Commit ff812e19 authored by Matthew Wilcox (Oracle), committed by Wang Zhaolong

ubifs: Set page uptodate in the correct place

stable inclusion
from stable-v5.10.215
commit 8f599ab6fabbca4c741107eade70722a98adfd9f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q97O
CVE: CVE-2024-35821

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8f599ab6fabbca4c741107eade70722a98adfd9f



--------------------------------

[ Upstream commit 723012cab779eee8228376754e22c6594229bf8f ]

Page cache reads are lockless, so setting the freshly allocated page
uptodate before we've overwritten it with the data it's supposed to have
in it will allow a simultaneous reader to see old data.  Move the call
to SetPageUptodate into ubifs_write_end(), which is after we copied the
new data into the page.

Fixes: 1e51764a ("UBIFS: add new flash file system")
Cc: stable@vger.kernel.org
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Wang Zhaolong <wangzhaolong1@huawei.com>
parent 87d5a74b
+4 −9
@@ -262,9 +262,6 @@ static int write_begin_slow(struct address_space *mapping,
				return err;
			}
		}

		SetPageUptodate(page);
		ClearPageError(page);
	}

	if (PagePrivate(page))
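Review bot: in write_begin_slow() the hunk header (9 lines down to 6) means `ClearPageError(page);` is dropped together with `SetPageUptodate(page);`, but the commit message only explains the uptodate move. Please state in the message why clearing the error flag here is no longer needed, or keep `ClearPageError(page);` if a page that previously failed a read can still reach this point with the flag set.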
@@ -463,9 +460,6 @@ static int ubifs_write_begin(struct file *file, struct address_space *mapping,
				return err;
			}
		}

		SetPageUptodate(page);
		ClearPageError(page);
	}

	err = allocate_budget(c, page, ui, appending);
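Review bot: at the spot in ubifs_write_begin() where `SetPageUptodate(page);` used to sit, nothing now tells a reader that the page is deliberately left not uptodate when the read was skipped. A one-line comment here pointing at ubifs_write_end() as the place the flag is set, and naming lockless page cache readers as the reason, would keep someone from restoring the call later.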
@@ -475,10 +469,8 @@ static int ubifs_write_begin(struct file *file, struct address_space *mapping,
		 * If we skipped reading the page because we were going to
		 * write all of it, then it is not up to date.
		 */
		if (skipped_read) {
		if (skipped_read)
			ClearPageChecked(page);
			ClearPageUptodate(page);
		}
		/*
		 * Budgeting failed which means it would have to force
		 * write-back but didn't, because we set the @fast flag in the
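Review bot: the comment kept above `if (skipped_read)` still says only that the page "is not up to date", while the one remaining statement is `ClearPageChecked(page);` now that `ClearPageUptodate(page);` is gone. Reword the comment to say why the Checked flag has to be cleared on this budgeting-failure path, and that the uptodate flag needs no undo because it is no longer set in write_begin.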
@@ -569,6 +561,9 @@ static int ubifs_write_end(struct file *file, struct address_space *mapping,
		goto out;
	}

	if (len == PAGE_SIZE)
		SetPageUptodate(page);

	if (!PagePrivate(page)) {
		attach_page_private(page, (void *)1);
		atomic_long_inc(&c->dirty_pg_cnt);
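Review bot: `if (len == PAGE_SIZE)` in ubifs_write_end() tests the requested length, not the number of bytes actually copied, so its correctness depends on the branch above that ends in `goto out;` having already caught every short copy. Please add a comment stating that invariant (or also check the copied byte count), and confirm that a partial-page write (len < PAGE_SIZE) always arrives here with the page already marked uptodate by the read done in write_begin, since this is the only SetPageUptodate call left in the lines this diff shows.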