTREE_NODE_NCHILDREN_MAX(nilfsdev->blocksize);
 assert((btree_hdr->bn_flags & NILFS_BTREE_NODE_ROOT) == 0);
+ assert((btree_hdr->bn_level == level));
 /* select matching child XXX could use binary search */
 selected = 0;
@@ -253,7 +254,7 @@ nilfs_btree_lookup_level(struct nilfs_no
 brelse(bp, BC_AGE);
 return nilfs_btree_lookup_level(node, lblocknr,
- child_btree_blk, btree_hdr->bn_level-1, vblocknr);
+ child_btree_blk, level-1, vblocknr);
 }
@@ -686,9 +687,10 @@ nilfs_get_node_raw(struct nilfs_device *
 /* fixup inode size for system nodes */
 if ((ino < NILFS_USER_INO) && (ino != NILFS_ROOT_INO)) {
- DPRINTF(VOLUMES, ("NEED TO GET my size for inode %"PRIu64"\n",
+ DPRINTF(VOLUMES, ("NEED TO GET my size for inode %"PRIu64"?\n",
 ino));
 /* for now set it to maximum, -1 is illegal */
+ DPRINTF(VOLUMES, (" current size of inode is %"PRIu64"\n", inode->i_size));
 inode->i_size = nilfs_rw64(((uint64_t) -2));
 }
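Review bot: The added `assert((btree_hdr->bn_level == level));` in the @@ -230 hunk is the only check that the node read from disk sits at the level the caller expects, and an assert is a weak tool for a value taken from the filesystem image. If asserts are compiled out in this kernel configuration, a corrupted image with a mismatched bn_level passes unnoticed; if they are enabled, the same image panics the machine. Consider failing the lookup instead, for example `if (btree_hdr->bn_level != level) { brelse(bp, BC_AGE); return EIO; }`, with the error value adjusted to whatever this function already returns for a bad node. The bn_flags assert just above has the same weakness, and the function begins outside this hunk, so the buffer state at this point should be confirmed before adding the brelse().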
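Review bot: The recursive call in the @@ -253 hunk now passes `level-1`, but nothing at the call site tells the next reader why `btree_hdr` must not be used there. Judging from the commit message and the preceding `brelse(bp, BC_AGE);`, btree_hdr appears to point into the buffer that was just released; a comment such as `/* btree_hdr points into bp, which is released above: use the caller's level */` before the return would keep the dereference from being reintroduced. Termination of the recursion now depends on `level` alone, and the base case lies outside this hunk, so it is worth confirming that a level of zero or below cannot reach this call.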
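Review bot: The new debug line in the @@ -686 hunk prints `inode->i_size` raw, while the assignment on the next line stores the field through `nilfs_rw64()`, which suggests i_size is kept in on-disk byte order. On a host whose byte order differs from the on-disk one the message would show a swapped value; `DPRINTF(VOLUMES, (" current size of inode is %"PRIu64"\n", nilfs_rw64(inode->i_size)));` would print the host value, assuming nilfs_rw64 is the same conversion used for reads. The added line is also longer than 80 columns and could be wrapped like the DPRINTF above it. The enclosing function starts outside the hunk.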