From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Norbert Manthey, Kees Cook
Subject: [PATCH 5.2 410/413] pstore: Fix double-free in pstore_mkfile() failure path
Date: Wed, 24 Jul 2019 21:21:41 +0200
Message-Id: <20190724191803.854994213@linuxfoundation.org>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190724191735.096702571@linuxfoundation.org>
References: <20190724191735.096702571@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Norbert Manthey

commit 4c6d80e1144bdf48cae6b602ae30d41f3e5c76a9 upstream.

The pstore_mkfile() function is passed a pointer to a struct
pstore_record. On success it consumes this 'record' pointer and
references it from the created inode.

On failure, however, it may or may not free the record. There are even
two different code paths which return -ENOMEM -- one of which does and
the other doesn't free the record.

Make the behaviour deterministic by never consuming and freeing the
record when returning failure, allowing the caller to do the cleanup
consistently.

Signed-off-by: Norbert Manthey
Link: https://lore.kernel.org/r/1562331960-26198-1-git-send-email-nmanthey@amazon.de
Fixes: 83f70f0769ddd ("pstore: Do not duplicate record metadata")
Fixes: 1dfff7dd67d1a ("pstore: Pass record contents instead of copying")
Cc: stable@vger.kernel.org
[kees: also move "private" allocation location, rename inode cleanup label]
Signed-off-by: Kees Cook
Signed-off-by: Greg Kroah-Hartman
---
 fs/pstore/inode.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

--- a/fs/pstore/inode.c
+++ b/fs/pstore/inode.c
@@ -318,22 +318,21 @@ int pstore_mkfile(struct dentry *root, s goto fail; inode->i_mode = S_IFREG | 0444; inode->i_fop = &pstore_file_operations; - private = kzalloc(sizeof(*private), GFP_KERNEL); - if (!private) - goto fail_alloc; - private->record = record; - scnprintf(name, sizeof(name), "%s-%s-%llu%s", pstore_type_to_name(record->type), record->psi->name, record->id, record->compressed ? ".enc.z" : ""); + private = kzalloc(sizeof(*private), GFP_KERNEL); + if (!private) + goto fail_inode; + dentry = d_alloc_name(root, name); if (!dentry) goto fail_private; + private->record = record; inode->i_size = private->total_size = size; - inode->i_private = private; if (record->time.tv_sec) @@ -349,7 +348,7 @@ int pstore_mkfile(struct dentry *root, s fail_private: free_pstore_private(private); -fail_alloc: +fail_inode: iput(inode); fail:
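Review bot: in the first hunk, "private->record = record;" now sits after the d_alloc_name() failure check, but nothing in the code says that this placement is what keeps free_pstore_private(private) on the fail_private path away from the caller's record. The fix relies on kzalloc() leaving private->record NULL until that assignment, so a later cleanup that moves the assignment back up next to the allocation would silently bring the double-free back. Suggest a one-line comment above the assignment stating that ownership of the record is transferred only after the last point that can fail.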
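Review bot: at the fail_private / fail_inode labels in the second hunk, the error path now leaves the record for the caller to release, yet the diffstat lists only fs/pstore/inode.c and no comment on pstore_mkfile() records that contract. Suggest documenting above the function that the record is consumed only on a successful return and must be freed by the caller otherwise, and naming in the commit message the caller that performs the cleanup, so that a new call site does not leak the record or free it twice.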