From d141e72aeffc5f1a4b2f2e144b683bf57d0d12d0 Mon Sep 17 00:00:00 2001
From: Yuezhang Mo
Date: Thu, 12 Dec 2024 16:29:23 +0800
Subject: [PATCH] exfat: fix the new buffer was not zeroed before writing

In exfat, not only the newly allocated space will be mapped as the new buffer, but also the space between ->valid_size and the file size will be mapped as the new buffer. If the buffer is mapped as new in ->write_begin(), it will be zeroed. But if the buffer has been mapped as new before ->write_begin(), ->write_begin() will not zero them, resulting in access to uninitialized data. So this commit uses folio_zero_new_buffers() to zero the new buffers after ->write_begin().

Fixes: 6630ea49103c ("exfat: move extend valid_size into ->page_mkwrite()")
Reported-by: syzbot+91ae49e1c1a2634d20c0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=91ae49e1c1a2634d20c0
Tested-by: syzbot+91ae49e1c1a2634d20c0@syzkaller.appspotmail.com
Signed-off-by: Yuezhang Mo
Signed-off-by: Namjae Jeon
---
 fs/exfat/file.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/exfat/file.c b/fs/exfat/file.c
index fb38769c3e39..05b51e721783 100644
--- a/fs/exfat/file.c
+++ b/fs/exfat/file.c
@@ -545,6 +545,7 @@ static int exfat_extend_valid_size(struct file *file, loff_t new_valid_size)
 	while (pos < new_valid_size) {
 		u32 len;
 		struct folio *folio;
+		unsigned long off;
 
 		len = PAGE_SIZE - (pos & (PAGE_SIZE - 1));
 		if (pos + len > new_valid_size)
@@ -554,6 +555,9 @@ static int exfat_extend_valid_size(struct file *file, loff_t new_valid_size)
 		if (err)
 			goto out;
 
+		off = offset_in_folio(folio, pos);
+		folio_zero_new_buffers(folio, off, off + len);
+
 		err = ops->write_end(file, mapping, pos, len, len, folio, NULL);
 		if (err < 0)
 			goto out;
@@ -563,6 +567,8 @@ static int exfat_extend_valid_size(struct file *file, loff_t new_valid_size)
 		cond_resched();
 	}
 
+	return 0;
+
 out:
 	return err;
 }
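Review bot: The `folio_zero_new_buffers(folio, off, off + len);` call added in the second hunk needs a why-comment, because a reader who knows ->write_begin() already zeroes buffers it maps as new will take the call for redundant and may remove it later; the reasoning from the description belongs beside the code, e.g. `/* write_begin() zeroes only buffers it maps new itself; buffers already mapped new between valid_size and i_size still hold stale data and must be zeroed here before write_end() */`. The `return 0;` added in the third hunk also changes the success return value if, as the visible `err = ops->write_end(...)` assignment suggests, err held write_end's positive byte count when the loop ended; the description does not mention this, and one sentence there would save reviewers from wondering whether it is an unrelated fix. exfat_extend_valid_size() begins before the first hunk, so the declaration and initial value of err are outside the view.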