ext4: fix possible use after free in ext4_quota_enable

commit 61157b24 upstream. The function frees qf_inode via iput but then pass qf_inode to lockdep_set_quota_inode on the failure path. This may result in a use-after-free bug. The patch frees df_inode only when it is never used. Fixes: daf647d2 ("ext4: add lockdep annotations for i_data_sem") Cc: stable@kernel.org # 4.6 Reviewed-by: N Jan Kara <jack@suse.cz> Signed-off-by: N Pan Bian <bianpan2016@163.com> Signed-off-by: N Theodore Ts'o <tytso@mit.edu> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

ext4: fix possible use after free in ext4_quota_enable
commit 61157b24 upstream. The function frees qf_inode via iput but then pass qf_inode to lockdep_set_quota_inode on the failure path. This may result in a use-after-free bug. The patch frees df_inode only when it is never used. Fixes: daf647d2 ("ext4: add lockdep annotations for i_data_sem") Cc: stable@kernel.org # 4.6 Reviewed-by: N Jan Kara <jack@suse.cz> Signed-off-by: N Pan Bian <bianpan2016@163.com> Signed-off-by: N Theodore Ts'o <tytso@mit.edu> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
71177429 · Pan Bian · Xie XiuQi · 7d6be24b · 71177429
显示空白变更内容
内联并排

Showing with 1 addition and 1 deletion

fs/ext4/super.c fs/ext4/super.c +1 -1

未找到文件。
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -5712,9 +5712,9 @@ static int ext4_quota_enable(struct super_block *sb, int type, int format_id,
 	qf_inode->i_flags |= S_NOQUOTA;
 	lockdep_set_quota_inode(qf_inode, I_DATA_SEM_QUOTA);
 	err = dquot_enable(qf_inode, type, format_id, flags);
-	iput(qf_inode);
 	if (err)
 		lockdep_set_quota_inode(qf_inode, I_DATA_SEM_NORMAL);
+	iput(qf_inode);

 	return err;
 }