Commit 98e2fb26 authored Dec 12, 2024 by Yuezhang Mo Committed by Namjae Jeon Dec 31, 2024

exfat: fix the new buffer was not zeroed before writing



Before writing, if a buffer_head marked as new, its data must
be zeroed, otherwise uninitialized data in the page cache will
be written.

So this commit uses folio_zero_new_buffers() to zero the new
buffers before ->write_end().

Fixes: 6630ea49 ("exfat: move extend valid_size into ->page_mkwrite()")
Reported-by:  <syzbot+91ae49e1c1a2634d20c0@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=91ae49e1c1a2634d20c0


Tested-by:  <syzbot+91ae49e1c1a2634d20c0@syzkaller.appspotmail.com>
Signed-off-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
Reviewed-by: Sungjong Seo <sj1557.seo@samsung.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>

parent fee87376

fs/exfat/file.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -545,6 +545,7 @@ static int exfat_extend_valid_size(struct file *file, loff_t new_valid_size)
		while (pos < new_valid_size) {
		u32 len;
		struct folio *folio;
		unsigned long off;

		len = PAGE_SIZE - (pos & (PAGE_SIZE - 1));
		if (pos + len > new_valid_size)
		@@ -554,6 +555,9 @@ static int exfat_extend_valid_size(struct file *file, loff_t new_valid_size)
		if (err)
		goto out;

		off = offset_in_folio(folio, pos);
		folio_zero_new_buffers(folio, off, off + len);

		err = ops->write_end(file, mapping, pos, len, len, folio, NULL);
		if (err < 0)
		goto out;
		@@ -563,6 +567,8 @@ static int exfat_extend_valid_size(struct file *file, loff_t new_valid_size)
		cond_resched();
		}

		return 0;

		out:
		return err;
		}