From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755269AbcCBQTg (ORCPT ); Wed, 2 Mar 2016 11:19:36 -0500
Received: from mail-wm0-f50.google.com ([74.125.82.50]:33679 "EHLO mail-wm0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752046AbcCBQTe (ORCPT ); Wed, 2 Mar 2016 11:19:34 -0500
From: Nikolay Borisov
To: jack@suse.com
Cc: linux-kernel@vger.kernel.org
Subject: [RFC PATCH] quota: Fix possible GFP due to uninitialised pointers
Date: Wed, 2 Mar 2016 18:19:29 +0200
Message-Id: <1456935569-20053-1-git-send-email-kernel@kyup.com>
X-Mailer: git-send-email 1.7.1
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

While debugging some issues with quota I realized that it's possible to pass an array with bogus dquot pointers from __dquot_initialize to dqput. This can happen if the initialisation of the dquot objects for an inode fails and the control flow is transferred to the out_put label. In case only the USR or GRP quota are initialised then the PRJ pointer in the "got" array would remain uninitialised. This will cause the NULL ptr check in dqput to pass but actually the pointer is going to be invalid. Eventually this would cause a GFP.

To fix this just zero out the got array.

Signed-off-by: Nikolay Borisov
---
fs/quota/dquot.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c index ef0d64b2a6d9..a0ab58fd85ae 100644 --- a/fs/quota/dquot.c +++ b/fs/quota/dquot.c @@ -1408,6 +1408,8 @@ static int __dquot_initialize(struct inode *inode, int type) dquots = i_dquot(inode); + memset(got, 0, 3 * sizeof(struct dquot *)); + /* First get references to structures we might need. */ for (cnt = 0; cnt < MAXQUOTAS; cnt++) { struct kqid qid; -- 2.5.0
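Review bot: the added memset hard-codes the array length as `3 * sizeof(struct dquot *)` while the loop immediately below it iterates `cnt < MAXQUOTAS`; if MAXQUOTAS ever changes, the zeroing size silently drifts from the array size and the same uninitialised-pointer hazard the patch is fixing returns for the extra slots. Prefer `memset(got, 0, sizeof(got));` (got is a local array, so sizeof gives the whole array), or better, zero it at the declaration with `struct dquot *got[MAXQUOTAS] = {};` so there is no separate statement to keep in sync with the loop bound. Minor: the subject and body say "GFP" where the described crash (dereferencing a garbage pointer in dqput) is a general protection fault, usually abbreviated GPF; worth correcting before the non-RFC resend.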