Fixed
Created: Dec 10, 2025
Updated: Dec 11, 2025
Resolved Date: Dec 10, 2025
Found In Version: 10.22.33.1
Fix Version: 10.22.33.5
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix use-after-free in ext4_orphan_cleanup

I caught an issue as follows:
==================================================================
 BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0
 Read of size 8 at addr ffff88814b13f378 by task mount/710

 CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370
 Call Trace:
 <TASK>
 dump_stack_lvl+0x73/0x9f
 print_report+0x25d/0x759
 kasan_report+0xc0/0x120
 __asan_load8+0x99/0x140
 __list_add_valid+0x28/0x1a0
 ext4_orphan_cleanup+0x564/0x9d0 [ext4]
 __ext4_fill_super+0x48e2/0x5300 [ext4]
 ext4_fill_super+0x19f/0x3a0 [ext4]
 get_tree_bdev+0x27b/0x450
 ext4_get_tree+0x19/0x30 [ext4]
 vfs_get_tree+0x49/0x150
 path_mount+0xaae/0x1350
 do_mount+0xe2/0x110
 __x64_sys_mount+0xf0/0x190
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
 </TASK>
 [...]
==================================================================

Above issue may happen as follows:
-------------------------------------
ext4_fill_super
 ext4_orphan_cleanup
  --- loop1: assume last_orphan is 12 ---
   list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan)
   ext4_truncate --> return 0
    ext4_inode_attach_jinode --> return -ENOMEM
   iput(inode) --> free inode<12>
  --- loop2: last_orphan is still 12 ---
   list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan);
   // use inode<12> and trigger UAF

To solve this issue, we need to propagate the return value of
ext4_inode_attach_jinode() appropriately.
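
The loop described above, as an added user-space model (not kernel code and not part of the original commit). It shows why a swallowed -ENOMEM leaves a freed inode linked on the orphan list while propagating it does not. All function and variable names are hypothetical, a "freed" flag stands in for real freeing, and the error path (unlink the inode, stop the loop) is an assumption of the model.

```c
#include <errno.h>

/* User-space model of the flow in the commit message; not kernel code.
 * All names are hypothetical. A "freed" flag stands in for real freeing. */
struct node { struct node *prev, *next; int freed; };
static struct node s_orphan;   /* models EXT4_SB(sb)->s_orphan */
static struct node pool[4];    /* models successive in-memory inodes */
static int stale_reads;        /* list_add calls that touched a freed node */

static void list_add_checked(struct node *n, struct node *head)
{
    if (head->next->freed)     /* the read KASAN flags in __list_add_valid */
        stale_reads++;
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}

static void list_del_node(struct node *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = n;
}

static int attach_jinode(void) { return -ENOMEM; }  /* simulated failure */
/* propagate == 0: error swallowed, 0 returned (the flow in the report). */
static int truncate_model(int propagate)
{
    int err = attach_jinode();
    return propagate ? err : 0;
}

/* Returns how many list insertions touched an already-freed inode. */
int orphan_cleanup_model(int propagate, int max_loops)
{
    int last_orphan = 12, i;
    s_orphan.next = s_orphan.prev = &s_orphan;
    stale_reads = 0;
    for (i = 0; last_orphan && i < max_loops && i < 4; i++) {
        struct node *inode = &pool[i];    /* fresh inode for orphan 12 */
        inode->freed = 0;
        list_add_checked(inode, &s_orphan);
        if (truncate_model(propagate)) {  /* assumed error path: unlink, stop */
            list_del_node(inode);
            last_orphan = 0;
        }
        inode->freed = 1;                 /* iput(): inode memory released */
    }
    return stale_reads;
}
```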