From: Pan Bian <bianpan2016@163.com>
Date: Tue, 4 Dec 2018 04:28:02 +0000 (-0500)
Subject: ext4: fix possible use after free in ext4_quota_enable
X-Git-Tag: v4.14.92~37
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=34bba27d0399bee3cf65b030f2f43dde77d92248;p=platform%2Fkernel%2Flinux-rpi.git

ext4: fix possible use after free in ext4_quota_enable

commit 61157b24e60fb3cd1f85f2c76a7b1d628f970144 upstream.

The function frees qf_inode via iput but then pass qf_inode to
lockdep_set_quota_inode on the failure path. This may result in a
use-after-free bug. The patch frees df_inode only when it is never used.

Fixes: daf647d2dd5 ("ext4: add lockdep annotations for i_data_sem")
Cc: stable@kernel.org # 4.6
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 675f425..fb5ed94 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -5636,9 +5636,9 @@ static int ext4_quota_enable(struct super_block *sb, int type, int format_id,
 	qf_inode->i_flags |= S_NOQUOTA;
 	lockdep_set_quota_inode(qf_inode, I_DATA_SEM_QUOTA);
 	err = dquot_enable(qf_inode, type, format_id, flags);
-	iput(qf_inode);
 	if (err)
 		lockdep_set_quota_inode(qf_inode, I_DATA_SEM_NORMAL);
+	iput(qf_inode);
 
 	return err;
 }