From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dominique Martinet, syzbot+d4252148d198410b864f@syzkaller.appspotmail.com
Subject: [PATCH 4.9 10/92] v9fs_dir_readdir: fix double-free on p9stat_read error
Date: Thu, 29 Nov 2018 15:11:39 +0100
Message-Id: <20181129140107.322382299@linuxfoundation.org>
X-Mailer: git-send-email 2.19.2
In-Reply-To: <20181129140106.520639693@linuxfoundation.org>
References: <20181129140106.520639693@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Dominique Martinet

commit 81c99089bce693b94b775b6eb888115d2d540086 upstream.

p9stat_read will call p9stat_free on error, we should only free the
struct content on success.

There also is no need to "p9stat_init" st as the read function will
zero the whole struct for us anyway, so clean up the code a bit while
we are here.

Link: http://lkml.kernel.org/r/1535410108-20650-1-git-send-email-asmadeus@codewreck.org
Signed-off-by: Dominique Martinet
Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com
Signed-off-by: Greg Kroah-Hartman

--- fs/9p/vfs_dir.c | 11 ----------- 1 file changed, 11 deletions(-) --- a/fs/9p/vfs_dir.c +++ b/fs/9p/vfs_dir.c @@ -76,15 +76,6 @@ static inline int dt_type(struct p9_wsta return rettype; } -static void p9stat_init(struct p9_wstat *stbuf) -{ - stbuf->name = NULL; - stbuf->uid = NULL; - stbuf->gid = NULL; - stbuf->muid = NULL; - stbuf->extension = NULL; -} - /** * v9fs_alloc_rdir_buf - Allocate buffer used for read and readdir * @filp: opened file structure 
@@ -145,12 +136,10 @@ static int v9fs_dir_readdir(struct file rdir->tail = n; } while (rdir->head < rdir->tail) { - p9stat_init(&st); err = p9stat_read(fid->clnt, rdir->buf + rdir->head, rdir->tail - rdir->head, &st); if (err) { p9_debug(P9_DEBUG_VFS, "returned %d\n", err); - p9stat_free(&st); return -EIO; } reclen = st.size+2;
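Review bot: Missing documentation in the first hunk (@@ -76,15 +76,6 @@): deleting p9stat_init() moves the job of clearing name, uid, gid, muid and extension entirely into p9stat_read(), which is not part of this diff. The only record of that contract is the commit message ("the read function will zero the whole struct for us anyway"). Suggest stating it where callers will see it, for example in the comment block of p9stat_read(): that it zeroes the p9_wstat on entry and calls p9stat_free() itself on error. Without that, a later change to the read side can silently reintroduce stale pointers in fs/9p callers.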
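Review bot: In the second hunk (@@ -145,12 +136,10 @@), the "if (err)" branch after p9stat_read() now returns without touching st, and nothing at the call site says why that is correct. A short comment there, along the lines of "p9stat_read() has already freed st on error", would keep someone from putting the p9stat_free(&st) back and recreating the double free. Two things to confirm outside the visible context: that the success path still calls p9stat_free(&st) on every exit from the loop body (the hunk ends at "reclen = st.size+2;"), and that no path relies on the per-iteration reset that the removed "p9stat_init(&st);" used to provide at the top of the while loop.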