udf: Fix error handling in udf_new_inode()

jankara · jankara · commit f05f2429eec6 · 2021-12-15T13:08:34.000+01:00
When memory allocation of iinfo or block allocation fails, already
allocated struct udf_inode_info gets freed with iput() and
udf_evict_inode() may look at inode fields which are not properly
initialized. Fix it by marking inode bad before dropping reference to it
in udf_new_inode().

Reported-by: syzbot+9ca499bb57a2b9e4c652@syzkaller.appspotmail.com
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
diff --git a/fs/udf/ialloc.c b/fs/udf/ialloc.c
@@ -77,6 +77,7 @@ struct inode *udf_new_inode(struct inode *dir, umode_t mode)
 					GFP_KERNEL);
 	}
 	if (!iinfo->i_data) {
+		make_bad_inode(inode);
 		iput(inode);
 		return ERR_PTR(-ENOMEM);
 	}
@@ -86,6 +87,7 @@ struct inode *udf_new_inode(struct inode *dir, umode_t mode)
 			      dinfo->i_location.partitionReferenceNum,
 			      start, &err);
 	if (err) {
+		make_bad_inode(inode);
 		iput(inode);
 		return ERR_PTR(err);
 	}

Original file line number	Diff line number	Diff line change
`@@ -77,6 +77,7 @@ struct inode udf_new_inode(struct inode dir, umode_t mode)`
`77`	`77`	`GFP_KERNEL);`
`78`	`78`	`}`
`79`	`79`	`if (!iinfo->i_data) {`
	`80`	`+ make_bad_inode(inode);`
`80`	`81`	`iput(inode);`
`81`	`82`	`return ERR_PTR(-ENOMEM);`
`82`	`83`	`}`
`@@ -86,6 +87,7 @@ struct inode udf_new_inode(struct inode dir, umode_t mode)`
`86`	`87`	`dinfo->i_location.partitionReferenceNum,`
`87`	`88`	`start, &err);`
`88`	`89`	`if (err) {`
	`90`	`+ make_bad_inode(inode);`
`89`	`91`	`iput(inode);`
`90`	`92`	`return ERR_PTR(err);`
`91`	`93`	`}`