* [linux-next:master 8625/10077] fs/erofs/inode.c:210 erofs_read_inode() error: double free of 'copied'
@ 2021-08-25 7:14 Dan Carpenter
2021-08-25 11:54 ` Gao Xiang
From: Dan Carpenter @ 2021-08-25 7:14 UTC (permalink / raw)
To: kbuild, Gao Xiang
Cc: lkp, kbuild-all, Linux Memory Management List, Liu Bo, Chao Yu,
Chao Yu
tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head: 372b2891c15acbf7b90d948b08ac174bde77102c
commit: c5aa903a59db274554718cddfda9039913409ec9 [8625/10077] erofs: support reading chunk-based uncompressed files
config: openrisc-randconfig-m031-20210824 (attached as .config)
compiler: or1k-linux-gcc (GCC) 11.2.0
If you fix the issue, kindly add the following tags as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
New smatch warnings:
fs/erofs/inode.c:210 erofs_read_inode() error: double free of 'copied'
vim +/copied +210 fs/erofs/inode.c
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 16 static struct page *erofs_read_inode(struct inode *inode,
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 17 unsigned int *ofs)
431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 18 {
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 19 struct super_block *sb = inode->i_sb;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 20 struct erofs_sb_info *sbi = EROFS_SB(sb);
a5876e24f13f134 fs/erofs/inode.c Gao Xiang 2019-09-04 21 struct erofs_inode *vi = EROFS_I(inode);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 22 const erofs_off_t inode_loc = iloc(sbi, vi->nid);
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 23
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 24 erofs_blk_t blkaddr, nblks = 0;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 25 struct page *page;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 26 struct erofs_inode_compact *dic;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 27 struct erofs_inode_extended *die, *copied = NULL;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 28 unsigned int ifmt;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 29 int err;
431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 30
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 31 blkaddr = erofs_blknr(inode_loc);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 32 *ofs = erofs_blkoff(inode_loc);
431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 33
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 34 erofs_dbg("%s, reading inode nid %llu at %u of blkaddr %u",
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 35 __func__, vi->nid, *ofs, blkaddr);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 36
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 37 page = erofs_get_meta_page(sb, blkaddr);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 38 if (IS_ERR(page)) {
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 39 erofs_err(sb, "failed to get inode (nid: %llu) page, err %ld",
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 40 vi->nid, PTR_ERR(page));
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 41 return page;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 42 }
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 43
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 44 dic = page_address(page) + *ofs;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 45 ifmt = le16_to_cpu(dic->i_format);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 46
24a806d849c0b0c fs/erofs/inode.c Gao Xiang 2021-03-29 47 if (ifmt & ~EROFS_I_ALL) {
24a806d849c0b0c fs/erofs/inode.c Gao Xiang 2021-03-29 48 erofs_err(inode->i_sb, "unsupported i_format %u of nid %llu",
24a806d849c0b0c fs/erofs/inode.c Gao Xiang 2021-03-29 49 ifmt, vi->nid);
24a806d849c0b0c fs/erofs/inode.c Gao Xiang 2021-03-29 50 err = -EOPNOTSUPP;
24a806d849c0b0c fs/erofs/inode.c Gao Xiang 2021-03-29 51 goto err_out;
24a806d849c0b0c fs/erofs/inode.c Gao Xiang 2021-03-29 52 }
24a806d849c0b0c fs/erofs/inode.c Gao Xiang 2021-03-29 53
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 54 vi->datalayout = erofs_inode_datalayout(ifmt);
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 55 if (vi->datalayout >= EROFS_INODE_DATALAYOUT_MAX) {
4f761fa253b49f6 fs/erofs/inode.c Gao Xiang 2019-09-04 56 erofs_err(inode->i_sb, "unsupported datalayout %u of nid %llu",
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 57 vi->datalayout, vi->nid);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 58 err = -EOPNOTSUPP;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 59 goto err_out;
431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 60 }
431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 61
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 62 switch (erofs_inode_version(ifmt)) {
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 63 case EROFS_INODE_LAYOUT_EXTENDED:
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 64 vi->inode_isize = sizeof(struct erofs_inode_extended);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 65 /* check if the inode acrosses page boundary */
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 66 if (*ofs + vi->inode_isize <= PAGE_SIZE) {
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 67 *ofs += vi->inode_isize;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 68 die = (struct erofs_inode_extended *)dic;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 69 } else {
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 70 const unsigned int gotten = PAGE_SIZE - *ofs;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 71
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 72 copied = kmalloc(vi->inode_isize, GFP_NOFS);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 73 if (!copied) {
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 74 err = -ENOMEM;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 75 goto err_out;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 76 }
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 77 memcpy(copied, dic, gotten);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 78 unlock_page(page);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 79 put_page(page);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 80
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 81 page = erofs_get_meta_page(sb, blkaddr + 1);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 82 if (IS_ERR(page)) {
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 83 erofs_err(sb, "failed to get inode payload page (nid: %llu), err %ld",
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 84 vi->nid, PTR_ERR(page));
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 85 kfree(copied);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 86 return page;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 87 }
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 88 *ofs = vi->inode_isize - gotten;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 89 memcpy((u8 *)copied + gotten, page_address(page), *ofs);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 90 die = copied;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 91 }
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 92 vi->xattr_isize = erofs_xattr_ibody_size(die->i_xattr_icount);
431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 93
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 94 inode->i_mode = le16_to_cpu(die->i_mode);
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 95 switch (inode->i_mode & S_IFMT) {
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 96 case S_IFREG:
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 97 case S_IFDIR:
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 98 case S_IFLNK:
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 99 vi->raw_blkaddr = le32_to_cpu(die->i_u.raw_blkaddr);
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 100 break;
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 101 case S_IFCHR:
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 102 case S_IFBLK:
d5beb31b6b1c0a3 drivers/staging/erofs/inode.c Chao Yu 2018-07-26 103 inode->i_rdev =
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 104 new_decode_dev(le32_to_cpu(die->i_u.rdev));
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 105 break;
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 106 case S_IFIFO:
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 107 case S_IFSOCK:
d5beb31b6b1c0a3 drivers/staging/erofs/inode.c Chao Yu 2018-07-26 108 inode->i_rdev = 0;
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 109 break;
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 110 default:
a6b9b1d5eae61a6 drivers/staging/erofs/inode.c Gao Xiang 2019-08-14 111 goto bogusimode;
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 112 }
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 113 i_uid_write(inode, le32_to_cpu(die->i_uid));
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 114 i_gid_write(inode, le32_to_cpu(die->i_gid));
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 115 set_nlink(inode, le32_to_cpu(die->i_nlink));
431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 116
d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 117 /* extended inode has its own timestamp */
d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 118 inode->i_ctime.tv_sec = le64_to_cpu(die->i_ctime);
d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 119 inode->i_ctime.tv_nsec = le32_to_cpu(die->i_ctime_nsec);
431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 120
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 121 inode->i_size = le64_to_cpu(die->i_size);
fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28 122
fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28 123 /* total blocks for compressed files */
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 124 if (erofs_inode_is_data_compressed(vi->datalayout))
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 125 nblks = le32_to_cpu(die->i_u.compressed_blocks);
c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 126 else if (vi->datalayout == EROFS_INODE_CHUNK_BASED)
c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 127 /* fill chunked inode summary info */
c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 128 vi->chunkformat = le16_to_cpu(die->i_u.c.format);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 129 kfree(copied);
^^^^^^^^^^^^^^
Free
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 130 break;
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 131 case EROFS_INODE_LAYOUT_COMPACT:
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 132 vi->inode_isize = sizeof(struct erofs_inode_compact);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 133 *ofs += vi->inode_isize;
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 134 vi->xattr_isize = erofs_xattr_ibody_size(dic->i_xattr_icount);
431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 135
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 136 inode->i_mode = le16_to_cpu(dic->i_mode);
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 137 switch (inode->i_mode & S_IFMT) {
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 138 case S_IFREG:
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 139 case S_IFDIR:
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 140 case S_IFLNK:
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 141 vi->raw_blkaddr = le32_to_cpu(dic->i_u.raw_blkaddr);
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 142 break;
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 143 case S_IFCHR:
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 144 case S_IFBLK:
d5beb31b6b1c0a3 drivers/staging/erofs/inode.c Chao Yu 2018-07-26 145 inode->i_rdev =
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 146 new_decode_dev(le32_to_cpu(dic->i_u.rdev));
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 147 break;
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 148 case S_IFIFO:
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 149 case S_IFSOCK:
d5beb31b6b1c0a3 drivers/staging/erofs/inode.c Chao Yu 2018-07-26 150 inode->i_rdev = 0;
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 151 break;
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 152 default:
a6b9b1d5eae61a6 drivers/staging/erofs/inode.c Gao Xiang 2019-08-14 153 goto bogusimode;
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 154 }
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 155 i_uid_write(inode, le16_to_cpu(dic->i_uid));
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 156 i_gid_write(inode, le16_to_cpu(dic->i_gid));
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 157 set_nlink(inode, le16_to_cpu(dic->i_nlink));
431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 158
d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 159 /* use build time for compact inodes */
d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 160 inode->i_ctime.tv_sec = sbi->build_time;
d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 161 inode->i_ctime.tv_nsec = sbi->build_time_nsec;
431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 162
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 163 inode->i_size = le32_to_cpu(dic->i_size);
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 164 if (erofs_inode_is_data_compressed(vi->datalayout))
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 165 nblks = le32_to_cpu(dic->i_u.compressed_blocks);
c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 166 else if (vi->datalayout == EROFS_INODE_CHUNK_BASED)
c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 167 vi->chunkformat = le16_to_cpu(dic->i_u.c.format);
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 168 break;
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 169 default:
4f761fa253b49f6 fs/erofs/inode.c Gao Xiang 2019-09-04 170 erofs_err(inode->i_sb,
4f761fa253b49f6 fs/erofs/inode.c Gao Xiang 2019-09-04 171 "unsupported on-disk inode version %u of nid %llu",
8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 172 erofs_inode_version(ifmt), vi->nid);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 173 err = -EOPNOTSUPP;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 174 goto err_out;
431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 175 }
431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 176
c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 177 if (vi->datalayout == EROFS_INODE_CHUNK_BASED) {
c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 178 if (!(vi->chunkformat & EROFS_CHUNK_FORMAT_ALL)) {
c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 179 erofs_err(inode->i_sb,
c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 180 "unsupported chunk format %x of nid %llu",
c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 181 vi->chunkformat, vi->nid);
c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 182 err = -EOPNOTSUPP;
c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 183 goto err_out;
c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 184 }
c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 185 vi->chunkbits = LOG_BLOCK_SIZE +
c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 186 (vi->chunkformat & EROFS_CHUNK_FORMAT_BLKBITS_MASK);
c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 187 }
d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 188 inode->i_mtime.tv_sec = inode->i_ctime.tv_sec;
d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 189 inode->i_atime.tv_sec = inode->i_ctime.tv_sec;
d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 190 inode->i_mtime.tv_nsec = inode->i_ctime.tv_nsec;
d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 191 inode->i_atime.tv_nsec = inode->i_ctime.tv_nsec;
d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 192
06252e9ce05b94b fs/erofs/inode.c Gao Xiang 2021-08-05 193 inode->i_flags &= ~S_DAX;
06252e9ce05b94b fs/erofs/inode.c Gao Xiang 2021-08-05 194 if (test_opt(&sbi->ctx, DAX_ALWAYS) && S_ISREG(inode->i_mode) &&
06252e9ce05b94b fs/erofs/inode.c Gao Xiang 2021-08-05 195 vi->datalayout == EROFS_INODE_FLAT_PLAIN)
06252e9ce05b94b fs/erofs/inode.c Gao Xiang 2021-08-05 196 inode->i_flags |= S_DAX;
fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28 197 if (!nblks)
fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28 198 /* measure inode.i_blocks as generic filesystems */
fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28 199 inode->i_blocks = roundup(inode->i_size, EROFS_BLKSIZ) >> 9;
fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28 200 else
fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28 201 inode->i_blocks = nblks << LOG_SECTORS_PER_BLOCK;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 202 return page;
a6b9b1d5eae61a6 drivers/staging/erofs/inode.c Gao Xiang 2019-08-14 203
a6b9b1d5eae61a6 drivers/staging/erofs/inode.c Gao Xiang 2019-08-14 204 bogusimode:
4f761fa253b49f6 fs/erofs/inode.c Gao Xiang 2019-09-04 205 erofs_err(inode->i_sb, "bogus i_mode (%o) @ nid %llu",
4f761fa253b49f6 fs/erofs/inode.c Gao Xiang 2019-09-04 206 inode->i_mode, vi->nid);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 207 err = -EFSCORRUPTED;
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 208 err_out:
a6b9b1d5eae61a6 drivers/staging/erofs/inode.c Gao Xiang 2019-08-14 209 DBG_BUGON(1);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 @210 kfree(copied);
^^^^^^^^^^^^^
Double free.
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 211 unlock_page(page);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 212 put_page(page);
0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 213 return ERR_PTR(err);
431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 214 }
431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 215
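Review bot: The chunk-format validation at line 178, `if (!(vi->chunkformat & EROFS_CHUNK_FORMAT_ALL))`, looks inverted compared with the `ifmt & ~EROFS_I_ALL` test at line 47. As written it rejects only a value with none of the known bits set, and it accepts a value that carries unknown bits alongside known ones. Assuming EROFS_CHUNK_FORMAT_ALL is the mask of supported bits (its definition is not shown on this page), the test should be `if (vi->chunkformat & ~EROFS_CHUNK_FORMAT_ALL)`. That matters because `chunkformat` is read straight from the on-disk inode and `chunkbits` is derived from it at lines 185-186, so a crafted or corrupted image should be refused before that point. This is separate from the smatch finding reported above.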
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
* Re: [linux-next:master 8625/10077] fs/erofs/inode.c:210 erofs_read_inode() error: double free of 'copied'
2021-08-25 7:14 [linux-next:master 8625/10077] fs/erofs/inode.c:210 erofs_read_inode() error: double free of 'copied' Dan Carpenter
@ 2021-08-25 11:54 ` Gao Xiang
From: Gao Xiang @ 2021-08-25 11:54 UTC (permalink / raw)
To: Dan Carpenter
Cc: kbuild, lkp, kbuild-all, Linux Memory Management List, Liu Bo,
Chao Yu, Chao Yu
Hi Dan,
On Wed, Aug 25, 2021 at 10:14:27AM +0300, Dan Carpenter wrote:
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
> head: 372b2891c15acbf7b90d948b08ac174bde77102c
> commit: c5aa903a59db274554718cddfda9039913409ec9 [8625/10077] erofs: support reading chunk-based uncompressed files
> config: openrisc-randconfig-m031-20210824 (attached as .config)
> compiler: or1k-linux-gcc (GCC) 11.2.0
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@intel.com>
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> New smatch warnings:
> fs/erofs/inode.c:210 erofs_read_inode() error: double free of 'copied'
>
> vim +/copied +210 fs/erofs/inode.c
>
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 16 static struct page *erofs_read_inode(struct inode *inode,
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 17 unsigned int *ofs)
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 18 {
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 19 struct super_block *sb = inode->i_sb;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 20 struct erofs_sb_info *sbi = EROFS_SB(sb);
> a5876e24f13f134 fs/erofs/inode.c Gao Xiang 2019-09-04 21 struct erofs_inode *vi = EROFS_I(inode);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 22 const erofs_off_t inode_loc = iloc(sbi, vi->nid);
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 23
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 24 erofs_blk_t blkaddr, nblks = 0;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 25 struct page *page;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 26 struct erofs_inode_compact *dic;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 27 struct erofs_inode_extended *die, *copied = NULL;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 28 unsigned int ifmt;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 29 int err;
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 30
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 31 blkaddr = erofs_blknr(inode_loc);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 32 *ofs = erofs_blkoff(inode_loc);
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 33
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 34 erofs_dbg("%s, reading inode nid %llu at %u of blkaddr %u",
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 35 __func__, vi->nid, *ofs, blkaddr);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 36
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 37 page = erofs_get_meta_page(sb, blkaddr);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 38 if (IS_ERR(page)) {
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 39 erofs_err(sb, "failed to get inode (nid: %llu) page, err %ld",
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 40 vi->nid, PTR_ERR(page));
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 41 return page;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 42 }
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 43
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 44 dic = page_address(page) + *ofs;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 45 ifmt = le16_to_cpu(dic->i_format);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 46
> 24a806d849c0b0c fs/erofs/inode.c Gao Xiang 2021-03-29 47 if (ifmt & ~EROFS_I_ALL) {
> 24a806d849c0b0c fs/erofs/inode.c Gao Xiang 2021-03-29 48 erofs_err(inode->i_sb, "unsupported i_format %u of nid %llu",
> 24a806d849c0b0c fs/erofs/inode.c Gao Xiang 2021-03-29 49 ifmt, vi->nid);
> 24a806d849c0b0c fs/erofs/inode.c Gao Xiang 2021-03-29 50 err = -EOPNOTSUPP;
> 24a806d849c0b0c fs/erofs/inode.c Gao Xiang 2021-03-29 51 goto err_out;
> 24a806d849c0b0c fs/erofs/inode.c Gao Xiang 2021-03-29 52 }
> 24a806d849c0b0c fs/erofs/inode.c Gao Xiang 2021-03-29 53
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 54 vi->datalayout = erofs_inode_datalayout(ifmt);
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 55 if (vi->datalayout >= EROFS_INODE_DATALAYOUT_MAX) {
> 4f761fa253b49f6 fs/erofs/inode.c Gao Xiang 2019-09-04 56 erofs_err(inode->i_sb, "unsupported datalayout %u of nid %llu",
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 57 vi->datalayout, vi->nid);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 58 err = -EOPNOTSUPP;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 59 goto err_out;
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 60 }
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 61
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 62 switch (erofs_inode_version(ifmt)) {
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 63 case EROFS_INODE_LAYOUT_EXTENDED:
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 64 vi->inode_isize = sizeof(struct erofs_inode_extended);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 65 /* check if the inode acrosses page boundary */
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 66 if (*ofs + vi->inode_isize <= PAGE_SIZE) {
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 67 *ofs += vi->inode_isize;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 68 die = (struct erofs_inode_extended *)dic;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 69 } else {
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 70 const unsigned int gotten = PAGE_SIZE - *ofs;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 71
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 72 copied = kmalloc(vi->inode_isize, GFP_NOFS);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 73 if (!copied) {
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 74 err = -ENOMEM;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 75 goto err_out;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 76 }
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 77 memcpy(copied, dic, gotten);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 78 unlock_page(page);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 79 put_page(page);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 80
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 81 page = erofs_get_meta_page(sb, blkaddr + 1);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 82 if (IS_ERR(page)) {
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 83 erofs_err(sb, "failed to get inode payload page (nid: %llu), err %ld",
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 84 vi->nid, PTR_ERR(page));
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 85 kfree(copied);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 86 return page;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 87 }
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 88 *ofs = vi->inode_isize - gotten;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 89 memcpy((u8 *)copied + gotten, page_address(page), *ofs);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 90 die = copied;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 91 }
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 92 vi->xattr_isize = erofs_xattr_ibody_size(die->i_xattr_icount);
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 93
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 94 inode->i_mode = le16_to_cpu(die->i_mode);
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 95 switch (inode->i_mode & S_IFMT) {
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 96 case S_IFREG:
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 97 case S_IFDIR:
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 98 case S_IFLNK:
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 99 vi->raw_blkaddr = le32_to_cpu(die->i_u.raw_blkaddr);
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 100 break;
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 101 case S_IFCHR:
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 102 case S_IFBLK:
> d5beb31b6b1c0a3 drivers/staging/erofs/inode.c Chao Yu 2018-07-26 103 inode->i_rdev =
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 104 new_decode_dev(le32_to_cpu(die->i_u.rdev));
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 105 break;
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 106 case S_IFIFO:
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 107 case S_IFSOCK:
> d5beb31b6b1c0a3 drivers/staging/erofs/inode.c Chao Yu 2018-07-26 108 inode->i_rdev = 0;
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 109 break;
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 110 default:
> a6b9b1d5eae61a6 drivers/staging/erofs/inode.c Gao Xiang 2019-08-14 111 goto bogusimode;
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 112 }
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 113 i_uid_write(inode, le32_to_cpu(die->i_uid));
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 114 i_gid_write(inode, le32_to_cpu(die->i_gid));
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 115 set_nlink(inode, le32_to_cpu(die->i_nlink));
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 116
> d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 117 /* extended inode has its own timestamp */
> d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 118 inode->i_ctime.tv_sec = le64_to_cpu(die->i_ctime);
> d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 119 inode->i_ctime.tv_nsec = le32_to_cpu(die->i_ctime_nsec);
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 120
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 121 inode->i_size = le64_to_cpu(die->i_size);
> fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28 122
> fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28 123 /* total blocks for compressed files */
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 124 if (erofs_inode_is_data_compressed(vi->datalayout))
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 125 nblks = le32_to_cpu(die->i_u.compressed_blocks);
> c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 126 else if (vi->datalayout == EROFS_INODE_CHUNK_BASED)
> c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 127 /* fill chunked inode summary info */
> c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 128 vi->chunkformat = le16_to_cpu(die->i_u.c.format);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 129 kfree(copied);
> ^^^^^^^^^^^^^^
> Free
Yeah, thanks for pointing this out. Due to the new chunk-based format,
line 183 (goto err_out) will touch the already-freed `copied' again.
I think it can be fixed by setting copied = NULL; here.
Many thanks for reporting!
Thanks,
Gao Xiang
>
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 130 break;
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 131 case EROFS_INODE_LAYOUT_COMPACT:
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 132 vi->inode_isize = sizeof(struct erofs_inode_compact);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 133 *ofs += vi->inode_isize;
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 134 vi->xattr_isize = erofs_xattr_ibody_size(dic->i_xattr_icount);
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 135
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 136 inode->i_mode = le16_to_cpu(dic->i_mode);
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 137 switch (inode->i_mode & S_IFMT) {
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 138 case S_IFREG:
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 139 case S_IFDIR:
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 140 case S_IFLNK:
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 141 vi->raw_blkaddr = le32_to_cpu(dic->i_u.raw_blkaddr);
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 142 break;
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 143 case S_IFCHR:
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 144 case S_IFBLK:
> d5beb31b6b1c0a3 drivers/staging/erofs/inode.c Chao Yu 2018-07-26 145 inode->i_rdev =
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 146 new_decode_dev(le32_to_cpu(dic->i_u.rdev));
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 147 break;
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 148 case S_IFIFO:
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 149 case S_IFSOCK:
> d5beb31b6b1c0a3 drivers/staging/erofs/inode.c Chao Yu 2018-07-26 150 inode->i_rdev = 0;
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 151 break;
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 152 default:
> a6b9b1d5eae61a6 drivers/staging/erofs/inode.c Gao Xiang 2019-08-14 153 goto bogusimode;
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 154 }
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 155 i_uid_write(inode, le16_to_cpu(dic->i_uid));
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 156 i_gid_write(inode, le16_to_cpu(dic->i_gid));
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 157 set_nlink(inode, le16_to_cpu(dic->i_nlink));
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 158
> d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 159 /* use build time for compact inodes */
> d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 160 inode->i_ctime.tv_sec = sbi->build_time;
> d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 161 inode->i_ctime.tv_nsec = sbi->build_time_nsec;
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 162
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 163 inode->i_size = le32_to_cpu(dic->i_size);
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 164 if (erofs_inode_is_data_compressed(vi->datalayout))
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 165 nblks = le32_to_cpu(dic->i_u.compressed_blocks);
> c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 166 else if (vi->datalayout == EROFS_INODE_CHUNK_BASED)
> c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 167 vi->chunkformat = le16_to_cpu(dic->i_u.c.format);
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 168 break;
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 169 default:
> 4f761fa253b49f6 fs/erofs/inode.c Gao Xiang 2019-09-04 170 erofs_err(inode->i_sb,
> 4f761fa253b49f6 fs/erofs/inode.c Gao Xiang 2019-09-04 171 "unsupported on-disk inode version %u of nid %llu",
> 8a76568225deae1 fs/erofs/inode.c Gao Xiang 2019-09-04 172 erofs_inode_version(ifmt), vi->nid);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 173 err = -EOPNOTSUPP;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 174 goto err_out;
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 175 }
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 176
> c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 177 if (vi->datalayout == EROFS_INODE_CHUNK_BASED) {
> c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 178 if (!(vi->chunkformat & EROFS_CHUNK_FORMAT_ALL)) {
> c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 179 erofs_err(inode->i_sb,
> c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 180 "unsupported chunk format %x of nid %llu",
> c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 181 vi->chunkformat, vi->nid);
> c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 182 err = -EOPNOTSUPP;
> c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 183 goto err_out;
> c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 184 }
> c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 185 vi->chunkbits = LOG_BLOCK_SIZE +
> c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 186 (vi->chunkformat & EROFS_CHUNK_FORMAT_BLKBITS_MASK);
> c5aa903a59db274 fs/erofs/inode.c Gao Xiang 2021-08-20 187 }
> d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 188 inode->i_mtime.tv_sec = inode->i_ctime.tv_sec;
> d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 189 inode->i_atime.tv_sec = inode->i_ctime.tv_sec;
> d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 190 inode->i_mtime.tv_nsec = inode->i_ctime.tv_nsec;
> d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 191 inode->i_atime.tv_nsec = inode->i_ctime.tv_nsec;
> d3938ee23e97bfc fs/erofs/inode.c Gao Xiang 2020-11-01 192
> 06252e9ce05b94b fs/erofs/inode.c Gao Xiang 2021-08-05 193 inode->i_flags &= ~S_DAX;
> 06252e9ce05b94b fs/erofs/inode.c Gao Xiang 2021-08-05 194 if (test_opt(&sbi->ctx, DAX_ALWAYS) && S_ISREG(inode->i_mode) &&
> 06252e9ce05b94b fs/erofs/inode.c Gao Xiang 2021-08-05 195 vi->datalayout == EROFS_INODE_FLAT_PLAIN)
> 06252e9ce05b94b fs/erofs/inode.c Gao Xiang 2021-08-05 196 inode->i_flags |= S_DAX;
> fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28 197 if (!nblks)
> fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28 198 /* measure inode.i_blocks as generic filesystems */
> fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28 199 inode->i_blocks = roundup(inode->i_size, EROFS_BLKSIZ) >> 9;
> fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28 200 else
> fe6d98750cf0459 drivers/staging/erofs/inode.c Gao Xiang 2019-05-28 201 inode->i_blocks = nblks << LOG_SECTORS_PER_BLOCK;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 202 return page;
> a6b9b1d5eae61a6 drivers/staging/erofs/inode.c Gao Xiang 2019-08-14 203
> a6b9b1d5eae61a6 drivers/staging/erofs/inode.c Gao Xiang 2019-08-14 204 bogusimode:
> 4f761fa253b49f6 fs/erofs/inode.c Gao Xiang 2019-09-04 205 erofs_err(inode->i_sb, "bogus i_mode (%o) @ nid %llu",
> 4f761fa253b49f6 fs/erofs/inode.c Gao Xiang 2019-09-04 206 inode->i_mode, vi->nid);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 207 err = -EFSCORRUPTED;
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 208 err_out:
> a6b9b1d5eae61a6 drivers/staging/erofs/inode.c Gao Xiang 2019-08-14 209 DBG_BUGON(1);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 @210 kfree(copied);
> ^^^^^^^^^^^^^
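> Double free. The "goto err_out" in the chunk-format check (line 183, added by c5aa903a59db274) runs after the inode-version switch, so this kfree() presumably sees a 'copied' pointer that an earlier path (not shown in this excerpt) already freed without resetting it to NULL.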
>
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 211 unlock_page(page);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 212 put_page(page);
> 0dcd3c94e02438f fs/erofs/inode.c Gao Xiang 2020-07-30 213 return ERR_PTR(err);
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 214 }
> 431339ba90423a0 drivers/staging/erofs/inode.c Gao Xiang 2018-07-26 215
>
> ---
> 0-DAY CI Kernel Test Service, Intel Corporation
> https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org