1. 24 Jul, 2020 9 commits
  2. 23 Jul, 2020 7 commits
  3. 22 Jul, 2020 8 commits
  4. 21 Jul, 2020 13 commits
    • Boris Burkov's avatar
      btrfs: fix mount failure caused by race with umount · 48cfa61b
      Boris Burkov authored
      It is possible to cause a btrfs mount to fail by racing it with a slow
      umount. The crux of the sequence is generic_shutdown_super not yet
      calling sop->put_super before btrfs_mount_root calls btrfs_open_devices.
      If that occurs, btrfs_open_devices will decide the opened counter is
      non-zero, increment it, and skip resetting fs_devices->total_rw_bytes to
      0. From here, mount will call sget which will result in grab_super
      trying to take the super block umount semaphore. That semaphore will be
      held by the slow umount, so mount will block. Before up-ing the
      semaphore, umount will delete the super block, resulting in mount's sget
      reliably allocating a new one, which causes the mount path to dutifully
      fill it out, and increment total_rw_bytes a second time, which causes
      the mount to fail, as we see double the expected bytes.
      
      Here is the sequence laid out in greater detail:
      
      CPU0                                                    CPU1
      down_write sb->s_umount
      btrfs_kill_super
        kill_anon_super(sb)
          generic_shutdown_super(sb);
            shrink_dcache_for_umount(sb);
            sync_filesystem(sb);
            evict_inodes(sb); // SLOW
      
                                                    btrfs_mount_root
                                                      btrfs_scan_one_device
                                                      fs_devices = device->fs_devices
                                                      fs_info->fs_devices = fs_devices
                                                      // fs_devices-opened makes this a no-op
                                                      btrfs_open_devices(fs_devices, mode, fs_type)
                                                      s = sget(fs_type, test, set, flags, fs_info);
                                                        find sb in s_instances
                                                        grab_super(sb);
                                                          down_write(&s->s_umount); // blocks
      
            sop->put_super(sb)
              // sb->fs_devices->opened == 2; no-op
            spin_lock(&sb_lock);
            hlist_del_init(&sb->s_instances);
            spin_unlock(&sb_lock);
            up_write(&sb->s_umount);
                                                          return 0;
                                                        retry lookup
                                                        don't find sb in s_instances (deleted by CPU0)
                                                        s = alloc_super
                                                        return s;
                                                      btrfs_fill_super(s, fs_devices, data)
                                                        open_ctree // fs_devices total_rw_bytes improperly set!
                                                          btrfs_read_chunk_tree
                                                            read_one_dev // increment total_rw_bytes again!!
                                                            super_total_bytes < fs_devices->total_rw_bytes // ERROR!!!
      
      To fix this, we clear total_rw_bytes from within btrfs_read_chunk_tree
      before the calls to read_one_dev, while holding the sb umount semaphore
      and the uuid mutex.
      
      To reproduce, it is sufficient to dirty a decent number of inodes, then
      quickly umount and mount.
      
        for i in $(seq 0 500)
        do
          dd if=/dev/zero of="/mnt/foo/$i" bs=1M count=1
        done
        umount /mnt/foo&
        mount /mnt/foo
      
      does the trick for me.
      
      CC: stable@vger.kernel.org # 4.4+
      Signed-off-by: default avatarBoris Burkov <boris@bur.io>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      48cfa61b
    • Robbie Ko's avatar
      btrfs: fix page leaks after failure to lock page for delalloc · 5909ca11
      Robbie Ko authored
      When locking pages for delalloc, we check if it's dirty and mapping still
      matches. If it does not match, we need to return -EAGAIN and release all
      pages. Only the current page was put though, iterate over all the
      remaining pages too.
      
      CC: stable@vger.kernel.org # 4.14+
      Reviewed-by: default avatarFilipe Manana <fdmanana@suse.com>
      Reviewed-by: default avatarNikolay Borisov <nborisov@suse.com>
      Signed-off-by: default avatarRobbie Ko <robbieko@synology.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      5909ca11
    • Qu Wenruo's avatar
      btrfs: qgroup: fix data leak caused by race between writeback and truncate · fa91e4aa
      Qu Wenruo authored
      [BUG]
      When running tests like generic/013 on test device with btrfs quota
      enabled, it can normally lead to data leak, detected at unmount time:
      
        BTRFS warning (device dm-3): qgroup 0/5 has unreleased space, type 0 rsv 4096
        ------------[ cut here ]------------
        WARNING: CPU: 11 PID: 16386 at fs/btrfs/disk-io.c:4142 close_ctree+0x1dc/0x323 [btrfs]
        RIP: 0010:close_ctree+0x1dc/0x323 [btrfs]
        Call Trace:
         btrfs_put_super+0x15/0x17 [btrfs]
         generic_shutdown_super+0x72/0x110
         kill_anon_super+0x18/0x30
         btrfs_kill_super+0x17/0x30 [btrfs]
         deactivate_locked_super+0x3b/0xa0
         deactivate_super+0x40/0x50
         cleanup_mnt+0x135/0x190
         __cleanup_mnt+0x12/0x20
         task_work_run+0x64/0xb0
         __prepare_exit_to_usermode+0x1bc/0x1c0
         __syscall_return_slowpath+0x47/0x230
         do_syscall_64+0x64/0xb0
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
        ---[ end trace caf08beafeca2392 ]---
        BTRFS error (device dm-3): qgroup reserved space leaked
      
      [CAUSE]
      In the offending case, the offending operations are:
      2/6: writev f2X[269 1 0 0 0 0] [1006997,67,288] 0
      2/7: truncate f2X[269 1 0 0 48 1026293] 18388 0
      
      The following sequence of events could happen after the writev():
      	CPU1 (writeback)		|		CPU2 (truncate)
      -----------------------------------------------------------------
      btrfs_writepages()			|
      |- extent_write_cache_pages()		|
         |- Got page for 1003520		|
         |  1003520 is Dirty, no writeback	|
         |  So (!clear_page_dirty_for_io())   |
         |  gets called for it		|
         |- Now page 1003520 is Clean.	|
         |					| btrfs_setattr()
         |					| |- btrfs_setsize()
         |					|    |- truncate_setsize()
         |					|       New i_size is 18388
         |- __extent_writepage()		|
         |  |- page_offset() > i_size		|
            |- btrfs_invalidatepage()		|
      	 |- Page is clean, so no qgroup |
      	    callback executed
      
      This means, the qgroup reserved data space is not properly released in
      btrfs_invalidatepage() as the page is Clean.
      
      [FIX]
      Instead of checking the dirty bit of a page, call
      btrfs_qgroup_free_data() unconditionally in btrfs_invalidatepage().
      
      As qgroup rsv are completely bound to the QGROUP_RESERVED bit of
      io_tree, not bound to page status, thus we won't cause double freeing
      anyway.
      
      Fixes: 0b34c261 ("btrfs: qgroup: Prevent qgroup->reserved from going subzero")
      CC: stable@vger.kernel.org # 4.14+
      Reviewed-by: default avatarJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: default avatarQu Wenruo <wqu@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      fa91e4aa
    • Paweł Gronowski's avatar
      drm/amdgpu: Fix NULL dereference in dpm sysfs handlers · 38e0c89a
      Paweł Gronowski authored
      NULL dereference occurs when string that is not ended with space or
      newline is written to some dpm sysfs interface (for example pp_dpm_sclk).
      This happens because strsep replaces the tmp with NULL if the delimiter
      is not present in string, which is then dereferenced by tmp[0].
      
      Reproduction example:
      sudo sh -c 'echo -n 1 > /sys/class/drm/card0/device/pp_dpm_sclk'
      Signed-off-by: default avatarPaweł Gronowski <me@woland.xyz>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      38e0c89a
    • Qiu Wenbo's avatar
      drm/amd/powerplay: fix a crash when overclocking Vega M · 88bb16ad
      Qiu Wenbo authored
      Avoid kernel crash when vddci_control is SMU7_VOLTAGE_CONTROL_NONE and
      vddci_voltage_table is empty. It has been tested on Intel Hades Canyon
      (i7-8809G).
      
      Bug: https://bugzilla.kernel.org/show_bug.cgi?id=208489
      Fixes: ac7822b0 ("drm/amd/powerplay: add smumgr support for VEGAM (v2)")
      Reviewed-by: default avatarEvan Quan <evan.quan@amd.com>
      Signed-off-by: default avatarQiu Wenbo <qiuwenbo@phytium.com.cn>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      88bb16ad
    • Filipe Manana's avatar
      btrfs: fix double free on ulist after backref resolution failure · 580c079b
      Filipe Manana authored
      At btrfs_find_all_roots_safe() we allocate a ulist and set the **roots
      argument to point to it. However if later we fail due to an error returned
      by find_parent_nodes(), we free that ulist but leave a dangling pointer in
      the **roots argument. Upon receiving the error, a caller of this function
      can attempt to free the same ulist again, resulting in an invalid memory
      access.
      
      One such scenario is during qgroup accounting:
      
      btrfs_qgroup_account_extents()
      
       --> calls btrfs_find_all_roots() passes &new_roots (a stack allocated
           pointer) to btrfs_find_all_roots()
      
         --> btrfs_find_all_roots() just calls btrfs_find_all_roots_safe()
             passing &new_roots to it
      
           --> allocates ulist and assigns its address to **roots (which
               points to new_roots from btrfs_qgroup_account_extents())
      
           --> find_parent_nodes() returns an error, so we free the ulist
               and leave **roots pointing to it after returning
      
       --> btrfs_qgroup_account_extents() sees btrfs_find_all_roots() returned
           an error and jumps to the label 'cleanup', which just tries to
           free again the same ulist
      
      Stack trace example:
      
       ------------[ cut here ]------------
       BTRFS: tree first key check failed
       WARNING: CPU: 1 PID: 1763215 at fs/btrfs/disk-io.c:422 btrfs_verify_level_key+0xe0/0x180 [btrfs]
       Modules linked in: dm_snapshot dm_thin_pool (...)
       CPU: 1 PID: 1763215 Comm: fsstress Tainted: G        W         5.8.0-rc3-btrfs-next-64 #1
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
       RIP: 0010:btrfs_verify_level_key+0xe0/0x180 [btrfs]
       Code: 28 5b 5d (...)
       RSP: 0018:ffffb89b473779a0 EFLAGS: 00010286
       RAX: 0000000000000000 RBX: ffff90397759bf08 RCX: 0000000000000000
       RDX: 0000000000000001 RSI: 0000000000000027 RDI: 00000000ffffffff
       RBP: ffff9039a419c000 R08: 0000000000000000 R09: 0000000000000000
       R10: 0000000000000000 R11: ffffb89b43301000 R12: 000000000000005e
       R13: ffffb89b47377a2e R14: ffffb89b473779af R15: 0000000000000000
       FS:  00007fc47e1e1000(0000) GS:ffff9039ac200000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 00007fc47e1df000 CR3: 00000003d9e4e001 CR4: 00000000003606e0
       DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
       Call Trace:
        read_block_for_search+0xf6/0x350 [btrfs]
        btrfs_next_old_leaf+0x242/0x650 [btrfs]
        resolve_indirect_refs+0x7cf/0x9e0 [btrfs]
        find_parent_nodes+0x4ea/0x12c0 [btrfs]
        btrfs_find_all_roots_safe+0xbf/0x130 [btrfs]
        btrfs_qgroup_account_extents+0x9d/0x390 [btrfs]
        btrfs_commit_transaction+0x4f7/0xb20 [btrfs]
        btrfs_sync_file+0x3d4/0x4d0 [btrfs]
        do_fsync+0x38/0x70
        __x64_sys_fdatasync+0x13/0x20
        do_syscall_64+0x5c/0xe0
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
       RIP: 0033:0x7fc47e2d72e3
       Code: Bad RIP value.
       RSP: 002b:00007fffa32098c8 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
       RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc47e2d72e3
       RDX: 00007fffa3209830 RSI: 00007fffa3209830 RDI: 0000000000000003
       RBP: 000000000000072e R08: 0000000000000001 R09: 0000000000000003
       R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000003e8
       R13: 0000000051eb851f R14: 00007fffa3209970 R15: 00005607c4ac8b50
       irq event stamp: 0
       hardirqs last  enabled at (0): [<0000000000000000>] 0x0
       hardirqs last disabled at (0): [<ffffffffb8eb5e85>] copy_process+0x755/0x1eb0
       softirqs last  enabled at (0): [<ffffffffb8eb5e85>] copy_process+0x755/0x1eb0
       softirqs last disabled at (0): [<0000000000000000>] 0x0
       ---[ end trace 8639237550317b48 ]---
       BTRFS error (device sdc): tree first key mismatch detected, bytenr=62324736 parent_transid=94 key expected=(262,108,1351680) has=(259,108,1921024)
       general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI
       CPU: 2 PID: 1763215 Comm: fsstress Tainted: G        W         5.8.0-rc3-btrfs-next-64 #1
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
       RIP: 0010:ulist_release+0x14/0x60 [btrfs]
       Code: c7 07 00 (...)
       RSP: 0018:ffffb89b47377d60 EFLAGS: 00010282
       RAX: 6b6b6b6b6b6b6b6b RBX: ffff903959b56b90 RCX: 0000000000000000
       RDX: 0000000000000001 RSI: 0000000000270024 RDI: ffff9036e2adc840
       RBP: ffff9036e2adc848 R08: 0000000000000000 R09: 0000000000000000
       R10: 0000000000000000 R11: 0000000000000000 R12: ffff9036e2adc840
       R13: 0000000000000015 R14: ffff9039a419ccf8 R15: ffff90395d605840
       FS:  00007fc47e1e1000(0000) GS:ffff9039ac600000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 00007f8c1c0a51c8 CR3: 00000003d9e4e004 CR4: 00000000003606e0
       DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
       Call Trace:
        ulist_free+0x13/0x20 [btrfs]
        btrfs_qgroup_account_extents+0xf3/0x390 [btrfs]
        btrfs_commit_transaction+0x4f7/0xb20 [btrfs]
        btrfs_sync_file+0x3d4/0x4d0 [btrfs]
        do_fsync+0x38/0x70
        __x64_sys_fdatasync+0x13/0x20
        do_syscall_64+0x5c/0xe0
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
       RIP: 0033:0x7fc47e2d72e3
       Code: Bad RIP value.
       RSP: 002b:00007fffa32098c8 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
       RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc47e2d72e3
       RDX: 00007fffa3209830 RSI: 00007fffa3209830 RDI: 0000000000000003
       RBP: 000000000000072e R08: 0000000000000001 R09: 0000000000000003
       R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000003e8
       R13: 0000000051eb851f R14: 00007fffa3209970 R15: 00005607c4ac8b50
       Modules linked in: dm_snapshot dm_thin_pool (...)
       ---[ end trace 8639237550317b49 ]---
       RIP: 0010:ulist_release+0x14/0x60 [btrfs]
       Code: c7 07 00 (...)
       RSP: 0018:ffffb89b47377d60 EFLAGS: 00010282
       RAX: 6b6b6b6b6b6b6b6b RBX: ffff903959b56b90 RCX: 0000000000000000
       RDX: 0000000000000001 RSI: 0000000000270024 RDI: ffff9036e2adc840
       RBP: ffff9036e2adc848 R08: 0000000000000000 R09: 0000000000000000
       R10: 0000000000000000 R11: 0000000000000000 R12: ffff9036e2adc840
       R13: 0000000000000015 R14: ffff9039a419ccf8 R15: ffff90395d605840
       FS:  00007fc47e1e1000(0000) GS:ffff9039ad200000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 00007f6a776f7d40 CR3: 00000003d9e4e002 CR4: 00000000003606e0
       DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      
      Fix this by making btrfs_find_all_roots_safe() set *roots to NULL after
      it frees the ulist.
      
      Fixes: 8da6d581 ("Btrfs: added btrfs_find_all_roots()")
      CC: stable@vger.kernel.org # 4.4+
      Reviewed-by: default avatarJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      580c079b
    • Jason Gunthorpe's avatar
      RDMA/mlx5: Prevent prefetch from racing with implicit destruction · a862192e
      Jason Gunthorpe authored
      Prefetch work in mlx5_ib_prefetch_mr_work can be queued and able to run
      concurrently with destruction of the implicit MR. The num_deferred_work
      was intended to serialize this, but there is a race:
      
             CPU0                                          CPU1
      
          mlx5_ib_free_implicit_mr()
            xa_erase(odp_mkeys)
            synchronize_srcu()
            __xa_erase(implicit_children)
                                            mlx5_ib_prefetch_mr_work()
                                              pagefault_mr()
                                               pagefault_implicit_mr()
                                                implicit_get_child_mr()
                                                 xa_cmpxchg()
                                              atomic_dec_and_test(num_deferred_mr)
            wait_event(imr->q_deferred_work)
            ib_umem_odp_release(odp_imr)
              kfree(odp_imr)
      
      At this point in mlx5_ib_free_implicit_mr() the implicit_children list is
      supposed to be empty forever so that destroy_unused_implicit_child_mr()
      and related are not and will not be running.
      
      Since it is not empty the destroy_unused_implicit_child_mr() flow ends up
      touching deallocated memory as mlx5_ib_free_implicit_mr() already tore down the
      imr parent.
      
      The solution is to flush out the prefetch wq by driving num_deferred_work
      to zero after creation of new prefetch work is blocked.
      
      Fixes: 5256edcb ("RDMA/mlx5: Rework implicit ODP destroy")
      Link: https://lore.kernel.org/r/20200719065435.130722-1-leon@kernel.orgSigned-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@nvidia.com>
      a862192e
    • Linus Torvalds's avatar
      Merge tag 'sound-5.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound into master · 8c26c87b
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "This became fairly large, containing mostly the collection of ASoC
        fixes that slipped from the previous request, so I sent now a bit
        earlier than usual. But all changes look small and mostly
        device-specific, hence nothing to worry too much.
      
        Majority of changes are for x86 based platforms and their CODEC
        drivers, in order to address some issues hit by their recent tests and
        fuzzing. The rest are other ASoC device-specific fixes (imx, qcom,
        wm8974, amd, rockchip) as well as a trivial fix for a kernel WARNING
        hit by syzkaller"
      
      * tag 'sound-5.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (28 commits)
        ALSA: hda/realtek: Fixed ALC298 sound bug by adding quirk for Samsung Notebook Pen S
        ALSA: info: Drop WARN_ON() from buffer NULL sanity check
        ASoC: rt5682: Report the button event in the headset type only
        ASoC: Intel: bytcht_es8316: Add missed put_device()
        ASoC: rt5682: Enable Vref2 under using PLL2
        ASoC: rt286: fix unexpected interrupt happens
        ASoC: wm8974: remove unsupported clock mode
        ASoC: wm8974: fix Boost Mixer Aux Switch
        ASoC: SOF: core: fix null-ptr-deref bug during device removal
        ASoc: codecs: max98373: remove Idle_bias_on to let codec suspend
        ASoC: codecs: max98373: Removed superfluous volume control from chip default
        ASoC: topology: fix tlvs in error handling for widget_dmixer
        ASoC: topology: fix kernel oops on route addition error
        ASoC: SOF: imx: add min/max channels for SAI/ESAI on i.MX8/i.MX8M
        ASoC: Intel: bdw-rt5677: fix non BE conversion
        ASoC: soc-dai: set dai_link dpcm_ flags with a helper
        MAINTAINERS: Add Shengjiu to reviewer list of sound/soc/fsl
        ASoC: core: Remove only the registered component in devm functions
        MAINTAINERS: Change Maintainer for some at91 drivers
        ASoC: dt-bindings: simple-card: Fix 'make dt_binding_check' warnings
        ...
      8c26c87b
    • Thomas Richter's avatar
      s390/cpum_cf,perf: change DFLT_CCERROR counter name · 3d3af181
      Thomas Richter authored
      Change the counter name DLFT_CCERROR to DLFT_CCFINISH on IBM z15.
      This counter counts completed DEFLATE instructions with exit code
      0, 1 or 2. Since exit code 0 means success and exit code 1 or 2
      indicate errors, change the counter name to avoid confusion.
      This counter is incremented each time the DEFLATE instruction
      completed regardless if an error was detected or not.
      
      Fixes: d68d5d51 ("s390/cpum_cf: Add new extended counters for IBM z15")
      Fixes: e7950166 ("perf vendor events s390: Add new deflate counters for IBM z15")
      Cc: stable@vger.kernel.org # v5.7
      Signed-off-by: default avatarThomas Richter <tmricht@linux.ibm.com>
      Reviewed-by: default avatarSumanth Korikkar <sumanthk@linux.ibm.com>
      Signed-off-by: default avatarHeiko Carstens <hca@linux.ibm.com>
      3d3af181
    • Ilya Ponetayev's avatar
      exfat: fix name_hash computation on big endian systems · db415f7a
      Ilya Ponetayev authored
      On-disk format for name_hash field is LE, so it must be explicitly
      transformed on BE system for proper result.
      
      Fixes: 370e812b ("exfat: add nls operations")
      Cc: stable@vger.kernel.org # v5.7
      Signed-off-by: default avatarChen Minqiang <ptpt52@gmail.com>
      Signed-off-by: default avatarIlya Ponetayev <i.ponetaev@ndmsystems.com>
      Reviewed-by: default avatarSungjong Seo <sj1557.seo@samsung.com>
      Signed-off-by: default avatarNamjae Jeon <namjae.jeon@samsung.com>
      db415f7a
    • Hyeongseok Kim's avatar
      exfat: fix wrong size update of stream entry by typo · 41e3928f
      Hyeongseok Kim authored
      The stream.size field is updated to the value of create timestamp
      of the file entry. Fix this to use correct stream entry pointer.
      
      Fixes: 29bbb14b ("exfat: fix incorrect update of stream entry in __exfat_truncate()")
      Signed-off-by: default avatarHyeongseok Kim <hyeongseok@gmail.com>
      Signed-off-by: default avatarNamjae Jeon <namjae.jeon@samsung.com>
      41e3928f
    • Namjae Jeon's avatar
      exfat: fix wrong hint_stat initialization in exfat_find_dir_entry() · d2fa0c33
      Namjae Jeon authored
      We found the wrong hint_stat initialization in exfat_find_dir_entry().
      It should be initialized when cluster is EXFAT_EOF_CLUSTER.
      
      Fixes: ca061973 ("exfat: add directory operations")
      Cc: stable@vger.kernel.org # v5.7
      Reviewed-by: default avatarSungjong Seo <sj1557.seo@samsung.com>
      Signed-off-by: default avatarNamjae Jeon <namjae.jeon@samsung.com>
      d2fa0c33
    • Namjae Jeon's avatar
      exfat: fix overflow issue in exfat_cluster_to_sector() · 43946b70
      Namjae Jeon authored
      An overflow issue can occur while calculating sector in
      exfat_cluster_to_sector(). It needs to cast clus's type to sector_t
      before left shifting.
      
      Fixes: 1acf1a56 ("exfat: add in-memory and on-disk structures and headers")
      Cc: stable@vger.kernel.org # v5.7
      Reviewed-by: default avatarSungjong Seo <sj1557.seo@samsung.com>
      Signed-off-by: default avatarNamjae Jeon <namjae.jeon@samsung.com>
      43946b70
  5. 20 Jul, 2020 3 commits