Hi!
From: Zijun Hu <quic_zijuhu@quicinc.com>
[ Upstream commit 1363c134ade81e425873b410566e957fecebb261 ]
fs_name() has @index as unsigned int, so there is underflow risk for operation '@index--'.
Fix by breaking the for loop when '@index == 0' which is also more proper than '@index <= 0' for unsigned integer comparison.
How could it underflow? for (..., index) already means we break the loop. I don't see underflow possibility.
BR, Pavel
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/20250410-fix_fs-v1-1-7c14ccc8ebaa@quicinc.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
fs/filesystems.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/fs/filesystems.c b/fs/filesystems.c index 58b9067b2391c..95e5256821a53 100644 --- a/fs/filesystems.c +++ b/fs/filesystems.c @@ -156,15 +156,19 @@ static int fs_index(const char __user * __name) static int fs_name(unsigned int index, char __user * buf) { struct file_system_type * tmp;
- int len, res;
- int len, res = -EINVAL;
read_lock(&file_systems_lock);
- for (tmp = file_systems; tmp; tmp = tmp->next, index--)
if (index <= 0 && try_module_get(tmp->owner))
- for (tmp = file_systems; tmp; tmp = tmp->next, index--) {
if (index == 0) {
if (try_module_get(tmp->owner))
res = 0; break;
}
- } read_unlock(&file_systems_lock);
- if (!tmp)
return -EINVAL;
- if (res)
return res;
/* OK, we got the reference, so we can safely block */ len = strlen(tmp->name) + 1;
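Review bot: the changelog should state the condition under which `index--` wraps, because the old `if (index <= 0 && try_module_get(tmp->owner))` line only shows it indirectly: when index is 0 and try_module_get() fails, the loop does not break and the decrement in the for header runs on 0. In the new `if (index == 0) {` block the `break` is taken whether or not the module reference was obtained, so that case leaves `res` at its -EINVAL initialiser; a short comment at the `break` saying the failed-get case intentionally returns -EINVAL would make this clear to the next reader.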