linux-stable/fs
Theodore Ts'o a18670395e ext4: fix invalid free tracking in ext4_xattr_move_to_block()
commit b87c7cdf2b upstream.

In ext4_xattr_move_to_block(), the value of the extended attribute
which we need to move to an external block may be allocated by
kvmalloc() if the value is stored in an external inode.  So at the end
of the function the code tried to check if this was the case by
testing entry->e_value_inum.

However, at this point, the pointer to the xattr entry is no longer
valid, because it was removed from the original location where it had
been stored.  So we could end up calling kvfree() on a pointer which
was not allocated by kvmalloc(); or we could also potentially leak
memory by not freeing the buffer when it should be freed.  Fix this by
storing whether it should be freed in a separate variable.

Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20230430160426.581366-1-tytso@mit.edu
Link: https://syzkaller.appspot.com/bug?id=5c2aee8256e30b55ccf57312c16d88417adbd5e1
Link: https://syzkaller.appspot.com/bug?id=41a6b5d4917c0412eb3b3c3c604965bed7d7420b
Reported-by: syzbot+64b645917ce07d89bde5@syzkaller.appspotmail.com
Reported-by: syzbot+0d042627c4f2ad332195@syzkaller.appspotmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-05-17 13:59:12 +02:00
9p 9p-for-6.2-rc1 2022-12-23 11:39:18 -08:00
adfs
affs affs: initialize fsdata in affs_truncate() 2023-01-10 14:55:20 +01:00
afs rxrpc: Fix timeout of a call that hasn't yet been granted a channel 2023-05-17 13:58:47 +02:00
autofs
befs
bfs
btrfs btrfs: fix backref walking not returning all inode refs 2023-05-17 13:58:58 +02:00
cachefiles
ceph ceph: fix potential use-after-free bug when trimming caps 2023-05-11 23:10:55 +09:00
cifs SMB3: force unmount was failing to close deferred close files 2023-05-17 13:59:00 +02:00
coda coda: Avoid partial allocation of sig_inputArgs 2023-03-10 09:29:12 +01:00
configfs
cramfs fs/cramfs/inode.c: initialize file_ra_state 2023-03-10 09:29:31 +01:00
crypto for-6.2/block-2022-12-08 2022-12-13 10:43:59 -08:00
debugfs
devpts
dlm fs: dlm: fix DLM_IFL_CB_PENDING gets overwritten 2023-05-11 23:10:55 +09:00
ecryptfs
efivarfs
efs
erofs erofs: fix potential overflow calculating xattr_isize 2023-05-11 23:10:56 +09:00
exfat exfat: fix inode->i_blocks for non-512 byte sector size device 2023-03-10 09:29:29 +01:00
exportfs
ext2 2022-12-12 20:32:50 -08:00
ext4 ext4: fix invalid free tracking in ext4_xattr_move_to_block() 2023-05-17 13:59:12 +02:00
f2fs f2fs: fix potential corruption when moving a directory 2023-05-17 13:59:04 +02:00
fat MM patches for 6.2-rc1. 2022-12-13 19:29:45 -08:00
freevxfs freevxfs: Kconfig: fix spelling 2023-01-31 16:44:08 -08:00
fscache fscache: Use clear_and_wake_up_bit() in fscache_create_volume_work() 2023-01-30 12:51:54 +00:00
fuse fuse: add inode/permission checks to fileattr_get/fileattr_set 2023-03-10 09:29:47 +01:00
gfs2 gfs2: Improve gfs2_make_fs_rw error handling 2023-03-10 09:29:19 +01:00
hfs hfs: fix missing hfs_bnode_get() in __hfs_bnode_create 2023-03-10 09:29:28 +01:00
hfsplus fs: hfsplus: fix UAF issue in hfsplus_put_super 2023-03-10 09:29:28 +01:00
hostfs
hpfs
hugetlbfs
iomap New XFS code for 6.2: 2022-12-14 10:11:51 -08:00
isofs
jbd2 jdb2: Don't refuse invalidation of already invalidated buffers 2023-05-11 23:11:15 +09:00
jffs2
jfs fs/jfs: fix shift exponent db_agl2size negative 2023-03-11 13:50:20 +01:00
kernfs
ksmbd ksmbd: fix racy issue from smb2 close and logoff with multichannel 2023-05-17 13:58:55 +02:00
lockd lockd: set file_lock start and end when decoding nlm4 testargs 2023-03-30 12:51:35 +02:00
minix
netfs
nfs NFSv4.1: Always send a RECLAIM_COMPLETE after establishing lease 2023-05-11 23:11:28 +09:00
nfs_common
nfsd NFSD: callback request does not use correct credential for AUTH_SYS 2023-04-13 17:02:40 +02:00
nilfs2 nilfs2: fix infinite loop in nilfs_mdt_get_block() 2023-05-11 23:11:33 +09:00
nls
notify inotify: Avoid reporting event with invalid wd 2023-05-17 13:58:59 +02:00
ntfs
ntfs3 fs/ntfs3: Refactoring of various minor issues 2023-05-17 13:59:08 +02:00
ocfs2 ocfs2: fix data corruption after failed write 2023-03-22 13:38:06 +01:00
omfs
openpromfs
orangefs orangefs: four fixes from Zhang Xiaoxu and two from Colin Ian King 2022-12-14 11:16:33 -08:00
overlayfs ovl: fail on invalid uid/gid mapping at copy up 2023-01-27 16:17:19 +01:00
proc sysctl: clarify register_sysctl_init() base directory order 2023-05-17 13:59:01 +02:00
pstore pstore: Revert pmsg_lock back to a normal mutex 2023-05-11 23:11:20 +09:00
qnx4
qnx6
quota
ramfs
reiserfs reiserfs: Add security prefix to xattr name in reiserfs_security_write() 2023-05-11 23:10:52 +09:00
romfs
smbfs_common
squashfs revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" 2023-02-03 17:52:25 -08:00
sysfs
sysv
tracefs
ubifs ubifs: Fix memory leak in do_rename 2023-05-11 23:10:54 +09:00
udf udf: Fix off-by-one error when discarding preallocation 2023-03-17 08:57:49 +01:00
ufs
unicode
vboxsf
verity fsverity: don't drop pagecache at end of FS_IOC_ENABLE_VERITY 2023-04-06 12:12:24 +02:00
xfs xfs: don't consider future format versions valid 2023-05-11 23:10:55 +09:00
zonefs zonefs: Always invalidate last cached page on append write 2023-04-06 12:12:42 +02:00
Kconfig
Kconfig.binfmt
Makefile fs: fix sysctls.c built 2023-05-11 23:10:51 +09:00
aio.c aio: fix mremap after fork null-deref 2023-02-03 17:52:24 -08:00
anon_inodes.c
attr.c
bad_inode.c
binfmt_elf.c elfcore: Add a cprm parameter to elf_core_extra_{phdrs,data_size} 2023-01-05 15:12:12 +00:00
binfmt_elf_fdpic.c elfcore: Add a cprm parameter to elf_core_extra_{phdrs,data_size} 2023-01-05 15:12:12 +00:00
binfmt_elf_test.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
buffer.c
char_dev.c
compat_binfmt_elf.c
coredump.c coredump: Move dump_emit_page() to kill unused warning 2023-01-10 21:03:01 -05:00
d_path.c
dax.c fsdax: force clear dirty mark if CoW 2023-04-13 17:02:47 +02:00
dcache.c
direct-io.c
drop_caches.c
eventfd.c
eventpoll.c
exec.c
fcntl.c
fhandle.c
file.c fs: prevent out-of-bounds array speculation when closing a file descriptor 2023-03-17 08:57:45 +01:00
file_table.c
filesystems.c
fs-writeback.c writeback: fix call of incorrect macro 2023-05-17 13:58:45 +02:00
fs_context.c
fs_parser.c
fs_pin.c
fs_struct.c
fs_types.c
fsopen.c
init.c
inode.c
internal.h
ioctl.c
kernel_read_file.c
libfs.c
locks.c filelocks: use mount idmapping for setlease permission check 2023-03-17 08:58:03 +01:00
mbcache.c
mount.h
mpage.c
namei.c Landlock updates for v6.2-rc1 2022-12-13 09:14:50 -08:00
namespace.c fs: drop peer group ids under namespace lock 2023-04-13 17:02:50 +02:00
no-block.c
nsfs.c
open.c fs: Use CHECK_DATA_CORRUPTION() when kernel bugs are detected 2023-03-10 09:29:05 +01:00
pipe.c
pnode.c pnode: terminate at peers of source 2022-12-21 14:45:25 +01:00
pnode.h
posix_acl.c
proc_namespace.c
read_write.c
readdir.c
remap_range.c New VFS code for 6.2: 2022-12-13 10:26:38 -08:00
select.c
seq_file.c
signalfd.c
splice.c
stack.c
stat.c
statfs.c
super.c fscrypt: destroy keyring after security_sb_delete() 2023-03-30 12:51:35 +02:00
sync.c
sysctls.c
timerfd.c
userfaultfd.c Revert "userfaultfd: don't fail on unrecognized features" 2023-04-26 14:30:01 +02:00
utimes.c
xattr.c fs.xattr.simple.rework.rbtree.rwlock.v6.2 2022-12-13 10:08:36 -08:00