linux/fs/ubifs
Zhihao Cheng 40a8f0d5e7 ubifs: rename_whiteout: Fix double free for whiteout_ui->data
'whiteout_ui->data' will be freed twice if space budget fails for the
rename whiteout operation, as in the following process:

rename_whiteout
  dev = kmalloc
  whiteout_ui->data = dev
  kfree(whiteout_ui->data)  // Free first time
  iput(whiteout)
    ubifs_free_inode
      kfree(ui->data)	    // Double free!

KASAN reports:
==================================================================
BUG: KASAN: double-free or invalid-free in ubifs_free_inode+0x4f/0x70
Call Trace:
  kfree+0x117/0x490
  ubifs_free_inode+0x4f/0x70 [ubifs]
  i_callback+0x30/0x60
  rcu_do_batch+0x366/0xac0
  __do_softirq+0x133/0x57f

Allocated by task 1506:
  kmem_cache_alloc_trace+0x3c2/0x7a0
  do_rename+0x9b7/0x1150 [ubifs]
  ubifs_rename+0x106/0x1f0 [ubifs]
  do_syscall_64+0x35/0x80

Freed by task 1506:
  kfree+0x117/0x490
  do_rename.cold+0x53/0x8a [ubifs]
  ubifs_rename+0x106/0x1f0 [ubifs]
  do_syscall_64+0x35/0x80

The buggy address belongs to the object at ffff88810238bed8 which
belongs to the cache kmalloc-8 of size 8
==================================================================

Let ubifs_free_inode() free 'whiteout_ui->data'. BTW, delete unused
assignment 'whiteout_ui->data_len = 0', process 'ubifs_evict_inode()
-> ubifs_jnl_delete_inode() -> ubifs_jnl_write_inode()' doesn't need it
(because 'inc_nlink(whiteout)' won't be executed by 'goto out_release',
 and the nlink of whiteout inode is 0).

Fixes: 9e0a1fff8d ("ubifs: Implement RENAME_WHITEOUT")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
2022-01-09 21:25:01 +01:00
auth.c ubifs: Fix memleak in ubifs_init_authentication 2021-02-12 21:53:22 +01:00
budget.c ubifs: Limit the number of pages in shrink_liability 2019-08-22 17:25:33 +02:00
commit.c ubifs: Pass node length in all node dumping callers 2020-12-13 22:12:32 +01:00
compress.c ubifs: Add support for zstd compression. 2019-07-08 19:43:53 +02:00
crypto.c fscrypt: remove fscrypt_operations::max_namelen 2021-09-20 19:32:33 -07:00
debug.c ubifs: fix snprintf() checking 2021-06-18 22:04:47 +02:00
debug.h ubifs: ubifs_dump_sleb: Remove unused function 2020-12-13 22:12:38 +01:00
dir.c ubifs: rename_whiteout: Fix double free for whiteout_ui->data 2022-01-09 21:25:01 +01:00
file.c ubifs: report correct st_size for encrypted symlinks 2021-07-25 20:01:07 -07:00
find.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336 2019-06-05 17:37:07 +02:00
gc.c ubifs: read-only if LEB may always be taken in ubifs_garbage_collect 2021-12-23 22:30:38 +01:00
io.c ubifs: Export filesystem error counters 2021-12-23 20:23:42 +01:00
ioctl.c ubifs: convert to fileattr 2021-04-12 15:04:30 +02:00
journal.c ubifs: Fix spelling mistakes 2021-06-22 09:21:39 +02:00
Kconfig fscrypt: Allow modular crypto algorithms 2019-12-31 10:33:51 -06:00
key.h ubifs: allow both hash and disk name to be provided in no-key names 2020-01-22 14:49:56 -08:00
log.c ubifs: remove unnecessary check in ubifs_log_start_commit 2019-07-08 19:43:51 +02:00
lprops.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
lpt_commit.c mm: remove the pgprot argument to __vmalloc 2020-06-02 10:59:11 -07:00
lpt.c ubifs: Fix the printing type of c->big_lpt 2020-12-13 21:57:10 +01:00
Makefile ubifs: Export filesystem error counters 2021-12-23 20:23:42 +01:00
master.c ubifs: Fix spelling mistakes 2021-06-22 09:21:39 +02:00
misc.c ubifs: Allow setting assert action as mount parameter 2018-08-15 00:25:21 +02:00
misc.h ubifs: misc.h: delete a duplicated word 2020-08-02 22:59:03 +02:00
orphan.c ubifs: Pass node length in all node dumping callers 2020-12-13 22:12:32 +01:00
recovery.c ubifs: Pass node length in all node dumping callers 2020-12-13 22:12:32 +01:00
replay.c ubifs: Fix spelling mistakes 2021-12-23 20:23:40 +01:00
sb.c ubifs: Default to zstd compression 2021-04-15 22:00:26 +02:00
scan.c ubifs: Pass node length in all node dumping callers 2020-12-13 22:12:32 +01:00
shrinker.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336 2019-06-05 17:37:07 +02:00
super.c ubifs: Export filesystem error counters 2021-12-23 20:23:42 +01:00
sysfs.c ubifs: fix snprintf() length check 2021-12-23 22:08:19 +01:00
tnc_commit.c ubifs: Fix spelling mistakes 2021-06-22 09:21:39 +02:00
tnc_misc.c ubifs: Pass node length in all node dumping callers 2020-12-13 22:12:32 +01:00
tnc.c ubifs: Pass node length in all node dumping callers 2020-12-13 22:12:32 +01:00
ubifs-media.h ubifs: Add support for zstd compression. 2019-07-08 19:43:53 +02:00
ubifs.h ubifs: Export filesystem error counters 2021-12-23 20:23:42 +01:00
xattr.c ubifs: Remove ui_mutex in ubifs_xattr_get and change_xattr 2021-06-18 22:04:47 +02:00