From 48ec6328de6c153a64474d9e5b6ec95f20f4142b Mon Sep 17 00:00:00 2001
From: Yang Li <yang.lee@linux.alibaba.com>
Date: Wed, 12 Jul 2023 15:46:37 +0800
Subject: ubifs: Fix some kernel-doc comments

Add description of @time and @flags in ubifs_update_time().

to silence the warnings:
fs/ubifs/file.c:1383: warning: Function parameter or member 'time' not described in 'ubifs_update_time'
fs/ubifs/file.c:1383: warning: Function parameter or member 'flags' not described in 'ubifs_update_time'

Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=5848
Signed-off-by: Yang Li <yang.lee@linux.alibaba.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
---
 fs/ubifs/file.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'fs/ubifs')

diff --git a/fs/ubifs/file.c b/fs/ubifs/file.c
index e5382f0b2587..3345be5edb9f 100644
--- a/fs/ubifs/file.c
+++ b/fs/ubifs/file.c
@@ -1375,6 +1375,9 @@ static inline int mctime_update_needed(const struct inode *inode,
 /**
  * ubifs_update_time - update time of inode.
  * @inode: inode to update
+ * @time:  timespec structure to hold the current time value
+ * @flags: time updating control flag determines updating
+ *	    which time fields of @inode
  *
  * This function updates time of the inode.
  */
-- 
cgit 


From f4a04c97fb3b7edd7694e725b7dcf0d6901ebcdd Mon Sep 17 00:00:00 2001
From: Vincent Whitchurch <vincent.whitchurch@axis.com>
Date: Tue, 18 Jul 2023 14:41:45 +0200
Subject: ubifs: Fix memory leak of bud->log_hash

Ensure that the allocated bud->log_hash (if any) is freed in all cases
when the bud itself is freed, to fix this leak caught by kmemleak:

 # keyctl add logon foo:bar data @s
 # echo clear > /sys/kernel/debug/kmemleak
 # mount -t ubifs /dev/ubi0_0 mnt -o auth_hash_name=sha256,auth_key=foo:bar
 # echo a > mnt/x
 # umount mnt
 # mount -t ubifs /dev/ubi0_0 mnt -o auth_hash_name=sha256,auth_key=foo:bar
 # umount mnt
 # sleep 5
 # echo scan > /sys/kernel/debug/kmemleak
 # echo scan > /sys/kernel/debug/kmemleak
 # cat /sys/kernel/debug/kmemleak
 unreferenced object 0xff... (size 128):
   comm "mount"
   backtrace:
     __kmalloc
     __ubifs_hash_get_desc+0x5d/0xe0 ubifs
     ubifs_replay_journal
     ubifs_mount
     ...

Fixes: da8ef65f9573 ("ubifs: Authenticate replayed journal")
Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
---
 fs/ubifs/super.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'fs/ubifs')

diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
index b08fb28d16b5..610dddc68eba 100644
--- a/fs/ubifs/super.c
+++ b/fs/ubifs/super.c
@@ -923,8 +923,10 @@ static void free_buds(struct ubifs_info *c)
 {
 	struct ubifs_bud *bud, *n;
 
-	rbtree_postorder_for_each_entry_safe(bud, n, &c->buds, rb)
+	rbtree_postorder_for_each_entry_safe(bud, n, &c->buds, rb) {
+		kfree(bud->log_hash);
 		kfree(bud);
+	}
 }
 
 /**
@@ -1193,6 +1195,7 @@ static void destroy_journal(struct ubifs_info *c)
 
 		bud = list_entry(c->old_buds.next, struct ubifs_bud, list);
 		list_del(&bud->list);
+		kfree(bud->log_hash);
 		kfree(bud);
 	}
 	ubifs_destroy_idx_gc(c);
-- 
cgit 


From 60f2f4a81d486348587a6901e744ca8f22dd9637 Mon Sep 17 00:00:00 2001
From: Ferry Meng <mengferry@linux.alibaba.com>
Date: Fri, 18 Aug 2023 17:18:48 +0800
Subject: ubifs: Fix missing error code err

Fix smatch warning:

fs/ubifs/journal.c:1610 ubifs_jnl_truncate() warn: missing error code
'err'

Signed-off-by: Ferry Meng <mengferry@linux.alibaba.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
---
 fs/ubifs/journal.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'fs/ubifs')

diff --git a/fs/ubifs/journal.c b/fs/ubifs/journal.c
index ffc9beee7be6..e6cceeb8573b 100644
--- a/fs/ubifs/journal.c
+++ b/fs/ubifs/journal.c
@@ -1607,6 +1607,7 @@ int ubifs_jnl_truncate(struct ubifs_info *c, const struct inode *inode,
 				ubifs_err(c, "bad data node (block %u, inode %lu)",
 					  blk, inode->i_ino);
 				ubifs_dump_node(c, dn, dn_size);
+				err = -EUCLEAN;
 				goto out_free;
 			}
 
-- 
cgit 


From d81efd66106c03771ffc8637855a6ec24caa6350 Mon Sep 17 00:00:00 2001
From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Date: Tue, 5 Sep 2023 18:12:22 +0800
Subject: ubifs: fix possible dereference after free

'old_idx' could be dereferenced after free via 'rb_link_node' function
call.

Fixes: b5fda08ef213 ("ubifs: Fix memleak when insert_old_idx() failed")
Co-developed-by: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com>
Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
---
 fs/ubifs/tnc.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'fs/ubifs')

diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c
index 6b7d95b65f4b..f4728e65d1bd 100644
--- a/fs/ubifs/tnc.c
+++ b/fs/ubifs/tnc.c
@@ -65,6 +65,7 @@ static void do_insert_old_idx(struct ubifs_info *c,
 		else {
 			ubifs_err(c, "old idx added twice!");
 			kfree(old_idx);
+			return;
 		}
 	}
 	rb_link_node(&old_idx->rb, parent, p);
-- 
cgit 


From 75690493591fe283e4c92a3ba7c4420e9858abdb Mon Sep 17 00:00:00 2001
From: Zhihao Cheng <chengzhihao1@huawei.com>
Date: Sat, 23 Sep 2023 11:28:59 +0800
Subject: ubifs: ubifs_link: Fix wrong name len calculating when UBIFS is
 encrypted

The length of dentry name is calculated after the raw name is encrypted,
except for ubifs_link(), which could make the size of dir underflow.
Here is a reproducer:

 touch $TMP/file
 mkdir $TMP/dir
 stat $TMP/dir
 for i in $(seq 1 8)
 do
   ln $TMP/file $TMP/dir/$i
   unlink $TMP/dir/$i
 done
 stat $TMP/dir

The size of dir will be underflow(-96).

Fix it by calculating dentry name's length after the name is encrypted.

Fixes: f4f61d2cc6d8 ("ubifs: Implement encrypted filenames")
Reported-by: Roland Ruckerbauer <roland.ruckerbauer@robart.cc>
Link: https://lore.kernel.org/linux-mtd/1638777819.2925845.1695222544742.JavaMail.zimbra@robart.cc/T/#u
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
---
 fs/ubifs/dir.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'fs/ubifs')

diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
index 2f48c58d47cd..5dc1ac4d826d 100644
--- a/fs/ubifs/dir.c
+++ b/fs/ubifs/dir.c
@@ -724,7 +724,7 @@ static int ubifs_link(struct dentry *old_dentry, struct inode *dir,
 	struct inode *inode = d_inode(old_dentry);
 	struct ubifs_inode *ui = ubifs_inode(inode);
 	struct ubifs_inode *dir_ui = ubifs_inode(dir);
-	int err, sz_change = CALC_DENT_SIZE(dentry->d_name.len);
+	int err, sz_change;
 	struct ubifs_budget_req req = { .new_dent = 1, .dirtied_ino = 2,
 				.dirtied_ino_d = ALIGN(ui->data_len, 8) };
 	struct fscrypt_name nm;
@@ -748,6 +748,8 @@ static int ubifs_link(struct dentry *old_dentry, struct inode *dir,
 	if (err)
 		return err;
 
+	sz_change = CALC_DENT_SIZE(fname_len(&nm));
+
 	err = dbg_check_synced_i_size(c, inode);
 	if (err)
 		goto out_fname;
-- 
cgit