Re: [linux-next:master 8625/10077] fs/erofs/inode.c:210 erofs_read_inode() error: double free of 'copied'

Gao Xiang <hsiangkao@xxxxxxxxxxxxxxxxx> · Wed, 25 Aug 2021 19:54:30 +0800

Hi Dan,

On Wed, Aug 25, 2021 at 10:14:27AM +0300, Dan Carpenter wrote:
> tree:   https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
> head:   372b2891c15acbf7b90d948b08ac174bde77102c
> commit: c5aa903a59db274554718cddfda9039913409ec9 [8625/10077] erofs: support reading chunk-based uncompressed files
> config: openrisc-randconfig-m031-20210824 (attached as .config)
> compiler: or1k-linux-gcc (GCC) 11.2.0
> 
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@xxxxxxxxx>
> Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> 
> New smatch warnings:
> fs/erofs/inode.c:210 erofs_read_inode() error: double free of 'copied'
> 
> vim +/copied +210 fs/erofs/inode.c
> 
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   16  static struct page *erofs_read_inode(struct inode *inode,
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   17  				     unsigned int *ofs)
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26   18  {
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   19  	struct super_block *sb = inode->i_sb;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   20  	struct erofs_sb_info *sbi = EROFS_SB(sb);
> a5876e24f13f134 fs/erofs/inode.c              Gao Xiang 2019-09-04   21  	struct erofs_inode *vi = EROFS_I(inode);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   22  	const erofs_off_t inode_loc = iloc(sbi, vi->nid);
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04   23  
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   24  	erofs_blk_t blkaddr, nblks = 0;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   25  	struct page *page;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   26  	struct erofs_inode_compact *dic;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   27  	struct erofs_inode_extended *die, *copied = NULL;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   28  	unsigned int ifmt;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   29  	int err;
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26   30  
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   31  	blkaddr = erofs_blknr(inode_loc);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   32  	*ofs = erofs_blkoff(inode_loc);
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26   33  
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   34  	erofs_dbg("%s, reading inode nid %llu at %u of blkaddr %u",
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   35  		  __func__, vi->nid, *ofs, blkaddr);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   36  
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   37  	page = erofs_get_meta_page(sb, blkaddr);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   38  	if (IS_ERR(page)) {
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   39  		erofs_err(sb, "failed to get inode (nid: %llu) page, err %ld",
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   40  			  vi->nid, PTR_ERR(page));
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   41  		return page;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   42  	}
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   43  
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   44  	dic = page_address(page) + *ofs;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   45  	ifmt = le16_to_cpu(dic->i_format);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   46  
> 24a806d849c0b0c fs/erofs/inode.c              Gao Xiang 2021-03-29   47  	if (ifmt & ~EROFS_I_ALL) {
> 24a806d849c0b0c fs/erofs/inode.c              Gao Xiang 2021-03-29   48  		erofs_err(inode->i_sb, "unsupported i_format %u of nid %llu",
> 24a806d849c0b0c fs/erofs/inode.c              Gao Xiang 2021-03-29   49  			  ifmt, vi->nid);
> 24a806d849c0b0c fs/erofs/inode.c              Gao Xiang 2021-03-29   50  		err = -EOPNOTSUPP;
> 24a806d849c0b0c fs/erofs/inode.c              Gao Xiang 2021-03-29   51  		goto err_out;
> 24a806d849c0b0c fs/erofs/inode.c              Gao Xiang 2021-03-29   52  	}
> 24a806d849c0b0c fs/erofs/inode.c              Gao Xiang 2021-03-29   53  
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   54  	vi->datalayout = erofs_inode_datalayout(ifmt);
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04   55  	if (vi->datalayout >= EROFS_INODE_DATALAYOUT_MAX) {
> 4f761fa253b49f6 fs/erofs/inode.c              Gao Xiang 2019-09-04   56  		erofs_err(inode->i_sb, "unsupported datalayout %u of nid %llu",
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04   57  			  vi->datalayout, vi->nid);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   58  		err = -EOPNOTSUPP;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   59  		goto err_out;
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26   60  	}
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26   61  
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04   62  	switch (erofs_inode_version(ifmt)) {
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04   63  	case EROFS_INODE_LAYOUT_EXTENDED:
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04   64  		vi->inode_isize = sizeof(struct erofs_inode_extended);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   65  		/* check if the inode acrosses page boundary */
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   66  		if (*ofs + vi->inode_isize <= PAGE_SIZE) {
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   67  			*ofs += vi->inode_isize;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   68  			die = (struct erofs_inode_extended *)dic;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   69  		} else {
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   70  			const unsigned int gotten = PAGE_SIZE - *ofs;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   71  
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   72  			copied = kmalloc(vi->inode_isize, GFP_NOFS);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   73  			if (!copied) {
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   74  				err = -ENOMEM;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   75  				goto err_out;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   76  			}
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   77  			memcpy(copied, dic, gotten);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   78  			unlock_page(page);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   79  			put_page(page);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   80  
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   81  			page = erofs_get_meta_page(sb, blkaddr + 1);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   82  			if (IS_ERR(page)) {
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   83  				erofs_err(sb, "failed to get inode payload page (nid: %llu), err %ld",
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   84  					  vi->nid, PTR_ERR(page));
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   85  				kfree(copied);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   86  				return page;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   87  			}
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   88  			*ofs = vi->inode_isize - gotten;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   89  			memcpy((u8 *)copied + gotten, page_address(page), *ofs);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   90  			die = copied;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30   91  		}
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04   92  		vi->xattr_isize = erofs_xattr_ibody_size(die->i_xattr_icount);
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26   93  
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04   94  		inode->i_mode = le16_to_cpu(die->i_mode);
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04   95  		switch (inode->i_mode & S_IFMT) {
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04   96  		case S_IFREG:
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04   97  		case S_IFDIR:
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04   98  		case S_IFLNK:
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04   99  			vi->raw_blkaddr = le32_to_cpu(die->i_u.raw_blkaddr);
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  100  			break;
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  101  		case S_IFCHR:
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  102  		case S_IFBLK:
> d5beb31b6b1c0a3 drivers/staging/erofs/inode.c Chao Yu   2018-07-26  103  			inode->i_rdev =
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  104  				new_decode_dev(le32_to_cpu(die->i_u.rdev));
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  105  			break;
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  106  		case S_IFIFO:
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  107  		case S_IFSOCK:
> d5beb31b6b1c0a3 drivers/staging/erofs/inode.c Chao Yu   2018-07-26  108  			inode->i_rdev = 0;
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  109  			break;
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  110  		default:
> a6b9b1d5eae61a6 drivers/staging/erofs/inode.c Gao Xiang 2019-08-14  111  			goto bogusimode;
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  112  		}
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  113  		i_uid_write(inode, le32_to_cpu(die->i_uid));
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  114  		i_gid_write(inode, le32_to_cpu(die->i_gid));
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  115  		set_nlink(inode, le32_to_cpu(die->i_nlink));
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26  116  
> d3938ee23e97bfc fs/erofs/inode.c              Gao Xiang 2020-11-01  117  		/* extended inode has its own timestamp */
> d3938ee23e97bfc fs/erofs/inode.c              Gao Xiang 2020-11-01  118  		inode->i_ctime.tv_sec = le64_to_cpu(die->i_ctime);
> d3938ee23e97bfc fs/erofs/inode.c              Gao Xiang 2020-11-01  119  		inode->i_ctime.tv_nsec = le32_to_cpu(die->i_ctime_nsec);
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26  120  
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  121  		inode->i_size = le64_to_cpu(die->i_size);
> fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28  122  
> fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28  123  		/* total blocks for compressed files */
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  124  		if (erofs_inode_is_data_compressed(vi->datalayout))
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  125  			nblks = le32_to_cpu(die->i_u.compressed_blocks);
> c5aa903a59db274 fs/erofs/inode.c              Gao Xiang 2021-08-20  126  		else if (vi->datalayout == EROFS_INODE_CHUNK_BASED)
> c5aa903a59db274 fs/erofs/inode.c              Gao Xiang 2021-08-20  127  			/* fill chunked inode summary info */
> c5aa903a59db274 fs/erofs/inode.c              Gao Xiang 2021-08-20  128  			vi->chunkformat = le16_to_cpu(die->i_u.c.format);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30  129  		kfree(copied);
>                                                                                         ^^^^^^^^^^^^^^
> Free

Yeah, thanks for pointing out, due to new chunk-based format, line 183
will reuse use-after-free `copied'.

I think it can be fixed with copied = NULL; here.

Many thanks for reporting!

Thanks,
Gao Xiang

> 
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  130  		break;
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  131  	case EROFS_INODE_LAYOUT_COMPACT:
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  132  		vi->inode_isize = sizeof(struct erofs_inode_compact);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30  133  		*ofs += vi->inode_isize;
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  134  		vi->xattr_isize = erofs_xattr_ibody_size(dic->i_xattr_icount);
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26  135  
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  136  		inode->i_mode = le16_to_cpu(dic->i_mode);
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  137  		switch (inode->i_mode & S_IFMT) {
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  138  		case S_IFREG:
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  139  		case S_IFDIR:
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  140  		case S_IFLNK:
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  141  			vi->raw_blkaddr = le32_to_cpu(dic->i_u.raw_blkaddr);
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  142  			break;
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  143  		case S_IFCHR:
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  144  		case S_IFBLK:
> d5beb31b6b1c0a3 drivers/staging/erofs/inode.c Chao Yu   2018-07-26  145  			inode->i_rdev =
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  146  				new_decode_dev(le32_to_cpu(dic->i_u.rdev));
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  147  			break;
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  148  		case S_IFIFO:
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  149  		case S_IFSOCK:
> d5beb31b6b1c0a3 drivers/staging/erofs/inode.c Chao Yu   2018-07-26  150  			inode->i_rdev = 0;
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  151  			break;
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  152  		default:
> a6b9b1d5eae61a6 drivers/staging/erofs/inode.c Gao Xiang 2019-08-14  153  			goto bogusimode;
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  154  		}
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  155  		i_uid_write(inode, le16_to_cpu(dic->i_uid));
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  156  		i_gid_write(inode, le16_to_cpu(dic->i_gid));
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  157  		set_nlink(inode, le16_to_cpu(dic->i_nlink));
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26  158  
> d3938ee23e97bfc fs/erofs/inode.c              Gao Xiang 2020-11-01  159  		/* use build time for compact inodes */
> d3938ee23e97bfc fs/erofs/inode.c              Gao Xiang 2020-11-01  160  		inode->i_ctime.tv_sec = sbi->build_time;
> d3938ee23e97bfc fs/erofs/inode.c              Gao Xiang 2020-11-01  161  		inode->i_ctime.tv_nsec = sbi->build_time_nsec;
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26  162  
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  163  		inode->i_size = le32_to_cpu(dic->i_size);
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  164  		if (erofs_inode_is_data_compressed(vi->datalayout))
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  165  			nblks = le32_to_cpu(dic->i_u.compressed_blocks);
> c5aa903a59db274 fs/erofs/inode.c              Gao Xiang 2021-08-20  166  		else if (vi->datalayout == EROFS_INODE_CHUNK_BASED)
> c5aa903a59db274 fs/erofs/inode.c              Gao Xiang 2021-08-20  167  			vi->chunkformat = le16_to_cpu(dic->i_u.c.format);
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  168  		break;
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  169  	default:
> 4f761fa253b49f6 fs/erofs/inode.c              Gao Xiang 2019-09-04  170  		erofs_err(inode->i_sb,
> 4f761fa253b49f6 fs/erofs/inode.c              Gao Xiang 2019-09-04  171  			  "unsupported on-disk inode version %u of nid %llu",
> 8a76568225deae1 fs/erofs/inode.c              Gao Xiang 2019-09-04  172  			  erofs_inode_version(ifmt), vi->nid);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30  173  		err = -EOPNOTSUPP;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30  174  		goto err_out;
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26  175  	}
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26  176  
> c5aa903a59db274 fs/erofs/inode.c              Gao Xiang 2021-08-20  177  	if (vi->datalayout == EROFS_INODE_CHUNK_BASED) {
> c5aa903a59db274 fs/erofs/inode.c              Gao Xiang 2021-08-20  178  		if (!(vi->chunkformat & EROFS_CHUNK_FORMAT_ALL)) {
> c5aa903a59db274 fs/erofs/inode.c              Gao Xiang 2021-08-20  179  			erofs_err(inode->i_sb,
> c5aa903a59db274 fs/erofs/inode.c              Gao Xiang 2021-08-20  180  				  "unsupported chunk format %x of nid %llu",
> c5aa903a59db274 fs/erofs/inode.c              Gao Xiang 2021-08-20  181  				  vi->chunkformat, vi->nid);
> c5aa903a59db274 fs/erofs/inode.c              Gao Xiang 2021-08-20  182  			err = -EOPNOTSUPP;
> c5aa903a59db274 fs/erofs/inode.c              Gao Xiang 2021-08-20  183  			goto err_out;
> c5aa903a59db274 fs/erofs/inode.c              Gao Xiang 2021-08-20  184  		}
> c5aa903a59db274 fs/erofs/inode.c              Gao Xiang 2021-08-20  185  		vi->chunkbits = LOG_BLOCK_SIZE +
> c5aa903a59db274 fs/erofs/inode.c              Gao Xiang 2021-08-20  186  			(vi->chunkformat & EROFS_CHUNK_FORMAT_BLKBITS_MASK);
> c5aa903a59db274 fs/erofs/inode.c              Gao Xiang 2021-08-20  187  	}
> d3938ee23e97bfc fs/erofs/inode.c              Gao Xiang 2020-11-01  188  	inode->i_mtime.tv_sec = inode->i_ctime.tv_sec;
> d3938ee23e97bfc fs/erofs/inode.c              Gao Xiang 2020-11-01  189  	inode->i_atime.tv_sec = inode->i_ctime.tv_sec;
> d3938ee23e97bfc fs/erofs/inode.c              Gao Xiang 2020-11-01  190  	inode->i_mtime.tv_nsec = inode->i_ctime.tv_nsec;
> d3938ee23e97bfc fs/erofs/inode.c              Gao Xiang 2020-11-01  191  	inode->i_atime.tv_nsec = inode->i_ctime.tv_nsec;
> d3938ee23e97bfc fs/erofs/inode.c              Gao Xiang 2020-11-01  192  
> 06252e9ce05b94b fs/erofs/inode.c              Gao Xiang 2021-08-05  193  	inode->i_flags &= ~S_DAX;
> 06252e9ce05b94b fs/erofs/inode.c              Gao Xiang 2021-08-05  194  	if (test_opt(&sbi->ctx, DAX_ALWAYS) && S_ISREG(inode->i_mode) &&
> 06252e9ce05b94b fs/erofs/inode.c              Gao Xiang 2021-08-05  195  	    vi->datalayout == EROFS_INODE_FLAT_PLAIN)
> 06252e9ce05b94b fs/erofs/inode.c              Gao Xiang 2021-08-05  196  		inode->i_flags |= S_DAX;
> fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28  197  	if (!nblks)
> fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28  198  		/* measure inode.i_blocks as generic filesystems */
> fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28  199  		inode->i_blocks = roundup(inode->i_size, EROFS_BLKSIZ) >> 9;
> fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28  200  	else
> fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28  201  		inode->i_blocks = nblks << LOG_SECTORS_PER_BLOCK;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30  202  	return page;
> a6b9b1d5eae61a6 drivers/staging/erofs/inode.c Gao Xiang 2019-08-14  203  
> a6b9b1d5eae61a6 drivers/staging/erofs/inode.c Gao Xiang 2019-08-14  204  bogusimode:
> 4f761fa253b49f6 fs/erofs/inode.c              Gao Xiang 2019-09-04  205  	erofs_err(inode->i_sb, "bogus i_mode (%o) @ nid %llu",
> 4f761fa253b49f6 fs/erofs/inode.c              Gao Xiang 2019-09-04  206  		  inode->i_mode, vi->nid);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30  207  	err = -EFSCORRUPTED;
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30  208  err_out:
> a6b9b1d5eae61a6 drivers/staging/erofs/inode.c Gao Xiang 2019-08-14  209  	DBG_BUGON(1);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30 @210  	kfree(copied);
>                                                                                 ^^^^^^^^^^^^^
> Double free.
> 
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30  211  	unlock_page(page);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30  212  	put_page(page);
> 0dcd3c94e02438f fs/erofs/inode.c              Gao Xiang 2020-07-30  213  	return ERR_PTR(err);
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26  214  }
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26  215  
> 
> ---
> 0-DAY CI Kernel Test Service, Intel Corporation
> https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx