Commit 66f73fb3 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'for-linus-5.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs

Pull JFFS2/UBIFS and UBI updates from Richard Weinberger:
 "JFFS2:
   - Fix for use-after-free in jffs2_sum_write_data()
   - Fix for out-of-bounds access in jffs2_zlib_compress()

  UBI:
   - Remove dead/useless code

  UBIFS:
   - Fix for a memory leak in ubifs_init_authentication()
   - Fix for high stack usage
   - Fix for a off-by-one error in xattrs code"

* tag 'for-linus-5.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs:
  ubifs: Fix error return code in alloc_wbufs()
  jffs2: check the validity of dstlen in jffs2_zlib_compress()
  ubifs: Fix off-by-one error
  ubifs: replay: Fix high stack usage, again
  ubifs: Fix memleak in ubifs_init_authentication
  jffs2: fix use after free in jffs2_sum_write_data()
  ubi: eba: Delete useless kfree code
  ubi: remove dead code in validate_vid_hdr()
parents 69e9b12a 42119dbe
...@@ -142,7 +142,6 @@ struct ubi_eba_table *ubi_eba_create_table(struct ubi_volume *vol, ...@@ -142,7 +142,6 @@ struct ubi_eba_table *ubi_eba_create_table(struct ubi_volume *vol,
return tbl; return tbl;
err: err:
kfree(tbl->entries);
kfree(tbl); kfree(tbl);
return ERR_PTR(err); return ERR_PTR(err);
......
...@@ -913,12 +913,7 @@ static int validate_vid_hdr(const struct ubi_device *ubi, ...@@ -913,12 +913,7 @@ static int validate_vid_hdr(const struct ubi_device *ubi,
ubi_err(ubi, "bad data_size"); ubi_err(ubi, "bad data_size");
goto bad; goto bad;
} }
} else if (lnum == used_ebs - 1) { } else if (lnum > used_ebs - 1) {
if (data_size == 0) {
ubi_err(ubi, "bad data_size at last LEB");
goto bad;
}
} else {
ubi_err(ubi, "too high lnum"); ubi_err(ubi, "too high lnum");
goto bad; goto bad;
} }
......
...@@ -37,6 +37,9 @@ static int jffs2_rtime_compress(unsigned char *data_in, ...@@ -37,6 +37,9 @@ static int jffs2_rtime_compress(unsigned char *data_in,
int outpos = 0; int outpos = 0;
int pos=0; int pos=0;
if (*dstlen <= 3)
return -1;
memset(positions,0,sizeof(positions)); memset(positions,0,sizeof(positions));
while (pos < (*sourcelen) && outpos <= (*dstlen)-2) { while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
......
...@@ -783,6 +783,8 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock ...@@ -783,6 +783,8 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
dbg_summary("Writing unknown RWCOMPAT_COPY node type %x\n", dbg_summary("Writing unknown RWCOMPAT_COPY node type %x\n",
je16_to_cpu(temp->u.nodetype)); je16_to_cpu(temp->u.nodetype));
jffs2_sum_disable_collecting(c->summary); jffs2_sum_disable_collecting(c->summary);
/* The above call removes the list, nothing more to do */
goto bail_rwcompat;
} else { } else {
BUG(); /* unknown node in summary information */ BUG(); /* unknown node in summary information */
} }
...@@ -794,6 +796,7 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock ...@@ -794,6 +796,7 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
c->summary->sum_num--; c->summary->sum_num--;
} }
bail_rwcompat:
jffs2_sum_reset_collected(c->summary); jffs2_sum_reset_collected(c->summary);
......
...@@ -327,7 +327,7 @@ int ubifs_init_authentication(struct ubifs_info *c) ...@@ -327,7 +327,7 @@ int ubifs_init_authentication(struct ubifs_info *c)
ubifs_err(c, "hmac %s is bigger than maximum allowed hmac size (%d > %d)", ubifs_err(c, "hmac %s is bigger than maximum allowed hmac size (%d > %d)",
hmac_name, c->hmac_desc_len, UBIFS_HMAC_ARR_SZ); hmac_name, c->hmac_desc_len, UBIFS_HMAC_ARR_SZ);
err = -EINVAL; err = -EINVAL;
goto out_free_hash; goto out_free_hmac;
} }
err = crypto_shash_setkey(c->hmac_tfm, ukp->data, ukp->datalen); err = crypto_shash_setkey(c->hmac_tfm, ukp->data, ukp->datalen);
......
...@@ -881,7 +881,7 @@ int ubifs_jnl_write_inode(struct ubifs_info *c, const struct inode *inode) ...@@ -881,7 +881,7 @@ int ubifs_jnl_write_inode(struct ubifs_info *c, const struct inode *inode)
struct inode *xino; struct inode *xino;
struct ubifs_dent_node *xent, *pxent = NULL; struct ubifs_dent_node *xent, *pxent = NULL;
if (ui->xattr_cnt >= ubifs_xattr_max_cnt(c)) { if (ui->xattr_cnt > ubifs_xattr_max_cnt(c)) {
ubifs_err(c, "Cannot delete inode, it has too much xattrs!"); ubifs_err(c, "Cannot delete inode, it has too much xattrs!");
goto out_release; goto out_release;
} }
......
...@@ -559,7 +559,9 @@ static int is_last_bud(struct ubifs_info *c, struct ubifs_bud *bud) ...@@ -559,7 +559,9 @@ static int is_last_bud(struct ubifs_info *c, struct ubifs_bud *bud)
} }
/* authenticate_sleb_hash is split out for stack usage */ /* authenticate_sleb_hash is split out for stack usage */
static int authenticate_sleb_hash(struct ubifs_info *c, struct shash_desc *log_hash, u8 *hash) static int noinline_for_stack
authenticate_sleb_hash(struct ubifs_info *c,
struct shash_desc *log_hash, u8 *hash)
{ {
SHASH_DESC_ON_STACK(hash_desc, c->hash_tfm); SHASH_DESC_ON_STACK(hash_desc, c->hash_tfm);
......
...@@ -838,8 +838,10 @@ static int alloc_wbufs(struct ubifs_info *c) ...@@ -838,8 +838,10 @@ static int alloc_wbufs(struct ubifs_info *c)
c->jheads[i].wbuf.jhead = i; c->jheads[i].wbuf.jhead = i;
c->jheads[i].grouped = 1; c->jheads[i].grouped = 1;
c->jheads[i].log_hash = ubifs_hash_get_desc(c); c->jheads[i].log_hash = ubifs_hash_get_desc(c);
if (IS_ERR(c->jheads[i].log_hash)) if (IS_ERR(c->jheads[i].log_hash)) {
err = PTR_ERR(c->jheads[i].log_hash);
goto out; goto out;
}
} }
/* /*
......
...@@ -498,7 +498,7 @@ int ubifs_purge_xattrs(struct inode *host) ...@@ -498,7 +498,7 @@ int ubifs_purge_xattrs(struct inode *host)
struct fscrypt_name nm = {0}; struct fscrypt_name nm = {0};
int err; int err;
if (ubifs_inode(host)->xattr_cnt < ubifs_xattr_max_cnt(c)) if (ubifs_inode(host)->xattr_cnt <= ubifs_xattr_max_cnt(c))
return 0; return 0;
ubifs_warn(c, "inode %lu has too many xattrs, doing a non-atomic deletion", ubifs_warn(c, "inode %lu has too many xattrs, doing a non-atomic deletion",
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment