Unverified Commit 25bf6ba3 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!5479 jfs: fix cve-2023-52600 

Merge Pull Request from: @ci-robot 
 
PR sync from: Long Li <leo.lilong@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/VSS7WIQEECRX32K4XAM6H3XCNOMCCCNC/ 
This patch set fix cve-2023-52600

Dongliang Mu (1):
  JFS: fix memleak in jfs_mount

Edward Adam Davis (1):
  jfs: fix uaf in jfs_evict_inode


-- 
2.31.1
 
https://gitee.com/src-openeuler/kernel/issues/I96G7N 
 
Link:https://gitee.com/openeuler/kernel/pulls/5479

 

Reviewed-by: default avatarLiu YongQiang <liuyongqiang13@huawei.com>
Signed-off-by: default avatarZhang Changzhong <zhangchangzhong@huawei.com>
parents b85dd9b2 68ed9177

fs/jfs/jfs_mount.c

+25 −32
Original line number Diff line number Diff line
@@ -92,14 +92,14 @@ int jfs_mount(struct super_block *sb) 
	 * (initialize mount inode from the superblock)

	 */

	if ((rc = chkSuper(sb))) {

		goto errout20;

		goto out;

	}



	ipaimap = diReadSpecial(sb, AGGREGATE_I, 0);

	if (ipaimap == NULL) {

		jfs_err("jfs_mount: Failed to read AGGREGATE_I");

		rc = -EIO;

		goto errout20;

		goto out;

	}

	sbi->ipaimap = ipaimap;
@@ -110,7 +110,7 @@ int jfs_mount(struct super_block *sb) 
	 */

	if ((rc = diMount(ipaimap))) {

		jfs_err("jfs_mount: diMount(ipaimap) failed w/rc = %d", rc);

		goto errout21;

		goto err_ipaimap;

	}



	/*
@@ -119,7 +119,7 @@ int jfs_mount(struct super_block *sb) 
	ipbmap = diReadSpecial(sb, BMAP_I, 0);

	if (ipbmap == NULL) {

		rc = -EIO;

		goto errout22;

		goto err_umount_ipaimap;

	}



	jfs_info("jfs_mount: ipbmap:0x%p", ipbmap);
@@ -131,7 +131,7 @@ int jfs_mount(struct super_block *sb) 
	 */

	if ((rc = dbMount(ipbmap))) {

		jfs_err("jfs_mount: dbMount failed w/rc = %d", rc);

		goto errout22;

		goto err_ipbmap;

	}



	/*
@@ -150,7 +150,7 @@ int jfs_mount(struct super_block *sb) 
		if (!ipaimap2) {

			jfs_err("jfs_mount: Failed to read AGGREGATE_I");

			rc = -EIO;

			goto errout35;

			goto err_umount_ipbmap;

		}

		sbi->ipaimap2 = ipaimap2;
@@ -162,7 +162,7 @@ int jfs_mount(struct super_block *sb) 
		if ((rc = diMount(ipaimap2))) {

			jfs_err("jfs_mount: diMount(ipaimap2) failed, rc = %d",

				rc);

			goto errout35;

			goto err_ipaimap2;

		}

	} else

		/* Secondary aggregate inode table is not valid */
@@ -179,51 +179,44 @@ int jfs_mount(struct super_block *sb) 
		jfs_err("jfs_mount: Failed to read FILESYSTEM_I");

		/* open fileset secondary inode allocation map */

		rc = -EIO;

		goto errout40;

		goto err_umount_ipaimap2;

	}

	jfs_info("jfs_mount: ipimap:0x%p", ipimap);



	/* map further access of per fileset inodes by the fileset inode */

	sbi->ipimap = ipimap;



	/* initialize fileset inode allocation map */

	if ((rc = diMount(ipimap))) {

		jfs_err("jfs_mount: diMount failed w/rc = %d", rc);

		goto errout41;

		goto err_ipimap;

	}



	goto out;

	/* map further access of per fileset inodes by the fileset inode */

	sbi->ipimap = ipimap;



	return rc;



	/*

	 *	unwind on error

	 */

      errout41:		/* close fileset inode allocation map inode */

err_ipimap:

	/* close fileset inode allocation map inode */

	diFreeSpecial(ipimap);



      errout40:		/* fileset closed */



err_umount_ipaimap2:

	/* close secondary aggregate inode allocation map */

	if (ipaimap2) {

	if (ipaimap2)

		diUnmount(ipaimap2, 1);

err_ipaimap2:

	/* close aggregate inodes */

	if (ipaimap2)

		diFreeSpecial(ipaimap2);

	}



      errout35:



	/* close aggregate block allocation map */

err_umount_ipbmap:	/* close aggregate block allocation map */

	dbUnmount(ipbmap, 1);

err_ipbmap:		/* close aggregate inodes */

	diFreeSpecial(ipbmap);



      errout22:		/* close aggregate inode allocation map */



err_umount_ipaimap:	/* close aggregate inode allocation map */

	diUnmount(ipaimap, 1);



      errout21:		/* close aggregate inodes */

err_ipaimap:		/* close aggregate inodes */

	diFreeSpecial(ipaimap);

      errout20:		/* aggregate closed */



out:



	if (rc)

		jfs_err("Mount JFS Failure: %d", rc);