Re: [RFC PATCH] quota: Fix possible GFP due to uninitialised pointers

From: Jan Kara
Date: Thu Mar 03 2016 - 05:00:11 EST


On Wed 02-03-16 18:19:29, Nikolay Borisov wrote:
> While debugging some issues with quota I realized that
> it's possible to pass array with bogus dquot pointers from
> __dquot_initialize to dqput. This can happen if the initialisation
> of the dquot objects for an inode fails and the control flow is
> transferred to the out_put label. In case only the USR or GRP quota
> are initialised then the PRJ pointer in the "got" array would remain
> uninitialised. This will cause the NULL ptr check in dqput to pass
> but actually the pointer is going to be invalid. Eventually this would
> cause a GFP.
>
> To fix this, just zero out the got array.
>
> Signed-off-by: Nikolay Borisov <kernel@xxxxxxxx>

Thanks for spotting this and for the fix. There are a couple of issues with
your patch:

a) You should use MAXQUOTAS instead of the hardcoded 3 in the memset(). Even
better, just specify a proper initializer directly.

b) You could remove the array initialization from the for loop.

I have cleaned up the patch as attached and merged it into my tree.

Honza

> ---
> fs/quota/dquot.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
> index ef0d64b2a6d9..a0ab58fd85ae 100644
> --- a/fs/quota/dquot.c
> +++ b/fs/quota/dquot.c
> @@ -1408,6 +1408,8 @@ static int __dquot_initialize(struct inode *inode, int type)
>
> dquots = i_dquot(inode);
>
> + memset(got, 0, 3 * sizeof(struct dquot *));
> +
> /* First get references to structures we might need. */
> for (cnt = 0; cnt < MAXQUOTAS; cnt++) {
> struct kqid qid;
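Review bot: the memset() hard-codes the element count as 3 instead of MAXQUOTAS, so the zeroing silently becomes partial if the number of quota types ever grows, recreating the exact uninitialised-pointer case the patch is fixing. Since `got` is a fixed-size local array, prefer a zero initializer at its declaration (`struct dquot *got[MAXQUOTAS] = {};`), which needs no size expression, covers every slot, and makes the per-iteration NULL assignment in the loop below redundant.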
> --
> 2.5.0
>
>
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR