This pull request contains changes (actually just fixes) for UBIFS
JFFS2: - Fix for use-after-free in jffs2_sum_write_data() - Fix for out-of-bounds access in jffs2_zlib_compress() UBI: - Remove dead/useless code UBIFS: - Fix for a memory leak in ubifs_init_authentication() - Fix for high stack usage - Fix for a off-by-one error in xattrs code -----BEGIN PGP SIGNATURE----- iQJKBAABCAA0FiEEdgfidid8lnn52cLTZvlZhesYu8EFAmAyuh8WHHJpY2hhcmRA c2lnbWEtc3Rhci5hdAAKCRBm+VmF6xi7wT+bD/9Q2Ar9yMX9drPyAnyb3vudE8c8 l0RdNLyBSL87pskpszNZR2+o8Yi3vjlbGWq5i97JsP/7UOb4Gc/MfXPYJteP1xUN S46EZwgcZa4XCgMSSdMk/NZl7bVdbwjvcGjw1CA4RdPkwt8s2jwYdS+hPrHu6o87 3xkP7kWShs/2KhUyvodZgAu6SYcTW+OjiKwdAIKxa1Ak9YUMGzsSHqCbl19he5MG hMxFZIqRZ2zZUfFeYXffVApJI8eBEKVud2qtNA/A6eGsy5Wx3c4F/bxG/uWdoJPp n5CmFRc6UGh8teA43aag5BnLv8sR9bC1Kf3lQX4nwfpBSzE7LwIMN7SVpL0JH5vT dJdwn37JYL/RQjmjTk++O/sSgeg9jJWMG+VOSmuKWPgP6xAYEVXqWg9njuV3wl9W NFBoybP82IyVHcthOcTrY8dx0F7A4q+3PkMy+7cikO2fYKVvJjdKgTp4pcVnGCR3 IadXzNRdYrLPvYwf25D2AyETwQQxcmh/Ox7ZOhkUXuFQ/KnhU0yqbO3cTTB1A/mO jY2SPtXXeUZwgGpGc8Lyr8/KGZ6tJX/3jswwmg+XvdegBLRogqty8XOcwUuJszCh 1kDAKs2LJ6UaMYyhV6Jxr4c+wgHoKJG+voY+oTkrUP4Lt0hQVELCylEkX2uJo60Y x4Gic/YbRUwnfjlAcg== =xorv -----END PGP SIGNATURE----- Merge tag 'for-linus-5.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs Pull JFFS2/UBIFS and UBI updates from Richard Weinberger: "JFFS2: - Fix for use-after-free in jffs2_sum_write_data() - Fix for out-of-bounds access in jffs2_zlib_compress() UBI: - Remove dead/useless code UBIFS: - Fix for a memory leak in ubifs_init_authentication() - Fix for high stack usage - Fix for a off-by-one error in xattrs code" * tag 'for-linus-5.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs: ubifs: Fix error return code in alloc_wbufs() jffs2: check the validity of dstlen in jffs2_zlib_compress() ubifs: Fix off-by-one error ubifs: replay: Fix high stack usage, again ubifs: Fix memleak in ubifs_init_authentication jffs2: fix use after free in jffs2_sum_write_data() ubi: eba: Delete useless kfree code ubi: remove dead code in validate_vid_hdr()
This commit is contained in:
Linus Torvalds
commit
66f73fb3fa
@ -142,7 +142,6 @@ struct ubi_eba_table *ubi_eba_create_table(struct ubi_volume *vol,
|
||||
return tbl;
|
||||
|
||||
err:
|
||||
kfree(tbl->entries);
|
||||
kfree(tbl);
|
||||
|
||||
return ERR_PTR(err);
|
||||
|
||||
@ -913,12 +913,7 @@ static int validate_vid_hdr(const struct ubi_device *ubi,
|
||||
ubi_err(ubi, "bad data_size");
|
||||
goto bad;
|
||||
}
|
||||
} else if (lnum == used_ebs - 1) {
|
||||
if (data_size == 0) {
|
||||
ubi_err(ubi, "bad data_size at last LEB");
|
||||
goto bad;
|
||||
}
|
||||
} else {
|
||||
} else if (lnum > used_ebs - 1) {
|
||||
ubi_err(ubi, "too high lnum");
|
||||
goto bad;
|
||||
}
|
||||
|
||||
@ -37,6 +37,9 @@ static int jffs2_rtime_compress(unsigned char *data_in,
|
||||
int outpos = 0;
|
||||
int pos=0;
|
||||
|
||||
if (*dstlen <= 3)
|
||||
return -1;
|
||||
|
||||
memset(positions,0,sizeof(positions));
|
||||
|
||||
while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
|
||||
|
||||
@ -783,6 +783,8 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
|
||||
dbg_summary("Writing unknown RWCOMPAT_COPY node type %x\n",
|
||||
je16_to_cpu(temp->u.nodetype));
|
||||
jffs2_sum_disable_collecting(c->summary);
|
||||
/* The above call removes the list, nothing more to do */
|
||||
goto bail_rwcompat;
|
||||
} else {
|
||||
BUG(); /* unknown node in summary information */
|
||||
}
|
||||
@ -794,6 +796,7 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
|
||||
|
||||
c->summary->sum_num--;
|
||||
}
|
||||
bail_rwcompat:
|
||||
|
||||
jffs2_sum_reset_collected(c->summary);
|
||||
|
||||
|
||||
@ -327,7 +327,7 @@ int ubifs_init_authentication(struct ubifs_info *c)
|
||||
ubifs_err(c, "hmac %s is bigger than maximum allowed hmac size (%d > %d)",
|
||||
hmac_name, c->hmac_desc_len, UBIFS_HMAC_ARR_SZ);
|
||||
err = -EINVAL;
|
||||
goto out_free_hash;
|
||||
goto out_free_hmac;
|
||||
}
|
||||
|
||||
err = crypto_shash_setkey(c->hmac_tfm, ukp->data, ukp->datalen);
|
||||
|
||||
@ -881,7 +881,7 @@ int ubifs_jnl_write_inode(struct ubifs_info *c, const struct inode *inode)
|
||||
struct inode *xino;
|
||||
struct ubifs_dent_node *xent, *pxent = NULL;
|
||||
|
||||
if (ui->xattr_cnt >= ubifs_xattr_max_cnt(c)) {
|
||||
if (ui->xattr_cnt > ubifs_xattr_max_cnt(c)) {
|
||||
ubifs_err(c, "Cannot delete inode, it has too much xattrs!");
|
||||
goto out_release;
|
||||
}
|
||||
|
||||
@ -559,7 +559,9 @@ static int is_last_bud(struct ubifs_info *c, struct ubifs_bud *bud)
|
||||
}
|
||||
|
||||
/* authenticate_sleb_hash is split out for stack usage */
|
||||
static int authenticate_sleb_hash(struct ubifs_info *c, struct shash_desc *log_hash, u8 *hash)
|
||||
static int noinline_for_stack
|
||||
authenticate_sleb_hash(struct ubifs_info *c,
|
||||
struct shash_desc *log_hash, u8 *hash)
|
||||
{
|
||||
SHASH_DESC_ON_STACK(hash_desc, c->hash_tfm);
|
||||
|
||||
|
||||
@ -838,8 +838,10 @@ static int alloc_wbufs(struct ubifs_info *c)
|
||||
c->jheads[i].wbuf.jhead = i;
|
||||
c->jheads[i].grouped = 1;
|
||||
c->jheads[i].log_hash = ubifs_hash_get_desc(c);
|
||||
if (IS_ERR(c->jheads[i].log_hash))
|
||||
if (IS_ERR(c->jheads[i].log_hash)) {
|
||||
err = PTR_ERR(c->jheads[i].log_hash);
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
@ -498,7 +498,7 @@ int ubifs_purge_xattrs(struct inode *host)
|
||||
struct fscrypt_name nm = {0};
|
||||
int err;
|
||||
|
||||
if (ubifs_inode(host)->xattr_cnt < ubifs_xattr_max_cnt(c))
|
||||
if (ubifs_inode(host)->xattr_cnt <= ubifs_xattr_max_cnt(c))
|
||||
return 0;
|
||||
|
||||
ubifs_warn(c, "inode %lu has too many xattrs, doing a non-atomic deletion",
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user