udf: Fix error handling in udf_new_inode()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

When memory allocation of iinfo or block allocation fails, already
allocated struct udf_inode_info gets freed with iput() and
udf_evict_inode() may look at inode fields which are not properly
initialized. Fix it by marking inode bad before dropping reference to it
in udf_new_inode().

Reported-by: syzbot+9ca499bb57a2b9e4c652@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>

Jan Kara 4 years ago f05f2429 b831281b

1 changed file

expand all

udf

ialloc.c

fs/udf/ialloc.c

··· 77 77 GFP_KERNEL); 78 78 } 79 79 if (!iinfo->i_data) { 80 + make_bad_inode(inode); 80 81 iput(inode); 81 82 return ERR_PTR(-ENOMEM); 82 83 } ··· 87 86 dinfo->i_location.partitionReferenceNum, 88 87 start, &err); 89 88 if (err) { 89 + make_bad_inode(inode); 90 90 iput(inode); 91 91 return ERR_PTR(err); 92 92 }