From 30c97ad161dd88baf935d8aa97084dcae0fa8ae0 Mon Sep 17 00:00:00 2001 From: "zhangyi (F)" Date: Wed, 3 Jan 2024 17:22:56 +0800 Subject: [PATCH] jffs2: move jffs2_init_inode_info() just after allocating inode hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8TC11 CVE: NA --------------------------- After commit 4fdcfab5b553 ("jffs2: fix use-after-free on symlink traversal"), it expose a freeing uninitialized memory problem due to this commit move the operaion of freeing f->target to jffs2_i_callback(), which may not be initialized in some error path of allocating jffs2 inode (eg: jffs2_iget()->iget_locked()-> destroy_inode()->..->jffs2_i_callback()->kfree(f->target)). Fix this by initialize the jffs2_inode_info just after allocating it. Signed-off-by: zhangyi (F) Conflicts: fs/jffs2/super.c Signed-off-by: ZhaoLong Wang --- fs/jffs2/fs.c | 2 -- fs/jffs2/super.c | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c index 0403efab4089..6bd79128404b 100644 --- a/fs/jffs2/fs.c +++ b/fs/jffs2/fs.c @@ -271,7 +271,6 @@ struct inode *jffs2_iget(struct super_block *sb, unsigned long ino) f = JFFS2_INODE_INFO(inode); c = JFFS2_SB_INFO(inode->i_sb); - jffs2_init_inode_info(f); mutex_lock(&f->sem); ret = jffs2_do_read_inode(c, f, inode->i_ino, &latest_node); @@ -439,7 +438,6 @@ struct inode *jffs2_new_inode (struct inode *dir_i, umode_t mode, struct jffs2_r return ERR_PTR(-ENOMEM); f = JFFS2_INODE_INFO(inode); - jffs2_init_inode_info(f); mutex_lock(&f->sem); memset(ri, 0, sizeof(*ri)); diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c index 7ea37f49f1e1..4b3f0fcdeab5 100644 --- a/fs/jffs2/super.c +++ b/fs/jffs2/super.c @@ -42,6 +42,8 @@ static struct inode *jffs2_alloc_inode(struct super_block *sb) f = alloc_inode_sb(sb, jffs2_inode_cachep, GFP_KERNEL); if (!f) return NULL; + + jffs2_init_inode_info(f); return &f->vfs_inode; } -- Gitee