Skip to content

Commit 4b95459

Browse files
torvaldstorvalds
committed
Merge tag 'exfat-for-6.5-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat
Pull exfat fixes from Namjae Jeon: - Fix page allocation failure from allocation bitmap by using kvmalloc_array/kvfree - Add the check to validate if filename entries exceeds max filename length - Fix potential deadlock condition from dir_emit*() * tag 'exfat-for-6.5-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat: exfat: release s_lock before calling dir_emit() exfat: check if filename entries exceeds max filename length exfat: use kvmalloc_array/kvfree instead of kmalloc_array/kfree
2 parents 79d65ee + ff84772 commit 4b95459

File tree

2 files changed

+22
-20
lines changed

2 files changed

+22
-20
lines changed

fs/exfat/balloc.c

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -69,7 +69,7 @@ static int exfat_allocate_bitmap(struct super_block *sb,
6969
}
7070
sbi->map_sectors = ((need_map_size - 1) >>
7171
(sb->s_blocksize_bits)) + 1;
72-
sbi->vol_amap = kmalloc_array(sbi->map_sectors,
72+
sbi->vol_amap = kvmalloc_array(sbi->map_sectors,
7373
sizeof(struct buffer_head *), GFP_KERNEL);
7474
if (!sbi->vol_amap)
7575
return -ENOMEM;
@@ -84,7 +84,7 @@ static int exfat_allocate_bitmap(struct super_block *sb,
8484
while (j < i)
8585
brelse(sbi->vol_amap[j++]);
8686

87-
kfree(sbi->vol_amap);
87+
kvfree(sbi->vol_amap);
8888
sbi->vol_amap = NULL;
8989
return -EIO;
9090
}
@@ -138,7 +138,7 @@ void exfat_free_bitmap(struct exfat_sb_info *sbi)
138138
for (i = 0; i < sbi->map_sectors; i++)
139139
__brelse(sbi->vol_amap[i]);
140140

141-
kfree(sbi->vol_amap);
141+
kvfree(sbi->vol_amap);
142142
}
143143

144144
int exfat_set_bitmap(struct inode *inode, unsigned int clu, bool sync)

fs/exfat/dir.c

Lines changed: 19 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,7 @@ static int exfat_get_uniname_from_ext_entry(struct super_block *sb,
3434
{
3535
int i, err;
3636
struct exfat_entry_set_cache es;
37+
unsigned int uni_len = 0, len;
3738

3839
err = exfat_get_dentry_set(&es, sb, p_dir, entry, ES_ALL_ENTRIES);
3940
if (err)
@@ -52,7 +53,10 @@ static int exfat_get_uniname_from_ext_entry(struct super_block *sb,
5253
if (exfat_get_entry_type(ep) != TYPE_EXTEND)
5354
break;
5455

55-
exfat_extract_uni_name(ep, uniname);
56+
len = exfat_extract_uni_name(ep, uniname);
57+
uni_len += len;
58+
if (len != EXFAT_FILE_NAME_LEN || uni_len >= MAX_NAME_LENGTH)
59+
break;
5660
uniname += EXFAT_FILE_NAME_LEN;
5761
}
5862

@@ -214,7 +218,10 @@ static void exfat_free_namebuf(struct exfat_dentry_namebuf *nb)
214218
exfat_init_namebuf(nb);
215219
}
216220

217-
/* skip iterating emit_dots when dir is empty */
221+
/*
222+
* Before calling dir_emit*(), sbi->s_lock should be released
223+
* because page fault can occur in dir_emit*().
224+
*/
218225
#define ITER_POS_FILLED_DOTS (2)
219226
static int exfat_iterate(struct file *file, struct dir_context *ctx)
220227
{
@@ -229,11 +236,10 @@ static int exfat_iterate(struct file *file, struct dir_context *ctx)
229236
int err = 0, fake_offset = 0;
230237

231238
exfat_init_namebuf(nb);
232-
mutex_lock(&EXFAT_SB(sb)->s_lock);
233239

234240
cpos = ctx->pos;
235241
if (!dir_emit_dots(file, ctx))
236-
goto unlock;
242+
goto out;
237243

238244
if (ctx->pos == ITER_POS_FILLED_DOTS) {
239245
cpos = 0;
@@ -245,16 +251,18 @@ static int exfat_iterate(struct file *file, struct dir_context *ctx)
245251
/* name buffer should be allocated before use */
246252
err = exfat_alloc_namebuf(nb);
247253
if (err)
248-
goto unlock;
254+
goto out;
249255
get_new:
256+
mutex_lock(&EXFAT_SB(sb)->s_lock);
257+
250258
if (ei->flags == ALLOC_NO_FAT_CHAIN && cpos >= i_size_read(inode))
251259
goto end_of_dir;
252260

253261
err = exfat_readdir(inode, &cpos, &de);
254262
if (err) {
255263
/*
256-
* At least we tried to read a sector. Move cpos to next sector
257-
* position (should be aligned).
264+
* At least we tried to read a sector.
265+
* Move cpos to next sector position (should be aligned).
258266
*/
259267
if (err == -EIO) {
260268
cpos += 1 << (sb->s_blocksize_bits);
@@ -277,26 +285,19 @@ static int exfat_iterate(struct file *file, struct dir_context *ctx)
277285
inum = iunique(sb, EXFAT_ROOT_INO);
278286
}
279287

280-
/*
281-
* Before calling dir_emit(), sb_lock should be released.
282-
* Because page fault can occur in dir_emit() when the size
283-
* of buffer given from user is larger than one page size.
284-
*/
285288
mutex_unlock(&EXFAT_SB(sb)->s_lock);
286289
if (!dir_emit(ctx, nb->lfn, strlen(nb->lfn), inum,
287290
(de.attr & ATTR_SUBDIR) ? DT_DIR : DT_REG))
288-
goto out_unlocked;
289-
mutex_lock(&EXFAT_SB(sb)->s_lock);
291+
goto out;
290292
ctx->pos = cpos;
291293
goto get_new;
292294

293295
end_of_dir:
294296
if (!cpos && fake_offset)
295297
cpos = ITER_POS_FILLED_DOTS;
296298
ctx->pos = cpos;
297-
unlock:
298299
mutex_unlock(&EXFAT_SB(sb)->s_lock);
299-
out_unlocked:
300+
out:
300301
/*
301302
* To improve performance, free namebuf after unlock sb_lock.
302303
* If namebuf is not allocated, this function do nothing
@@ -1079,7 +1080,8 @@ int exfat_find_dir_entry(struct super_block *sb, struct exfat_inode_info *ei,
10791080
if (entry_type == TYPE_EXTEND) {
10801081
unsigned short entry_uniname[16], unichar;
10811082

1082-
if (step != DIRENT_STEP_NAME) {
1083+
if (step != DIRENT_STEP_NAME ||
1084+
name_len >= MAX_NAME_LENGTH) {
10831085
step = DIRENT_STEP_FILE;
10841086
continue;
10851087
}

0 commit comments

Comments
 (0)