android/android_kernel_asus_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

quota: Fix memory leak when handling corrupted quota file

Browse Source 
[ Upstream commit a4db1072e1a3bd7a8d9c356e1902b13ac5deb8ef ]

When checking corrupted quota file we can bail out and leak allocated
info structure. Properly free info structure on error return.

Reported-by: syzbot+77779c9b52ab78154b08@syzkaller.appspotmail.com
Fixes: 11c514a99bb9 ("quota: Sanity-check quota file headers on load")
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Jan Kara 2020-12-22 12:09:53 +01:00 committed by Greg Kroah-Hartman
parent 623c86840e
commit 8b63c0cbc7
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
fs/quota/quota_v2.c
View File

@ -166,19 +166,24 @@ static int v2_read_file_info(struct super_block *sb, int type)
quota_error(sb, "Number of blocks too big for quota file size (%llu > %llu).", quota_error(sb, "Number of blocks too big for quota file size (%llu > %llu).",
(loff_t)qinfo->dqi_blocks << qinfo->dqi_blocksize_bits, (loff_t)qinfo->dqi_blocks << qinfo->dqi_blocksize_bits,
i_size_read(sb_dqopt(sb)->files[type])); i_size_read(sb_dqopt(sb)->files[type]));
goto out; goto out_free;
} }
if (qinfo->dqi_free_blk >= qinfo->dqi_blocks) { if (qinfo->dqi_free_blk >= qinfo->dqi_blocks) {
quota_error(sb, "Free block number too big (%u >= %u).", quota_error(sb, "Free block number too big (%u >= %u).",
qinfo->dqi_free_blk, qinfo->dqi_blocks); qinfo->dqi_free_blk, qinfo->dqi_blocks);
goto out; goto out_free;
} }
if (qinfo->dqi_free_entry >= qinfo->dqi_blocks) { if (qinfo->dqi_free_entry >= qinfo->dqi_blocks) {
quota_error(sb, "Block with free entry too big (%u >= %u).", quota_error(sb, "Block with free entry too big (%u >= %u).",
qinfo->dqi_free_entry, qinfo->dqi_blocks); qinfo->dqi_free_entry, qinfo->dqi_blocks);
goto out; goto out_free;
} }
ret = 0; ret = 0;
out_free:
if (ret) {
kfree(info->dqi_priv);
info->dqi_priv = NULL;
}
out: out:
up_read(&dqopt->dqio_sem); up_read(&dqopt->dqio_sem);
return ret; return ret;