exfat: fix the infinite loop in __exfat_free_cluster()

In __exfat_free_cluster(), the cluster chain is traversed until the
EOF cluster. If the cluster chain includes a loop due to file system
corruption, the EOF cluster cannot be traversed, resulting in an
infinite loop.

This commit uses the total number of clusters to prevent this infinite
loop.

Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=1de5a37cb85a2d536330
Tested-by: [email protected]
Fixes: 31023864e67a ("exfat: add fat entry operations")
Signed-off-by: Yuezhang Mo <[email protected]>
Reviewed-by: Sungjong Seo <[email protected]>
Signed-off-by: Namjae Jeon <[email protected]>

diff --git a/fs/exfat/fatent.c b/fs/exfat/fatent.c
index 773c320d68f3f2bb2d0de9a051cdbb3de9e132eb..9e5492ac409b07485e276a99ddcd98afc2dd5639 100644 (file)
--- a/fs/exfat/fatent.c
+++ b/fs/exfat/fatent.c
@@ -216,6 +216,16 @@ static int __exfat_free_cluster(struct inode *inode, struct exfat_chain *p_chain
 
                        if (err)
                                goto dec_used_clus;
+
+                       if (num_clusters >= sbi->num_clusters - EXFAT_FIRST_CLUSTER) {
+                               /*
+                                * The cluster chain includes a loop, scan the
+                                * bitmap to get the number of used clusters.
+                                */
+                               exfat_count_used_clusters(sb, &sbi->used_clusters);
+
+                               return 0;
+                       }
                } while (clu != EXFAT_EOF_CLUSTER);
        }