From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Norbert Manthey, Kees Cook, Sasha Levin
Subject: [PATCH 4.19 165/190] pstore: Fix double-free in pstore_mkfile() failure path
Date: Fri, 13 Sep 2019 14:07:00 +0100
Message-Id: <20190913130613.086119385@linuxfoundation.org>
In-Reply-To: <20190913130559.669563815@linuxfoundation.org>
References: <20190913130559.669563815@linuxfoundation.org>
X-Mailing-List: stable@vger.kernel.org

[ Upstream commit 4c6d80e1144bdf48cae6b602ae30d41f3e5c76a9 ]

The pstore_mkfile() function is passed a pointer to a struct
pstore_record. On success it consumes this 'record' pointer and
references it from the created inode.

On failure, however, it may or may not free the record. There are even
two different code paths which return -ENOMEM -- one of which does and
the other doesn't free the record.

Make the behaviour deterministic by never consuming and freeing the
record when returning failure, allowing the caller to do the cleanup
consistently.

Signed-off-by: Norbert Manthey
Link: https://lore.kernel.org/r/1562331960-26198-1-git-send-email-nmanthey@amazon.de
Fixes: 83f70f0769ddd ("pstore: Do not duplicate record metadata")
Fixes: 1dfff7dd67d1a ("pstore: Pass record contents instead of copying")
Cc: stable@vger.kernel.org
[kees: also move "private" allocation location, rename inode cleanup label]
Signed-off-by: Kees Cook
Signed-off-by: Sasha Levin
---
 fs/pstore/inode.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/fs/pstore/inode.c b/fs/pstore/inode.c
index 8cf2218b46a75..6f90d91a8733a 100644
--- a/fs/pstore/inode.c
+++ b/fs/pstore/inode.c
@@ -330,10 +330,6 @@ int pstore_mkfile(struct dentry *root, struct pstore_record *record) goto fail; inode->i_mode = S_IFREG | 0444; inode->i_fop = &pstore_file_operations; - private = kzalloc(sizeof(*private), GFP_KERNEL); - if (!private) - goto fail_alloc; - private->record = record; switch (record->type) { case PSTORE_TYPE_DMESG: @@ -383,12 +379,16 @@ int pstore_mkfile(struct dentry *root, struct pstore_record *record) break; } + private = kzalloc(sizeof(*private), GFP_KERNEL); + if (!private) + goto fail_inode; + dentry = d_alloc_name(root, name); if (!dentry) goto fail_private; + private->record = record; inode->i_size = private->total_size = size; - inode->i_private = private; if (record->time.tv_sec) @@ -404,7 +404,7 @@ int pstore_mkfile(struct dentry *root, struct pstore_record *record) fail_private: free_pstore_private(private); -fail_alloc: +fail_inode: iput(inode); fail: -- 2.20.1
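Review bot: in the hunk at @@ -383,12 +379,16 @@, the line `inode->i_private = private;` is deleted and no other hunk in this patch adds it back, so after the change nothing visible in the patch stores the private pointer on the inode; the commit message only describes making the failure-path cleanup deterministic, not dropping that assignment, so if this deletion is a backport artifact the line should stay as unchanged context right after `inode->i_size = private->total_size = size;`. The rest of the hunk is the actual fix: `private` is now zero-allocated after the name is built and `private->record = record;` is assigned only once `d_alloc_name()` has succeeded, so a `goto fail_private` runs with `private->record` still NULL and the caller keeps ownership of the record on every failure return.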
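Review bot: in the hunk at @@ -404,7 +404,7 @@, renaming `fail_alloc:` to `fail_inode:` correctly describes what that label does (`iput(inode)`), but the unchanged `fail_private:` path still calls `free_pstore_private(private)`, which with the new ordering is reached while `private->record` holds the zeroed value from kzalloc(); the commit message should state that free_pstore_private() tolerates a NULL record, since that is what keeps the record alive for the caller. The new ownership rule, that pstore_mkfile() consumes the record only on success and every caller must free it on failure, also deserves a comment above the function so future callers do not rely on the old mixed behaviour.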