From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Colin Ian King, Miklos Szeredi, Sasha Levin
Subject: [PATCH 5.13 012/113] ovl: fix uninitialized pointer read in ovl_lookup_real_one()
Date: Wed, 1 Sep 2021 14:27:27 +0200
Message-Id: <20210901122302.391449510@linuxfoundation.org>
In-Reply-To: <20210901122301.984263453@linuxfoundation.org>

From: Miklos Szeredi

[ Upstream commit 580c610429b3994e8db24418927747cf28443cde ]

One error path can result in release_dentry_name_snapshot() being called
before "name" was initialized by take_dentry_name_snapshot().

Fix by moving the release_dentry_name_snapshot() to immediately after the
only use.

Reported-by: Colin Ian King
Signed-off-by: Miklos Szeredi
Signed-off-by: Sasha Levin
--- fs/overlayfs/export.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/overlayfs/export.c b/fs/overlayfs/export.c index 41ebf52f1bbc..ebde05c9cf62 100644 --- a/fs/overlayfs/export.c +++ b/fs/overlayfs/export.c @@ -392,6 +392,7 @@ static struct dentry *ovl_lookup_real_one(struct dentry *connected, */ take_dentry_name_snapshot(&name, real); this = lookup_one_len(name.name.name, connected, name.name.len); + release_dentry_name_snapshot(&name); err = PTR_ERR(this); if (IS_ERR(this)) { goto fail; @@ -406,7 +407,6 @@ static struct dentry *ovl_lookup_real_one(struct dentry *connected, } out: - release_dentry_name_snapshot(&name); dput(parent); inode_unlock(dir); return this; -- 2.30.2
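
Review bot: In the first hunk (@@ -392), release_dentry_name_snapshot(&name) now runs before the IS_ERR(this) check and the "goto fail", so nothing from that point on may read name.name. The code under the fail label is outside the visible context; please confirm it does not print or otherwise use the snapshot, and consider a one-line comment above the release noting that lookup_one_len() is the only consumer, so a later change does not reintroduce a read after release.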
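
Review bot: In the second hunk (@@ -406), the "out:" label no longer touches name, which is what makes an early jump to it safe, but the changelog says only "one error path" without naming it. Suggest stating which jump reaches "out:" before take_dentry_name_snapshot() has run, and adding a Fixes: tag for the commit that introduced it; neither appears in the message, and both help when judging how far back the fix needs to go.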