Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Merge tag 'v6.5/vfs.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs

Pull vfs fix from Christian Brauner:
"A fix for the backing file work from this cycle.

When init_file() failed it would call file_free_rcu() on the file
allocated by the caller of init_file(). It naively assumed that the
correct cleanup operation would be called depending on whether it is a
regular file or a backing file. However, that presupposes that the
FMODE_BACKING flag would already be set which it won't be as that is
done in the caller of init_file().

Fix that bug by moving the cleanup of the allocated file into the
caller where it belongs in the first place. There's no good reason for
init_file() to consume resources it didn't allocate. This is a
mainline only fix and was reported by syzbot. The fix was validated by
syzbot against the provided reproducer"

* tag 'v6.5/vfs.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
fs: move cleanup from init_file() into its callers

+10 -4
fs/file_table.c
··· 160 160 f->f_cred = get_cred(cred); 161 161 error = security_file_alloc(f); 162 162 if (unlikely(error)) { 163 - file_free_rcu(&f->f_rcuhead); 163 + put_cred(f->f_cred); 164 164 return error; 165 165 } 166 166 ··· 208 208 return ERR_PTR(-ENOMEM); 209 209 210 210 error = init_file(f, flags, cred); 211 - if (unlikely(error)) 211 + if (unlikely(error)) { 212 + kmem_cache_free(filp_cachep, f); 212 213 return ERR_PTR(error); 214 + } 213 215 214 216 percpu_counter_inc(&nr_files); 215 217 ··· 242 240 return ERR_PTR(-ENOMEM); 243 241 244 242 error = init_file(f, flags, cred); 245 - if (unlikely(error)) 243 + if (unlikely(error)) { 244 + kmem_cache_free(filp_cachep, f); 246 245 return ERR_PTR(error); 246 + } 247 247 248 248 f->f_mode |= FMODE_NOACCOUNT; 249 249 ··· 269 265 return ERR_PTR(-ENOMEM); 270 266 271 267 error = init_file(&ff->file, flags, cred); 272 - if (unlikely(error)) 268 + if (unlikely(error)) { 269 + kfree(ff); 273 270 return ERR_PTR(error); 271 + } 274 272 275 273 ff->file.f_mode |= FMODE_BACKING | FMODE_NOACCOUNT; 276 274 return &ff->file;
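Review bot: In the first hunk (the security_file_alloc() failure path in init_file()), put_cred(f->f_cred) drops the reference but leaves f->f_cred pointing at the cred, and the function returns with f still allocated. That is safe only while every caller frees f straight away without touching f_cred, as the three callers in this patch do. Consider clearing f->f_cred after put_cred(), or adding a comment above init_file() saying that on error the caller still owns f and must free it, so a later caller neither leaks the file nor reuses the stale pointer.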
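Review bot: In the second and third hunks, the new error branch calls kmem_cache_free(filp_cachep, f) with no comment on why a bare free is enough. From the visible context it is: init_file() fails before percpu_counter_inc(&nr_files) in one caller and before f->f_mode is touched in the other, so there is no accounting to undo and f has not been handed to anyone. A short comment to that effect at each site would help, and since the two branches are identical a small static helper would keep them from drifting apart.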
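Review bot: In the last hunk, kfree(ff) frees the containing object while init_file() was given &ff->file, and the allocation of ff is outside the visible context, so the pairing of allocator and kfree() cannot be checked from this hunk alone. Because FMODE_BACKING is ORed into ff->file.f_mode only after init_file() succeeds, nothing on the error path can use that flag to pick between kfree() and kmem_cache_free(); this call site is the only place that knows the right free. A comment saying that ff is freed directly here because the flag is not yet set would document the invariant the commit message describes.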