From: "zhangyi (F)" yi.zhang@huawei.com
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8TC11 CVE: NA
---------------------------
After commit 4fdcfab5b553 ("jffs2: fix use-after-free on symlink traversal"), it expose a freeing uninitialized memory problem due to this commit move the operaion of freeing f->target to jffs2_i_callback(), which may not be initialized in some error path of allocating jffs2 inode (eg: jffs2_iget()->iget_locked()-> destroy_inode()->..->jffs2_i_callback()->kfree(f->target)).
Fix this by initialize the jffs2_inode_info just after allocating it.
Signed-off-by: zhangyi (F) yi.zhang@huawei.com
Conflicts: fs/jffs2/super.c
Signed-off-by: ZhaoLong Wang wangzhaolong1@huawei.com --- fs/jffs2/fs.c | 2 -- fs/jffs2/super.c | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c index 0403efab4089..6bd79128404b 100644 --- a/fs/jffs2/fs.c +++ b/fs/jffs2/fs.c @@ -271,7 +271,6 @@ struct inode *jffs2_iget(struct super_block *sb, unsigned long ino) f = JFFS2_INODE_INFO(inode); c = JFFS2_SB_INFO(inode->i_sb);
- jffs2_init_inode_info(f); mutex_lock(&f->sem);
ret = jffs2_do_read_inode(c, f, inode->i_ino, &latest_node); @@ -439,7 +438,6 @@ struct inode *jffs2_new_inode (struct inode *dir_i, umode_t mode, struct jffs2_r return ERR_PTR(-ENOMEM);
f = JFFS2_INODE_INFO(inode); - jffs2_init_inode_info(f); mutex_lock(&f->sem);
memset(ri, 0, sizeof(*ri)); diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c index 7ea37f49f1e1..4b3f0fcdeab5 100644 --- a/fs/jffs2/super.c +++ b/fs/jffs2/super.c @@ -42,6 +42,8 @@ static struct inode *jffs2_alloc_inode(struct super_block *sb) f = alloc_inode_sb(sb, jffs2_inode_cachep, GFP_KERNEL); if (!f) return NULL; + + jffs2_init_inode_info(f); return &f->vfs_inode; }