authorLinus Torvalds <torvalds@linux-foundation.org>2021-02-21 13:57:08 -0800
committerLinus Torvalds <torvalds@linux-foundation.org>2021-02-21 13:57:08 -0800
commit66f73fb3facd42d0a7c899d7f4c712332b28499a (patch)
treed695ff291f52c686ddb0cec98ad5ccdcc99d02e0
parent69e9b12a27a1b2d099e528928162428df4d6e93f (diff)
parent42119dbe571eb419dae99b81dd20fa42f47464e1 (diff)
downloadlinux-66f73fb3facd42d0a7c899d7f4c712332b28499a.tar.gz
Merge tag 'for-linus-5.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs
Pull JFFS2/UBIFS and UBI updates from Richard Weinberger:
 "JFFS2:
   - Fix for use-after-free in jffs2_sum_write_data()
   - Fix for out-of-bounds access in jffs2_zlib_compress()

  UBI:
   - Remove dead/useless code

  UBIFS:
   - Fix for a memory leak in ubifs_init_authentication()
   - Fix for high stack usage
   - Fix for an off-by-one error in xattrs code"

* tag 'for-linus-5.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs:
  ubifs: Fix error return code in alloc_wbufs()
  jffs2: check the validity of dstlen in jffs2_zlib_compress()
  ubifs: Fix off-by-one error
  ubifs: replay: Fix high stack usage, again
  ubifs: Fix memleak in ubifs_init_authentication
  jffs2: fix use after free in jffs2_sum_write_data()
  ubi: eba: Delete useless kfree code
  ubi: remove dead code in validate_vid_hdr()
-rw-r--r--drivers/mtd/ubi/eba.c1
-rw-r--r--drivers/mtd/ubi/io.c7
-rw-r--r--fs/jffs2/compr_rtime.c3
-rw-r--r--fs/jffs2/summary.c3
-rw-r--r--fs/ubifs/auth.c2
-rw-r--r--fs/ubifs/journal.c2
-rw-r--r--fs/ubifs/replay.c4
-rw-r--r--fs/ubifs/super.c4
-rw-r--r--fs/ubifs/xattr.c2
9 files changed, 16 insertions, 12 deletions
diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c
index 892494c8cb7c..ccc5979642b7 100644
--- a/drivers/mtd/ubi/eba.c
+++ b/drivers/mtd/ubi/eba.c
@@ -142,7 +142,6 @@ struct ubi_eba_table *ubi_eba_create_table(struct ubi_volume *vol,
 	return tbl;
 
 err:
-	kfree(tbl->entries);
 	kfree(tbl);
 
 	return ERR_PTR(err);
diff --git a/drivers/mtd/ubi/io.c b/drivers/mtd/ubi/io.c
index 2f3312c31e51..8a7306cc1947 100644
--- a/drivers/mtd/ubi/io.c
+++ b/drivers/mtd/ubi/io.c
@@ -913,12 +913,7 @@ static int validate_vid_hdr(const struct ubi_device *ubi,
 				ubi_err(ubi, "bad data_size");
 				goto bad;
 			}
-		} else if (lnum == used_ebs - 1) {
-			if (data_size == 0) {
-				ubi_err(ubi, "bad data_size at last LEB");
-				goto bad;
-			}
-		} else {
+		} else if (lnum > used_ebs - 1) {
 			ubi_err(ubi, "too high lnum");
 			goto bad;
 		}
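Review bot: With the `lnum == used_ebs - 1` branch removed, the last LEB falls out of this chain with no check visible in the hunk, and nothing here says why that is safe. If a zero `data_size` is already rejected earlier in validate_vid_hdr() (the function starts and ends outside the hunk), a comment before the chain such as `/* data_size == 0 was rejected above, so the last LEB needs no extra check */` would record that this header validation was relaxed deliberately. Assuming both operands are plain ints, `lnum >= used_ebs` would state the same bound without the subtraction.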
diff --git a/fs/jffs2/compr_rtime.c b/fs/jffs2/compr_rtime.c
index 406d9cc84ba8..79e771ab624f 100644
--- a/fs/jffs2/compr_rtime.c
+++ b/fs/jffs2/compr_rtime.c
@@ -37,6 +37,9 @@ static int jffs2_rtime_compress(unsigned char *data_in,
 	int outpos = 0;
 	int pos=0;
 
+	if (*dstlen <= 3)
+		return -1;
+
 	memset(positions,0,sizeof(positions));
 
 	while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
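Review bot: The new guard `if (*dstlen <= 3)` uses a bare threshold, and nothing explains why the limit is 3 when the loop bound below only subtracts 2. If `*dstlen` is unsigned (its declaration is outside the hunk), `(*dstlen)-2` wraps for values below 2 and the bound stops protecting the output buffer, which is presumably what the check prevents. A comment such as `/* output buffer too small: (*dstlen)-2 in the loop bound below must not wrap */` would capture that. The shortlog entry names jffs2_zlib_compress(), but this hunk changes jffs2_rtime_compress(), so anyone tracking the fix for backports should match on the file rather than on that function name.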
diff --git a/fs/jffs2/summary.c b/fs/jffs2/summary.c
index be7c8a6a5748..4fe64519870f 100644
--- a/fs/jffs2/summary.c
+++ b/fs/jffs2/summary.c
@@ -783,6 +783,8 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
 					dbg_summary("Writing unknown RWCOMPAT_COPY node type %x\n",
 						    je16_to_cpu(temp->u.nodetype));
 					jffs2_sum_disable_collecting(c->summary);
+					/* The above call removes the list, nothing more to do */
+					goto bail_rwcompat;
 				} else {
 					BUG();	/* unknown node in summary information */
 				}
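Review bot: The added `goto bail_rwcompat` lands directly in front of `jffs2_sum_reset_collected(c->summary)` (the label is in the second hunk of this file), so the summary is reset immediately after jffs2_sum_disable_collecting() has torn the list down. These hunks do not show whether the reset is harmless on an already-emptied list or whether it overwrites state that the disable call set. That deserves a check and a comment at the label, for example `/* list already freed by jffs2_sum_disable_collecting(); reset must tolerate an empty list */`. The function continues past both hunks, so it is also worth confirming what the remaining code does with the summary for this erase block once collecting has been disabled.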
@@ -794,6 +796,7 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
 
 		c->summary->sum_num--;
 	}
+ bail_rwcompat:
 
 	jffs2_sum_reset_collected(c->summary);
 
diff --git a/fs/ubifs/auth.c b/fs/ubifs/auth.c
index 51a7c8c2c3f0..e564d5ff8781 100644
--- a/fs/ubifs/auth.c
+++ b/fs/ubifs/auth.c
@@ -327,7 +327,7 @@ int ubifs_init_authentication(struct ubifs_info *c)
 		ubifs_err(c, "hmac %s is bigger than maximum allowed hmac size (%d > %d)",
 			  hmac_name, c->hmac_desc_len, UBIFS_HMAC_ARR_SZ);
 		err = -EINVAL;
-		goto out_free_hash;
+		goto out_free_hmac;
 	}
 
 	err = crypto_shash_setkey(c->hmac_tfm, ukp->data, ukp->datalen);
diff --git a/fs/ubifs/journal.c b/fs/ubifs/journal.c
index 03410ae0813a..2857e64d673d 100644
--- a/fs/ubifs/journal.c
+++ b/fs/ubifs/journal.c
@@ -881,7 +881,7 @@ int ubifs_jnl_write_inode(struct ubifs_info *c, const struct inode *inode)
 		struct inode *xino;
 		struct ubifs_dent_node *xent, *pxent = NULL;
 
-		if (ui->xattr_cnt >= ubifs_xattr_max_cnt(c)) {
+		if (ui->xattr_cnt > ubifs_xattr_max_cnt(c)) {
 			ubifs_err(c, "Cannot delete inode, it has too much xattrs!");
 			goto out_release;
 		}
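Review bot: The xattr limit is tested with two hand-written, complementary comparisons that must stay in step: `ui->xattr_cnt > ubifs_xattr_max_cnt(c)` here and `xattr_cnt <= ubifs_xattr_max_cnt(c)` in ubifs_purge_xattrs() (the fs/ubifs/xattr.c hunk). Neither site says whether a count equal to the maximum is inside the limit, which is the boundary this commit moves. A comment at each site such as `/* exactly ubifs_xattr_max_cnt() xattrs is still within the limit */` would make a future one-sided edit easier to spot. The enclosing block in ubifs_jnl_write_inode() starts and ends outside the hunk.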
diff --git a/fs/ubifs/replay.c b/fs/ubifs/replay.c
index 79801c9a5b87..0f8a6a16421b 100644
--- a/fs/ubifs/replay.c
+++ b/fs/ubifs/replay.c
@@ -559,7 +559,9 @@ static int is_last_bud(struct ubifs_info *c, struct ubifs_bud *bud)
 }
 
 /* authenticate_sleb_hash is split out for stack usage */
-static int authenticate_sleb_hash(struct ubifs_info *c, struct shash_desc *log_hash, u8 *hash)
+static int noinline_for_stack
+authenticate_sleb_hash(struct ubifs_info *c,
+		       struct shash_desc *log_hash, u8 *hash)
 {
 	SHASH_DESC_ON_STACK(hash_desc, c->hash_tfm);
 
diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
index 138b9426c6c1..ddb2ca636c93 100644
--- a/fs/ubifs/super.c
+++ b/fs/ubifs/super.c
@@ -838,8 +838,10 @@ static int alloc_wbufs(struct ubifs_info *c)
 		c->jheads[i].wbuf.jhead = i;
 		c->jheads[i].grouped = 1;
 		c->jheads[i].log_hash = ubifs_hash_get_desc(c);
-		if (IS_ERR(c->jheads[i].log_hash))
+		if (IS_ERR(c->jheads[i].log_hash)) {
+			err = PTR_ERR(c->jheads[i].log_hash);
 			goto out;
+		}
 	}
 
 	/*
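Review bot: After the added `err = PTR_ERR(c->jheads[i].log_hash);`, the field `c->jheads[i].log_hash` still holds the ERR_PTR value when control reaches `out`. The `out` label and any later teardown are outside the hunk; if either frees `log_hash` for every journal head, it would be handed an error pointer instead of NULL or a valid descriptor. Clearing the field before the jump, `c->jheads[i].log_hash = NULL;`, would leave the failure state safe to clean up. It is also worth checking that descriptors obtained in earlier loop iterations are released on this path.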
diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c
index a0b9b349efe6..842d5f14545d 100644
--- a/fs/ubifs/xattr.c
+++ b/fs/ubifs/xattr.c
@@ -498,7 +498,7 @@ int ubifs_purge_xattrs(struct inode *host)
 	struct fscrypt_name nm = {0};
 	int err;
 
-	if (ubifs_inode(host)->xattr_cnt < ubifs_xattr_max_cnt(c))
+	if (ubifs_inode(host)->xattr_cnt <= ubifs_xattr_max_cnt(c))
 		return 0;
 
 	ubifs_warn(c, "inode %lu has too many xattrs, doing a non-atomic deletion",