releases/5.9.5/ubifs-xattr-fix-some-potential-memory-leaks-while-iterating-entries.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From f2aae745b82c842221f4f233051f9ac641790959 Mon Sep 17 00:00:00 2001
 From: Zhihao Cheng <chengzhihao1@huawei.com>
 Date: Mon, 1 Jun 2020 17:10:36 +0800
 Subject: ubifs: xattr: Fix some potential memory leaks while iterating entries

 From: Zhihao Cheng <chengzhihao1@huawei.com>

 commit f2aae745b82c842221f4f233051f9ac641790959 upstream.

 Fix some potential memory leaks in error handling branches while
 iterating xattr entries. For example, function ubifs_tnc_remove_ino()
 forgets to free pxent if it exists. Similar problems also exist in
 ubifs_purge_xattrs(), ubifs_add_orphan() and ubifs_jnl_write_inode().

 Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
 Cc: <stable@vger.kernel.org>
 Fixes: 1e51764a3c2ac05a2 ("UBIFS: add new flash file system")
 Signed-off-by: Richard Weinberger <richard@nod.at>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  fs/ubifs/journal.c |    2 ++
  fs/ubifs/orphan.c  |    2 ++
  fs/ubifs/tnc.c     |    3 +++
  fs/ubifs/xattr.c   |    2 ++
  4 files changed, 9 insertions(+)

 --- a/fs/ubifs/journal.c
 +++ b/fs/ubifs/journal.c
 @@ -894,6 +894,7 @@ int ubifs_jnl_write_inode(struct ubifs_i
  				if (err == -ENOENT)
  					break;

 +				kfree(pxent);
  				goto out_release;
  			}

 @@ -906,6 +907,7 @@ int ubifs_jnl_write_inode(struct ubifs_i
  				ubifs_err(c, "dead directory entry '%s', error %d",
  					  xent->name, err);
  				ubifs_ro_mode(c, err);
 +				kfree(pxent);
  				kfree(xent);
  				goto out_release;
  			}
 --- a/fs/ubifs/orphan.c
 +++ b/fs/ubifs/orphan.c
 @@ -173,6 +173,7 @@ int ubifs_add_orphan(struct ubifs_info *
  			err = PTR_ERR(xent);
  			if (err == -ENOENT)
  				break;
 +			kfree(pxent);
  			return err;
  		}

 @@ -182,6 +183,7 @@ int ubifs_add_orphan(struct ubifs_info *

  		xattr_orphan = orphan_add(c, xattr_inum, orphan);
  		if (IS_ERR(xattr_orphan)) {
 +			kfree(pxent);
  			kfree(xent);
  			return PTR_ERR(xattr_orphan);
  		}
 --- a/fs/ubifs/tnc.c
 +++ b/fs/ubifs/tnc.c
 @@ -2885,6 +2885,7 @@ int ubifs_tnc_remove_ino(struct ubifs_in
  			err = PTR_ERR(xent);
  			if (err == -ENOENT)
  				break;
 +			kfree(pxent);
  			return err;
  		}

 @@ -2898,6 +2899,7 @@ int ubifs_tnc_remove_ino(struct ubifs_in
  		fname_len(&nm) = le16_to_cpu(xent->nlen);
  		err = ubifs_tnc_remove_nm(c, &key1, &nm);
  		if (err) {
 +			kfree(pxent);
  			kfree(xent);
  			return err;
  		}
 @@ -2906,6 +2908,7 @@ int ubifs_tnc_remove_ino(struct ubifs_in
  		highest_ino_key(c, &key2, xattr_inum);
  		err = ubifs_tnc_remove_range(c, &key1, &key2);
  		if (err) {
 +			kfree(pxent);
  			kfree(xent);
  			return err;
  		}
 --- a/fs/ubifs/xattr.c
 +++ b/fs/ubifs/xattr.c
 @@ -522,6 +522,7 @@ int ubifs_purge_xattrs(struct inode *hos
  				  xent->name, err);
  			ubifs_ro_mode(c, err);
  			kfree(pxent);
 +			kfree(xent);
  			return err;
  		}

 @@ -531,6 +532,7 @@ int ubifs_purge_xattrs(struct inode *hos
  		err = remove_xattr(c, host, xino, &nm);
  		if (err) {
  			kfree(pxent);
 +			kfree(xent);
  			iput(xino);
  			ubifs_err(c, "cannot remove xattr, error %d", err);
  			return err;
	From f2aae745b82c842221f4f233051f9ac641790959 Mon Sep 17 00:00:00 2001
	From: Zhihao Cheng <chengzhihao1@huawei.com>
	Date: Mon, 1 Jun 2020 17:10:36 +0800
	Subject: ubifs: xattr: Fix some potential memory leaks while iterating entries

	From: Zhihao Cheng <chengzhihao1@huawei.com>

	commit f2aae745b82c842221f4f233051f9ac641790959 upstream.

	Fix some potential memory leaks in error handling branches while
	iterating xattr entries. For example, function ubifs_tnc_remove_ino()
	forgets to free pxent if it exists. Similar problems also exist in
	ubifs_purge_xattrs(), ubifs_add_orphan() and ubifs_jnl_write_inode().

	Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
	Cc: <stable@vger.kernel.org>
	Fixes: 1e51764a3c2ac05a2 ("UBIFS: add new flash file system")
	Signed-off-by: Richard Weinberger <richard@nod.at>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	fs/ubifs/journal.c \| 2 ++
	fs/ubifs/orphan.c \| 2 ++
	fs/ubifs/tnc.c \| 3 +++
	fs/ubifs/xattr.c \| 2 ++
	4 files changed, 9 insertions(+)

	--- a/fs/ubifs/journal.c
	+++ b/fs/ubifs/journal.c
	@@ -894,6 +894,7 @@ int ubifs_jnl_write_inode(struct ubifs_i
	if (err == -ENOENT)
	break;

	+ kfree(pxent);
	goto out_release;
	}

	@@ -906,6 +907,7 @@ int ubifs_jnl_write_inode(struct ubifs_i
	ubifs_err(c, "dead directory entry '%s', error %d",
	xent->name, err);
	ubifs_ro_mode(c, err);
	+ kfree(pxent);
	kfree(xent);
	goto out_release;
	}
	--- a/fs/ubifs/orphan.c
	+++ b/fs/ubifs/orphan.c
	@@ -173,6 +173,7 @@ int ubifs_add_orphan(struct ubifs_info *
	err = PTR_ERR(xent);
	if (err == -ENOENT)
	break;
	+ kfree(pxent);
	return err;
	}

	@@ -182,6 +183,7 @@ int ubifs_add_orphan(struct ubifs_info *

	xattr_orphan = orphan_add(c, xattr_inum, orphan);
	if (IS_ERR(xattr_orphan)) {
	+ kfree(pxent);
	kfree(xent);
	return PTR_ERR(xattr_orphan);
	}
	--- a/fs/ubifs/tnc.c
	+++ b/fs/ubifs/tnc.c
	@@ -2885,6 +2885,7 @@ int ubifs_tnc_remove_ino(struct ubifs_in
	err = PTR_ERR(xent);
	if (err == -ENOENT)
	break;
	+ kfree(pxent);
	return err;
	}

	@@ -2898,6 +2899,7 @@ int ubifs_tnc_remove_ino(struct ubifs_in
	fname_len(&nm) = le16_to_cpu(xent->nlen);
	err = ubifs_tnc_remove_nm(c, &key1, &nm);
	if (err) {
	+ kfree(pxent);
	kfree(xent);
	return err;
	}
	@@ -2906,6 +2908,7 @@ int ubifs_tnc_remove_ino(struct ubifs_in
	highest_ino_key(c, &key2, xattr_inum);
	err = ubifs_tnc_remove_range(c, &key1, &key2);
	if (err) {
	+ kfree(pxent);
	kfree(xent);
	return err;
	}
	--- a/fs/ubifs/xattr.c
	+++ b/fs/ubifs/xattr.c
	@@ -522,6 +522,7 @@ int ubifs_purge_xattrs(struct inode *hos
	xent->name, err);
	ubifs_ro_mode(c, err);
	kfree(pxent);
	+ kfree(xent);
	return err;
	}

	@@ -531,6 +532,7 @@ int ubifs_purge_xattrs(struct inode *hos
	err = remove_xattr(c, host, xino, &nm);
	if (err) {
	kfree(pxent);
	+ kfree(xent);
	iput(xino);
	ubifs_err(c, "cannot remove xattr, error %d", err);
	return err;