Commit 163c3e3d authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'for-linus-5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs 

Pull JFFS2, UBI and UBIFS updates from Richard Weinberger:
 "JFFS2:
   - Fix for a corner case while mounting
   - Fix for an use-after-free issue

  UBI:
   - Fix for a memory load while attaching
   - Don't produce an anchor PEB with fastmap being disabled

  UBIFS:
   - Fix for orphan inode logic
   - Spelling fixes
   - New mount option to specify filesystem version"

* tag 'for-linus-5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs:
  jffs2: fix UAF problem
  jffs2: fix jffs2 mounting failure
  ubifs: Fix wrong orphan node deletion in ubifs_jnl_update|rename
  ubi: fastmap: Free fastmap next anchor peb during detach
  ubi: fastmap: Don't produce the initial next anchor PEB when fastmap is disabled
  ubifs: misc.h: delete a duplicated word
  ubifs: add option to specify version for new file systems
parents 4bcf69e5 798b7347

drivers/mtd/ubi/fastmap-wl.c

+5 −0
Original line number Diff line number Diff line
@@ -381,6 +381,11 @@ static void ubi_fastmap_close(struct ubi_device *ubi) 
		ubi->fm_anchor = NULL;

	}



	if (ubi->fm_next_anchor) {

		return_unused_peb(ubi, ubi->fm_next_anchor);

		ubi->fm_next_anchor = NULL;

	}



	if (ubi->fm) {

		for (i = 0; i < ubi->fm->used_blocks; i++)

			kfree(ubi->fm->e[i]);

drivers/mtd/ubi/wl.c

+2 −1
Original line number Diff line number Diff line
@@ -1086,7 +1086,8 @@ static int __erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk) 
	if (!err) {

		spin_lock(&ubi->wl_lock);



		if (!ubi->fm_next_anchor && e->pnum < UBI_FM_MAX_START) {

		if (!ubi->fm_disabled && !ubi->fm_next_anchor &&

		    e->pnum < UBI_FM_MAX_START) {

			/* Abort anchor production, if needed it will be

			 * enabled again in the wear leveling started below.

			 */

fs/jffs2/dir.c

+5 −1
Original line number Diff line number Diff line
@@ -590,10 +590,14 @@ static int jffs2_rmdir (struct inode *dir_i, struct dentry *dentry) 
	int ret;

	uint32_t now = JFFS2_NOW();



	mutex_lock(&f->sem);

	for (fd = f->dents ; fd; fd = fd->next) {

		if (fd->ino)

		if (fd->ino) {

			mutex_unlock(&f->sem);

			return -ENOTEMPTY;

		}

	}

	mutex_unlock(&f->sem);



	ret = jffs2_do_unlink(c, dir_f, dentry->d_name.name,

			      dentry->d_name.len, f, now);

fs/jffs2/scan.c

+2 −1
Original line number Diff line number Diff line
@@ -261,7 +261,8 @@ int jffs2_scan_medium(struct jffs2_sb_info *c) 
	}

#endif

	if (c->nr_erasing_blocks) {

		if ( !c->used_size && ((c->nr_free_blocks+empty_blocks+bad_blocks)!= c->nr_blocks || bad_blocks == c->nr_blocks) ) {

		if (!c->used_size && !c->unchecked_size &&

			((c->nr_free_blocks+empty_blocks+bad_blocks) != c->nr_blocks || bad_blocks == c->nr_blocks)) {

			pr_notice("Cowardly refusing to erase blocks on filesystem with no valid JFFS2 nodes\n");

			pr_notice("empty_blocks %d, bad_blocks %d, c->nr_blocks %d\n",

				  empty_blocks, bad_blocks, c->nr_blocks);

fs/ubifs/journal.c

+6 −4
Original line number Diff line number Diff line
@@ -539,7 +539,7 @@ int ubifs_jnl_update(struct ubifs_info *c, const struct inode *dir, 
		     const struct fscrypt_name *nm, const struct inode *inode,

		     int deletion, int xent)

{

	int err, dlen, ilen, len, lnum, ino_offs, dent_offs;

	int err, dlen, ilen, len, lnum, ino_offs, dent_offs, orphan_added = 0;

	int aligned_dlen, aligned_ilen, sync = IS_DIRSYNC(dir);

	int last_reference = !!(deletion && inode->i_nlink == 0);

	struct ubifs_inode *ui = ubifs_inode(inode);
@@ -630,6 +630,7 @@ int ubifs_jnl_update(struct ubifs_info *c, const struct inode *dir, 
			goto out_finish;

		}

		ui->del_cmtno = c->cmt_no;

		orphan_added = 1;

	}



	err = write_head(c, BASEHD, dent, len, &lnum, &dent_offs, sync);
@@ -702,7 +703,7 @@ out_release: 
	kfree(dent);

out_ro:

	ubifs_ro_mode(c, err);

	if (last_reference)

	if (orphan_added)

		ubifs_delete_orphan(c, inode->i_ino);

	finish_reservation(c);

	return err;
@@ -1218,7 +1219,7 @@ int ubifs_jnl_rename(struct ubifs_info *c, const struct inode *old_dir, 
	void *p;

	union ubifs_key key;

	struct ubifs_dent_node *dent, *dent2;

	int err, dlen1, dlen2, ilen, lnum, offs, len;

	int err, dlen1, dlen2, ilen, lnum, offs, len, orphan_added = 0;

	int aligned_dlen1, aligned_dlen2, plen = UBIFS_INO_NODE_SZ;

	int last_reference = !!(new_inode && new_inode->i_nlink == 0);

	int move = (old_dir != new_dir);
@@ -1334,6 +1335,7 @@ int ubifs_jnl_rename(struct ubifs_info *c, const struct inode *old_dir, 
			goto out_finish;

		}

		new_ui->del_cmtno = c->cmt_no;

		orphan_added = 1;

	}



	err = write_head(c, BASEHD, dent, len, &lnum, &offs, sync);
@@ -1415,7 +1417,7 @@ out_release: 
	release_head(c, BASEHD);

out_ro:

	ubifs_ro_mode(c, err);

	if (last_reference)

	if (orphan_added)

		ubifs_delete_orphan(c, new_inode->i_ino);

out_finish:

	finish_reservation(c);

CRA Git | Maintained and supported by SUSTech CRA and CCSE