exfat: fix the new buffer was not zeroed before writing

Before writing, if a buffer_head marked as new, its data must
be zeroed, otherwise uninitialized data in the page cache will
be written.

So this commit uses folio_zero_new_buffers() to zero the new
buffers before ->write_end().

Fixes: 6630ea49103c ("exfat: move extend valid_size into ->page_mkwrite()")
Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=91ae49e1c1a2634d20c0
Tested-by: [email protected]
Signed-off-by: Yuezhang Mo <[email protected]>
Reviewed-by: Sungjong Seo <[email protected]>
Signed-off-by: Namjae Jeon <[email protected]>

diff --git a/fs/exfat/file.c b/fs/exfat/file.c
index fb38769c3e39d1456b95dae2aca6b4ea7bc3d22b..05b51e7217838f04fc4836a170b2b9743ecbf16c 100644 (file)
--- a/fs/exfat/file.c
+++ b/fs/exfat/file.c
@@ -545,6 +545,7 @@ static int exfat_extend_valid_size(struct file *file, loff_t new_valid_size)
        while (pos < new_valid_size) {
                u32 len;
                struct folio *folio;
+               unsigned long off;
 
                len = PAGE_SIZE - (pos & (PAGE_SIZE - 1));
                if (pos + len > new_valid_size)
@@ -554,6 +555,9 @@ static int exfat_extend_valid_size(struct file *file, loff_t new_valid_size)
                if (err)
                        goto out;
 
+               off = offset_in_folio(folio, pos);
+               folio_zero_new_buffers(folio, off, off + len);
+
                err = ops->write_end(file, mapping, pos, len, len, folio, NULL);
                if (err < 0)
                        goto out;
@@ -563,6 +567,8 @@ static int exfat_extend_valid_size(struct file *file, loff_t new_valid_size)
                cond_resched();
        }
 
+       return 0;
+
 out:
        return err;
 }