Commit 66f73fb3 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'for-linus-5.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs

Pull JFFS2/UBIFS and UBI updates from Richard Weinberger:
 "JFFS2:
   - Fix for use-after-free in jffs2_sum_write_data()
   - Fix for out-of-bounds access in jffs2_zlib_compress()

  UBI:
   - Remove dead/useless code

  UBIFS:
   - Fix for a memory leak in ubifs_init_authentication()
   - Fix for high stack usage
   - Fix for a off-by-one error in xattrs code"

* tag 'for-linus-5.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs:
  ubifs: Fix error return code in alloc_wbufs()
  jffs2: check the validity of dstlen in jffs2_zlib_compress()
  ubifs: Fix off-by-one error
  ubifs: replay: Fix high stack usage, again
  ubifs: Fix memleak in ubifs_init_authentication
  jffs2: fix use after free in jffs2_sum_write_data()
  ubi: eba: Delete useless kfree code
  ubi: remove dead code in validate_vid_hdr()
parents 69e9b12a 42119dbe
......@@ -142,7 +142,6 @@ struct ubi_eba_table *ubi_eba_create_table(struct ubi_volume *vol,
return tbl;
err:
kfree(tbl->entries);
kfree(tbl);
return ERR_PTR(err);
......
......@@ -913,12 +913,7 @@ static int validate_vid_hdr(const struct ubi_device *ubi,
ubi_err(ubi, "bad data_size");
goto bad;
}
} else if (lnum == used_ebs - 1) {
if (data_size == 0) {
ubi_err(ubi, "bad data_size at last LEB");
goto bad;
}
} else {
} else if (lnum > used_ebs - 1) {
ubi_err(ubi, "too high lnum");
goto bad;
}
......
......@@ -37,6 +37,9 @@ static int jffs2_rtime_compress(unsigned char *data_in,
int outpos = 0;
int pos=0;
if (*dstlen <= 3)
return -1;
memset(positions,0,sizeof(positions));
while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
......
......@@ -783,6 +783,8 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
dbg_summary("Writing unknown RWCOMPAT_COPY node type %x\n",
je16_to_cpu(temp->u.nodetype));
jffs2_sum_disable_collecting(c->summary);
/* The above call removes the list, nothing more to do */
goto bail_rwcompat;
} else {
BUG(); /* unknown node in summary information */
}
......@@ -794,6 +796,7 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
c->summary->sum_num--;
}
bail_rwcompat:
jffs2_sum_reset_collected(c->summary);
......
......@@ -327,7 +327,7 @@ int ubifs_init_authentication(struct ubifs_info *c)
ubifs_err(c, "hmac %s is bigger than maximum allowed hmac size (%d > %d)",
hmac_name, c->hmac_desc_len, UBIFS_HMAC_ARR_SZ);
err = -EINVAL;
goto out_free_hash;
goto out_free_hmac;
}
err = crypto_shash_setkey(c->hmac_tfm, ukp->data, ukp->datalen);
......
......@@ -881,7 +881,7 @@ int ubifs_jnl_write_inode(struct ubifs_info *c, const struct inode *inode)
struct inode *xino;
struct ubifs_dent_node *xent, *pxent = NULL;
if (ui->xattr_cnt >= ubifs_xattr_max_cnt(c)) {
if (ui->xattr_cnt > ubifs_xattr_max_cnt(c)) {
ubifs_err(c, "Cannot delete inode, it has too much xattrs!");
goto out_release;
}
......
......@@ -559,7 +559,9 @@ static int is_last_bud(struct ubifs_info *c, struct ubifs_bud *bud)
}
/* authenticate_sleb_hash is split out for stack usage */
static int authenticate_sleb_hash(struct ubifs_info *c, struct shash_desc *log_hash, u8 *hash)
static int noinline_for_stack
authenticate_sleb_hash(struct ubifs_info *c,
struct shash_desc *log_hash, u8 *hash)
{
SHASH_DESC_ON_STACK(hash_desc, c->hash_tfm);
......
......@@ -838,9 +838,11 @@ static int alloc_wbufs(struct ubifs_info *c)
c->jheads[i].wbuf.jhead = i;
c->jheads[i].grouped = 1;
c->jheads[i].log_hash = ubifs_hash_get_desc(c);
if (IS_ERR(c->jheads[i].log_hash))
if (IS_ERR(c->jheads[i].log_hash)) {
err = PTR_ERR(c->jheads[i].log_hash);
goto out;
}
}
/*
* Garbage Collector head does not need to be synchronized by timer.
......
......@@ -498,7 +498,7 @@ int ubifs_purge_xattrs(struct inode *host)
struct fscrypt_name nm = {0};
int err;
if (ubifs_inode(host)->xattr_cnt < ubifs_xattr_max_cnt(c))
if (ubifs_inode(host)->xattr_cnt <= ubifs_xattr_max_cnt(c))
return 0;
ubifs_warn(c, "inode %lu has too many xattrs, doing a non-atomic deletion",
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment