From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, OGAWA Hirofumi, syzbot+90b8e10515ae88228a92@syzkaller.appspotmail.com, Andrew Morton, Linus Torvalds
Subject: [PATCH 4.4 003/107] fat: fix memory allocation failure handling of match_strdup()
Date: Mon, 23 Jul 2018 14:40:57 +0200
Message-Id: <20180723122413.127871500@linuxfoundation.org>
In-Reply-To: <20180723122413.003644357@linuxfoundation.org>
References: <20180723122413.003644357@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch. If anyone has any objections, please let me know.

------------------
From: OGAWA Hirofumi

commit 35033ab988c396ad7bce3b6d24060c16a9066db8 upstream.

In parse_options(), if match_strdup() failed, parse_options() leaves
opts->iocharset in an unexpected state (i.e. still pointing to the freed
string). And this can be the cause of a double free.

To fix this, initialize opts->iocharset always when freeing.

Link: http://lkml.kernel.org/r/8736wp9dzc.fsf@mail.parknet.co.jp
Signed-off-by: OGAWA Hirofumi
Reported-by: syzbot+90b8e10515ae88228a92@syzkaller.appspotmail.com
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
---
fs/fat/inode.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)

--- a/fs/fat/inode.c +++ b/fs/fat/inode.c @@ -613,13 +613,21 @@ static void fat_set_state(struct super_b brelse(bh); } +static void fat_reset_iocharset(struct fat_mount_options *opts) +{ + if (opts->iocharset != fat_default_iocharset) { + /* Note: opts->iocharset can be NULL here */ + kfree(opts->iocharset); + opts->iocharset = fat_default_iocharset; + } +} + static void delayed_free(struct rcu_head *p) { struct msdos_sb_info *sbi = container_of(p, struct msdos_sb_info, rcu); unload_nls(sbi->nls_disk); unload_nls(sbi->nls_io); - if (sbi->options.iocharset != fat_default_iocharset) - kfree(sbi->options.iocharset); + fat_reset_iocharset(&sbi->options); kfree(sbi); } @@ -1034,7 +1042,7 @@ static int parse_options(struct super_bl opts->fs_fmask = opts->fs_dmask = current_umask(); opts->allow_utime = -1; opts->codepage = fat_default_codepage; - opts->iocharset = fat_default_iocharset; + fat_reset_iocharset(opts); if (is_vfat) { opts->shortname = VFAT_SFN_DISPLAY_WINNT|VFAT_SFN_CREATE_WIN95; opts->rodir = 0; @@ -1184,8 +1192,7 @@ static int parse_options(struct super_bl /* vfat specific */ case Opt_charset: - if (opts->iocharset != fat_default_iocharset) - kfree(opts->iocharset); + fat_reset_iocharset(opts); iocharset = match_strdup(&args[0]); if (!iocharset) return -ENOMEM; 
@@ -1776,8 +1783,7 @@ out_fail: iput(fat_inode); unload_nls(sbi->nls_io); unload_nls(sbi->nls_disk); - if (sbi->options.iocharset != fat_default_iocharset) - kfree(sbi->options.iocharset); + fat_reset_iocharset(&sbi->options); sb->s_fs_info = NULL; kfree(sbi); return error;
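
Review bot: in fat_reset_iocharset() (hunk at -613,13), the comment "opts->iocharset can be NULL here" says that NULL is possible but not why the code is still correct or which caller produces it. NULL differs from fat_default_iocharset, so the branch is taken and kfree(NULL) is called; the comment should say that this is a no-op and name the path that passes an unset pointer. In delayed_free() the helper also stores fat_default_iocharset into sbi->options immediately before kfree(sbi); that store is harmless, but a short remark would stop a later reader from treating it as required cleanup.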
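
Review bot: the hunk at -1034,7 gives the defaults block of parse_options() a precondition that is not documented anywhere in this diff: opts->iocharset must already be NULL, fat_default_iocharset or a live allocated string, because fat_reset_iocharset(opts) reads the field and may pass it to kfree(), where the removed line only assigned to it. An opts that was never initialised would hand a garbage pointer to kfree(). Please state the precondition in a comment above the call, or, if the field can never hold an allocation at this point, say so in the commit message so the change from plain assignment to a conditional free is justified.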
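
Review bot: in the Opt_charset case (hunk at -1184,8), consider calling match_strdup() before fat_reset_iocharset(opts), so that an allocation failure leaves a value set by an earlier iocharset= option intact instead of discarding it. As posted, the `return -ENOMEM` path leaves opts->iocharset at fat_default_iocharset rather than at a freed pointer, which is what closes the double free, so this is about ordering and not correctness. The lines that store the new string are outside the visible context; please confirm that opts->iocharset is assigned there with no further early return in between.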