This is a note to let you know that I've just added the patch titled

    udf: Avoid using stale lengthOfImpUse

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     udf-avoid-using-stale-lengthofimpuse.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From c1ad35dd0548ce947d97aaf92f7f2f9a202951cf Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@xxxxxxx>
Date: Tue, 10 May 2022 12:36:04 +0200
Subject: udf: Avoid using stale lengthOfImpUse

From: Jan Kara <jack@xxxxxxx>

commit c1ad35dd0548ce947d97aaf92f7f2f9a202951cf upstream.

udf_write_fi() uses lengthOfImpUse of the entry it is writing to. However
this field has not yet been initialized so it either contains a completely
bogus value or the value from the last directory entry at that place. In
either case this is wrong and can lead to filesystem corruption or kernel
crashes.

Reported-by: butt3rflyh4ck <butterflyhuangxx@xxxxxxxxx>
CC: stable@xxxxxxxxxxxxxxx
Fixes: 979a6e28dd96 ("udf: Get rid of 0-length arrays in struct fileIdentDesc")
Signed-off-by: Jan Kara <jack@xxxxxxx>
[ This patch deviates from the original upstream patch because in the
  original upstream patch, udf_get_fi_ident(sfi) was being used instead
  of (uint8_t *)sfi->fileIdent + liu as the first arg to memcpy at line
  77 and line 81. Those subsequent lines have been replaced with what
  the upstream patch passes in to memcpy. ]
Signed-off-by: Nobel Barakat <nobelbarakat@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/udf/namei.c |    9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/fs/udf/namei.c
+++ b/fs/udf/namei.c
@@ -75,12 +75,11 @@ int udf_write_fi(struct inode *inode, st if (fileident) { if (adinicb || (offset + lfi < 0)) { - memcpy((uint8_t *)sfi->fileIdent + liu, fileident, lfi); + memcpy(sfi->impUse + liu, fileident, lfi); } else if (offset >= 0) { memcpy(fibh->ebh->b_data + offset, fileident, lfi); } else { - memcpy((uint8_t *)sfi->fileIdent + liu, fileident, - -offset); + memcpy(sfi->impUse + liu, fileident, -offset); memcpy(fibh->ebh->b_data, fileident - offset, lfi + offset); } @@ -89,11 +88,11 @@ int udf_write_fi(struct inode *inode, st offset += lfi; if (adinicb || (offset + padlen < 0)) { - memset((uint8_t *)sfi->padding + liu + lfi, 0x00, padlen); + memset(sfi->impUse + liu + lfi, 0x00, padlen); } else if (offset >= 0) { memset(fibh->ebh->b_data + offset, 0x00, padlen); } else { - memset((uint8_t *)sfi->padding + liu + lfi, 0x00, -offset); + memset(sfi->impUse + liu + lfi, 0x00, -offset); memset(fibh->ebh->b_data, 0x00, padlen + offset); } Patches currently in stable-queue which might be from jack@xxxxxxx are queue-5.10/udf-avoid-using-stale-lengthofimpuse.patch
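Review bot: in the @@ -75 hunk the lines being removed, `memcpy((uint8_t *)sfi->fileIdent + liu, fileident, lfi);` and the two-line `-offset` variant, do not visibly read lengthOfImpUse at all; they index `sfi->fileIdent` by the caller's `liu`, whereas the commit message describes a stale `lengthOfImpUse` being consulted and the backport note says upstream's removed lines used `udf_get_fi_ident(sfi)`. The backporter should confirm that in 5.10 `sfi->fileIdent` really depends on `lengthOfImpUse` (i.e. that the bug exists in this tree), and if it does not, say so in the bracketed note so this reads as an alignment with upstream rather than a fix. Either way, a one-line comment above the first changed memcpy, e.g. `/* lengthOfImpUse is not set yet; address via caller's liu */`, would stop a later cleanup from turning `sfi->impUse + liu` back into a descriptor-derived pointer. The unchanged middle branch writing to `fibh->ebh->b_data + offset` is fine, since it never addresses through sfi.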
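Review bot: the bracketed backport note only accounts for the memcpy deviations at lines 77 and 81, but the two memset lines in the @@ -89 hunk deviate in the same way (the removed base is `(uint8_t *)sfi->padding + liu + lfi`, the new one is `sfi->impUse + liu + lfi`), so please extend the note to say the memset changes were adapted identically. It is worth a sentence that the old code addressed padding through `sfi->padding` while the identifier went through `sfi->fileIdent`, and that after this hunk every in-descriptor write uses the single base `sfi->impUse` plus the caller's `liu`/`lfi`; that is the invariant a reviewer of a future struct change needs to preserve. The `padlen + offset` length in the spill-over memset is untouched and still consistent with the `lfi + offset` memcpy above it.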
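To make the failure mode in the commit message concrete, here is an added, self-contained C illustration. It is not kernel code and not part of this patch: struct fid_hdr is a deliberately simplified stand-in for struct fileIdentDesc with an assumed layout, and SLOT_SIZE, write_fi, demo_offset and the sample values (an old entry that left lengthOfImpUse = 48, or a bogus 0xFFFF, in the slot) are constructed for the demo. It writes a new entry whose real liu is 0 into that slot and reports where the identifier lands when the position is taken from the not-yet-written field versus from the caller's liu, which is what the hunk switches to.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the kernel's struct fileIdentDesc. Assumed layout
 * for this demo only; the real descriptor also carries a tag, version, ICB... */
struct fid_hdr {
    uint8_t  lengthFileIdent;
    uint16_t lengthOfImpUse;  /* __le16 on disk; host-endian here */
    uint8_t  impUse[];        /* impUse bytes, then the identifier, then padding */
};

#define SLOT_SIZE 64          /* size of the directory slot we write into (assumed) */

/* Write a new entry into 'slot'. Returns the offset, relative to impUse, at
 * which the file identifier was placed, or -1 if the write would run past the
 * slot. use_stale selects the buggy computation: deriving the position from
 * sfi->lengthOfImpUse before that field has been written for this entry. */
static long write_fi(uint8_t *slot, size_t slot_len,
                     const uint8_t *impuse, size_t liu,
                     const char *fileident, size_t lfi, int use_stale)
{
    struct fid_hdr *sfi = (struct fid_hdr *)slot;
    size_t off = use_stale ? sfi->lengthOfImpUse   /* whatever the slot held before */
                           : liu;                  /* caller-supplied, as in the fix */
    size_t hdr = offsetof(struct fid_hdr, impUse);

    /* Bounds check so the demo stays memory-safe. udf_write_fi has no such
     * guard against a bogus length, hence "corruption or kernel crashes". */
    if (hdr + off + lfi > slot_len)
        return -1;

    memcpy(sfi->impUse, impuse, liu);
    memcpy(sfi->impUse + off, fileident, lfi);
    /* Only now are the length fields valid for this entry. */
    sfi->lengthOfImpUse = (uint16_t)liu;
    sfi->lengthFileIdent = (uint8_t)lfi;
    return (long)off;
}

/* Simulate a slot whose previous occupant left 'stale_liu' in lengthOfImpUse,
 * then write a new entry with no impUse (liu = 0) and a 5-byte identifier. */
static long demo_offset(uint16_t stale_liu, int use_stale)
{
    static const uint8_t no_impuse[1] = {0};  /* valid pointer for a 0-byte copy */
    uint8_t slot[SLOT_SIZE];

    memset(slot, 0xAA, sizeof slot);          /* leftover bytes from the old entry */
    ((struct fid_hdr *)slot)->lengthOfImpUse = stale_liu;
    return write_fi(slot, sizeof slot, no_impuse, 0, "a.txt", 5, use_stale);
}

int main(void)
{
    printf("fixed, old entry had liu 48 : identifier at impUse+%ld\n", demo_offset(48, 0));
    printf("stale, old entry had liu 48 : identifier at impUse+%ld\n", demo_offset(48, 1));
    printf("stale, slot holds 0xFFFF    : %ld (write refused)\n", demo_offset(0xFFFF, 1));
    printf("fixed, slot holds 0xFFFF    : identifier at impUse+%ld\n", demo_offset(0xFFFF, 0));
    return 0;
}
```

With a leftover value of 48 the buggy computation silently places the identifier 48 bytes too far in, which is the on-disk corruption case; with a bogus value the demo's bounds check refuses the write, where the real function would simply write out of bounds.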