
Merge tag 'for-linus-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs

Pull UBI and UBIFS updates from Richard Weinberger:

- Fix for memory leaks around UBIFS orphan handling

- Fix for memory leaks around UBI fastmap

- Remove zero-length array from ubi-media.h

- Fix for TNC lookup in UBIFS orphan code

* tag 'for-linus-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs:
ubi: ubi-media.h: Replace zero-length array with flexible-array member
ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len
ubi: fastmap: Only produce the initial anchor PEB when fastmap is used
ubi: fastmap: Free unused fastmap anchor peb during detach
ubifs: ubifs_add_orphan: Fix a memory leak bug
ubifs: ubifs_jnl_write_inode: Fix a memory leak bug
ubifs: Fix ubifs_tnc_lookup() usage in do_kill_orphans()

+40 -10
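--- a/drivers/mtd/ubi/fastmap-wl.c
+++ b/drivers/mtd/ubi/fastmap-wl.c
@@ -39,6 +39,13 @@
 	return victim;
 }
 
+static inline void return_unused_peb(struct ubi_device *ubi,
+				     struct ubi_wl_entry *e)
+{
+	wl_tree_add(e, &ubi->free);
+	ubi->free_count++;
+}
+
 /**
  * return_unused_pool_pebs - returns unused PEB to the free tree.
  * @ubi: UBI device description object
@@ -52,8 +59,7 @@
 
 	for (i = pool->used; i < pool->size; i++) {
 		e = ubi->lookuptbl[pool->pebs[i]];
-		wl_tree_add(e, &ubi->free);
-		ubi->free_count++;
+		return_unused_peb(ubi, e);
 	}
 }
 
@@ -360,6 +366,11 @@
 
 	return_unused_pool_pebs(ubi, &ubi->fm_pool);
 	return_unused_pool_pebs(ubi, &ubi->fm_wl_pool);
+
+	if (ubi->fm_anchor) {
+		return_unused_peb(ubi, ubi->fm_anchor);
+		ubi->fm_anchor = NULL;
+	}
 
 	if (ubi->fm) {
 		for (i = 0; i < ubi->fm->used_blocks; i++)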
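Review bot: The new `return_unused_peb()` helper in the first hunk has no kernel-doc, while its neighbour `return_unused_pool_pebs` a few lines below does; a header in the same style would keep the file consistent: `/** return_unused_peb - returns an unused PEB to the free tree. @ubi: UBI device description object. @e: wear-leveling entry of the PEB to return */`, written as a kernel-doc block. In the third hunk the anchor is handed back with `return_unused_peb(ubi, ubi->fm_anchor)` before the pointer is cleared, which is the right order. Whether the caller holds the lock that protects `ubi->free` and `ubi->free_count` cannot be seen here, as the enclosing function begins outside the hunk.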
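--- a/drivers/mtd/ubi/ubi-media.h
+++ b/drivers/mtd/ubi/ubi-media.h
@@ -498,6 +498,6 @@
 struct ubi_fm_eba {
 	__be32 magic;
 	__be32 reserved_pebs;
-	__be32 pnum[0];
+	__be32 pnum[];
 } __packed;
 #endif /* !__UBI_MEDIA_H__ */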
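--- a/drivers/mtd/ubi/wl.c
+++ b/drivers/mtd/ubi/wl.c
@@ -1875,7 +1875,8 @@
 		goto out_free;
 
 #ifdef CONFIG_MTD_UBI_FASTMAP
-	ubi_ensure_anchor_pebs(ubi);
+	if (!ubi->ro_mode && !ubi->fm_disabled)
+		ubi_ensure_anchor_pebs(ubi);
 #endif
 	return 0;
 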
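Review bot: The new condition `if (!ubi->ro_mode && !ubi->fm_disabled)` carries no explanation of why the anchor PEB is skipped in those two states; a one-line comment above it, `/* No fastmap anchor is needed in read-only mode or with fastmap disabled */`, would spare the next reader a trip into the fastmap code. The enclosing function starts and ends outside the hunk, so whether `fm_disabled` can still change after this point — in which case no anchor would ever be produced — cannot be judged from here.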
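--- a/fs/ubifs/io.c
+++ b/fs/ubifs/io.c
@@ -225,7 +225,7 @@
 int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum,
 		     int offs, int quiet, int must_chk_crc)
 {
-	int err = -EINVAL, type, node_len;
+	int err = -EINVAL, type, node_len, dump_node = 1;
 	uint32_t crc, node_crc, magic;
 	const struct ubifs_ch *ch = buf;
 
@@ -278,10 +278,22 @@
 out_len:
 	if (!quiet)
 		ubifs_err(c, "bad node length %d", node_len);
+	if (type == UBIFS_DATA_NODE && node_len > UBIFS_DATA_NODE_SZ)
+		dump_node = 0;
 out:
 	if (!quiet) {
 		ubifs_err(c, "bad node at LEB %d:%d", lnum, offs);
-		ubifs_dump_node(c, buf);
+		if (dump_node) {
+			ubifs_dump_node(c, buf);
+		} else {
+			int safe_len = min3(node_len, c->leb_size - offs,
+					    (int)UBIFS_MAX_DATA_NODE_SZ);
+			pr_err("\tprevent out-of-bounds memory access\n");
+			pr_err("\ttruncated data node length %d\n", safe_len);
+			pr_err("\tcorrupted data node:\n");
+			print_hex_dump(KERN_ERR, "\t", DUMP_PREFIX_OFFSET, 32, 1,
+				       buf, safe_len, 0);
+		}
 		dump_stack();
 	}
 	return err;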
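Review bot: The guard added at `out_len:` suppresses `ubifs_dump_node()` only for data nodes whose `node_len` exceeds `UBIFS_DATA_NODE_SZ`; a data node that reaches `out_len` with a length below the header size — including a negative value, since `node_len` is declared `int` in the first hunk — still goes through `ubifs_dump_node(c, buf)`, and whether that routine tolerates such lengths is not visible in this hunk and should be confirmed. If it does not, widening the test to `if (type == UBIFS_DATA_NODE && node_len != UBIFS_DATA_NODE_SZ)` and clamping `safe_len` to be non-negative before `print_hex_dump()` covers both directions, since `min3()` alone would pass a negative `safe_len` through. Separately, `dump_node` is a yes/no flag, so `bool dump_node = true;` reads more directly than an `int` initialised to 1. The body of `ubifs_check_node` between the two hunks is outside view.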
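--- a/fs/ubifs/journal.c
+++ b/fs/ubifs/journal.c
@@ -905,6 +905,7 @@
 			ubifs_err(c, "dead directory entry '%s', error %d",
 				  xent->name, err);
 			ubifs_ro_mode(c, err);
+			kfree(xent);
 			goto out_release;
 		}
 		ubifs_assert(c, ubifs_inode(xino)->xattr);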
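--- a/fs/ubifs/orphan.c
+++ b/fs/ubifs/orphan.c
@@ -157,7 +157,7 @@
 	int err = 0;
 	ino_t xattr_inum;
 	union ubifs_key key;
-	struct ubifs_dent_node *xent;
+	struct ubifs_dent_node *xent, *pxent = NULL;
 	struct fscrypt_name nm = {0};
 	struct ubifs_orphan *xattr_orphan;
 	struct ubifs_orphan *orphan;
@@ -181,11 +181,16 @@
 		xattr_inum = le64_to_cpu(xent->inum);
 
 		xattr_orphan = orphan_add(c, xattr_inum, orphan);
-		if (IS_ERR(xattr_orphan))
+		if (IS_ERR(xattr_orphan)) {
+			kfree(xent);
 			return PTR_ERR(xattr_orphan);
+		}
 
+		kfree(pxent);
+		pxent = xent;
 		key_read(c, &xent->key, &key);
 	}
+	kfree(pxent);
 
 	return 0;
 }
@@ -688,14 +693,14 @@
 
 	ino_key_init(c, &key1, inum);
 	err = ubifs_tnc_lookup(c, &key1, ino);
-	if (err)
+	if (err && err != -ENOENT)
 		goto out_free;
 
 	/*
 	 * Check whether an inode can really get deleted.
 	 * linkat() with O_TMPFILE allows rebirth of an inode.
 	 */
-	if (ino->nlink == 0) {
+	if (err == 0 && ino->nlink == 0) {
 		dbg_rcvry("deleting orphaned inode %lu",
 			  (unsigned long)inum);
 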
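Review bot: The `IS_ERR(xattr_orphan)` exit in the second hunk frees `xent` but not `pxent`, which at that point still holds the previous iteration's entry (assigned by `pxent = xent;` at the end of the prior pass and released only on the next successful pass or by the `kfree(pxent)` after the loop), so a failing `orphan_add()` on any iteration after the first still leaks one node. The exit should release both: `kfree(pxent); kfree(xent); return PTR_ERR(xattr_orphan);`. The loop head and its `ubifs_tnc_next_ent()` error exit are outside the hunk; if that exit returns directly instead of breaking out to the trailing `kfree(pxent)`, it has the same leak and needs the same fix.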