Re: [syzbot] [PATCH] ocfs2: fix use-after-free due to dangling quota pointer and checking suspended flag
From: syzbot
Date: Sat Dec 14 2024 - 21:37:51 EST
For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.
***
Subject: [PATCH] ocfs2: fix use-after-free due to dangling quota pointer and checking suspended flag
Author: dennis.lamerice@xxxxxxxxx
Signed-off-by: Dennis Lam <dennis.lamerice@xxxxxxxxx>
---
#syz test
fs/ocfs2/quota_global.c | 3 ++-
fs/ocfs2/quota_local.c | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c
index 2b0daced98eb..c6d38340d6d4 100644
--- a/fs/ocfs2/quota_global.c
+++ b/fs/ocfs2/quota_global.c
@@ -893,7 +893,8 @@ static int ocfs2_get_next_id(struct super_block *sb, struct kqid *qid)
int status = 0;
trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type);
- if (!sb_has_quota_loaded(sb, type)) {
+ if (!sb_has_quota_loaded(sb, type) ||
+ sb_dqopt(sb)->flags & DQUOT_SUSPENDED) {
status = -ESRCH;
goto out;
}
diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c
index 73d3367c533b..2956d888c131 100644
--- a/fs/ocfs2/quota_local.c
+++ b/fs/ocfs2/quota_local.c
@@ -867,6 +867,7 @@ static int ocfs2_local_free_info(struct super_block *sb, int type)
brelse(oinfo->dqi_libh);
brelse(oinfo->dqi_lqi_bh);
kfree(oinfo);
+ info->dqi_priv = NULL;
return status;
}
--
2.47.0