From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "OGAWA Hirofumi", "Linus Torvalds", syzbot+90b8e10515ae88228a92@syzkaller.appspotmail.com
Date: Sun, 11 Nov 2018 19:49:05 +0000
X-Mailer: LinuxStableQueue (scripts by bwh)
Subject: [PATCH 3.16 274/366] fat: fix memory allocation failure handling of match_strdup()
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.61-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: OGAWA Hirofumi

commit 35033ab988c396ad7bce3b6d24060c16a9066db8 upstream.

In parse_options(), if match_strdup() failed, parse_options() leaves
opts->iocharset in an unexpected state (i.e. still pointing to the freed
string). And this can be the cause of a double free.

To fix this, always initialize opts->iocharset when freeing.

Link: http://lkml.kernel.org/r/8736wp9dzc.fsf@mail.parknet.co.jp
Signed-off-by: OGAWA Hirofumi
Reported-by: syzbot+90b8e10515ae88228a92@syzkaller.appspotmail.com
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings
---
 fs/fat/inode.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

--- a/fs/fat/inode.c
+++ b/fs/fat/inode.c
@@ -610,13 +610,21 @@ static void fat_set_state(struct super_b brelse(bh); } +static void fat_reset_iocharset(struct fat_mount_options *opts) +{ + if (opts->iocharset != fat_default_iocharset) { + /* Note: opts->iocharset can be NULL here */ + kfree(opts->iocharset); + opts->iocharset = fat_default_iocharset; + } +} + static void delayed_free(struct rcu_head *p) { struct msdos_sb_info *sbi = container_of(p, struct msdos_sb_info, rcu); unload_nls(sbi->nls_disk); unload_nls(sbi->nls_io); - if (sbi->options.iocharset != fat_default_iocharset) - kfree(sbi->options.iocharset); + fat_reset_iocharset(&sbi->options); kfree(sbi); } @@ -1031,7 +1039,7 @@ static int parse_options(struct super_bl opts->fs_fmask = opts->fs_dmask = current_umask(); opts->allow_utime = -1; opts->codepage = fat_default_codepage; - opts->iocharset = fat_default_iocharset; + fat_reset_iocharset(opts); if (is_vfat) { opts->shortname = VFAT_SFN_DISPLAY_WINNT|VFAT_SFN_CREATE_WIN95; opts->rodir = 0; @@ -1181,8 +1189,7 @@ static int parse_options(struct super_bl /* vfat specific */ case Opt_charset: - if (opts->iocharset != fat_default_iocharset) - kfree(opts->iocharset); + fat_reset_iocharset(opts); iocharset = match_strdup(&args[0]); if (!iocharset) return -ENOMEM; @@ -1763,8 +1770,7 @@ out_fail: iput(fat_inode); unload_nls(sbi->nls_io); unload_nls(sbi->nls_disk); - if (sbi->options.iocharset != fat_default_iocharset) - kfree(sbi->options.iocharset); + fat_reset_iocharset(&sbi->options); sb->s_fs_info = NULL; kfree(sbi); return error;
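
Review bot: fat_reset_iocharset(), added in the hunk at @@ -610,13 +610,21 @@, encodes an ownership rule that is stated nowhere: opts->iocharset is either the static fat_default_iocharset or a heap string owned by opts, and pointer identity with the default is the only thing that tells the two apart. A one-line comment above the helper saying so, and saying that it is the only place that may kfree() the field, would keep a later caller from reintroducing an open-coded free that leaves the pointer dangling. In delayed_free() the reassignment to the default is a dead store because kfree(sbi) follows directly; that is harmless and worth keeping for the uniform call.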
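
Review bot: In the hunk at @@ -1031,7 +1039,7 @@, replacing the unconditional "opts->iocharset = fat_default_iocharset;" with "fat_reset_iocharset(opts);" makes the start of parse_options() read opts->iocharset before this function has written it. The old line was safe whatever the field held on entry; the new one passes the existing value to kfree() unless it equals the default. The helper's comment ("opts->iocharset can be NULL here") suggests the structure arrives zeroed, but nothing in the visible lines shows that. Please state the precondition in a comment at this call, or confirm that every caller passes a zero-initialised or previously parsed fat_mount_options.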
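
Review bot: The order of the two statements in the Opt_charset case at @@ -1181,8 +1189,7 @@ is what closes the double free, and nothing in the code says so. fat_reset_iocharset(opts) has to run before match_strdup() so that the "return -ENOMEM" path leaves opts->iocharset at the default rather than at the string just freed, which is the value the out_fail path at @@ -1763,8 +1770,7 @@ would otherwise free a second time. A short comment to that effect in this case would stop a later cleanup from moving the free after the allocation.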