If function security_inode_alloc() returns a nonzero value due to an
error (e.g. fail to allocate memory), then some of the fields, including
'i_private', will not be initialized.
After that, if the fs-specfic free_inode function is called in
i_callback(), the nonzero value of 'i_private' field can be interpreted
as initialized. As a result, this can cause dereferencing of random
value pointer (e.g. nilfs2).
In earlier versions, a similar situation could occur with the 'u' union
in 'inode' structure.
Found by Linux Verification Center (linuxtesting.org) with syzkaller.
Signed-off-by: Rustam Subkhankulov <subkhankulov@xxxxxxxxx>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
---
fs/inode.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/inode.c b/fs/inode.c
index ba1de23c13c1..a2892d85993d 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -192,8 +192,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
inode->i_wb_frn_history = 0;
#endif
- if (security_inode_alloc(inode))
- goto out;
spin_lock_init(&inode->i_lock);
lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);
@@ -228,6 +226,10 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
inode->i_fsnotify_mask = 0;
#endif
inode->i_flctx = NULL;
+
+ if (security_inode_alloc(inode))
+ goto out;
+
this_cpu_inc(nr_inodes);
return 0;
--
2.34.1
