Patch "ext4: avoid potential buffer_head leak in __ext4_new_inode()" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 30 Sep 2024 20:26:47 -0400

This is a note to let you know that I've just added the patch titled

    ext4: avoid potential buffer_head leak in __ext4_new_inode()

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ext4-avoid-potential-buffer_head-leak-in-__ext4_new_.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 7b96ba6845ea51e6a901658ff884310e951f262d
Author: Kemeng Shi <shikemeng@xxxxxxxxxxxxxxx>
Date:   Tue Aug 20 21:22:29 2024 +0800

    ext4: avoid potential buffer_head leak in __ext4_new_inode()
    
    [ Upstream commit 227d31b9214d1b9513383cf6c7180628d4b3b61f ]
    
    If a group is marked EXT4_GROUP_INFO_IBITMAP_CORRUPT after it's inode
    bitmap buffer_head was successfully verified, then __ext4_new_inode()
    will get a valid inode_bitmap_bh of a corrupted group from
    ext4_read_inode_bitmap() in which case inode_bitmap_bh misses a release.
    Hnadle "IS_ERR(inode_bitmap_bh)" and group corruption separately like
    how ext4_free_inode() does to avoid buffer_head leak.
    
    Fixes: 9008a58e5dce ("ext4: make the bitmap read routines return real error codes")
    Signed-off-by: Kemeng Shi <shikemeng@xxxxxxxxxxxxxxx>
    Link: https://patch.msgid.link/20240820132234.2759926-3-shikemeng@xxxxxxxxxxxxxxx
    Signed-off-by: Theodore Ts'o <tytso@xxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
index 4478ba2e8cc54..a00c91aa755c4 100644
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -1056,12 +1056,13 @@ struct inode *__ext4_new_inode(struct user_namespace *mnt_userns,
 		brelse(inode_bitmap_bh);
 		inode_bitmap_bh = ext4_read_inode_bitmap(sb, group);
 		/* Skip groups with suspicious inode tables */
-		if (((!(sbi->s_mount_state & EXT4_FC_REPLAY))
-		     && EXT4_MB_GRP_IBITMAP_CORRUPT(grp)) ||
-		    IS_ERR(inode_bitmap_bh)) {
+		if (IS_ERR(inode_bitmap_bh)) {
 			inode_bitmap_bh = NULL;
 			goto next_group;
 		}
+		if (!(sbi->s_mount_state & EXT4_FC_REPLAY) &&
+		    EXT4_MB_GRP_IBITMAP_CORRUPT(grp))
+			goto next_group;
 
 repeat_in_this_group:
 		ret2 = find_inode_bit(sb, group, inode_bitmap_bh, &ino);







