Merge tag '9p-fixes-for-6.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git...

Pull 9p fixes from Eric Van Hensbergen:
 "Two of these fix syzbot reported issues, and the other fixes a unused
  variable in some configurations"

* tag '9p-fixes-for-6.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs:
  fs/9p: fix uninitialized values during inode evict
  fs/9p: remove redundant pointer v9ses
  fs/9p: fix uaf in in v9fs_stat2inode_dotl

diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
index 360a5304ec03ce53e5bab61e2177a5f325569ebf..b01b1bbf24937168f6fdabe920ddbad0bae3e5d9 100644 (file)
--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -344,17 +344,21 @@ void v9fs_evict_inode(struct inode *inode)
        struct v9fs_inode __maybe_unused *v9inode = V9FS_I(inode);
        __le32 __maybe_unused version;
 
-       truncate_inode_pages_final(&inode->i_data);
+       if (!is_bad_inode(inode)) {
+               truncate_inode_pages_final(&inode->i_data);
 
-       version = cpu_to_le32(v9inode->qid.version);
-       netfs_clear_inode_writeback(inode, &version);
+               version = cpu_to_le32(v9inode->qid.version);
+               netfs_clear_inode_writeback(inode, &version);
 
-       clear_inode(inode);
-       filemap_fdatawrite(&inode->i_data);
+               clear_inode(inode);
+               filemap_fdatawrite(&inode->i_data);
 
 #ifdef CONFIG_9P_FSCACHE
-       fscache_relinquish_cookie(v9fs_inode_cookie(v9inode), false);
+               if (v9fs_inode_cookie(v9inode))
+                       fscache_relinquish_cookie(v9fs_inode_cookie(v9inode), false);
 #endif
+       } else
+               clear_inode(inode);
 }
 
 struct inode *v9fs_fid_iget(struct super_block *sb, struct p9_fid *fid)

diff --git a/fs/9p/vfs_inode_dotl.c b/fs/9p/vfs_inode_dotl.c
index ef9db3e035062b189be8e408c15372e0dd11b3c6..55dde186041a38d98c997e2ea728e2004c2a9606 100644 (file)
--- a/fs/9p/vfs_inode_dotl.c
+++ b/fs/9p/vfs_inode_dotl.c
@@ -78,11 +78,11 @@ struct inode *v9fs_fid_iget_dotl(struct super_block *sb, struct p9_fid *fid)
 
        retval = v9fs_init_inode(v9ses, inode, &fid->qid,
                                 st->st_mode, new_decode_dev(st->st_rdev));
+       v9fs_stat2inode_dotl(st, inode, 0);
        kfree(st);
        if (retval)
                goto error;
 
-       v9fs_stat2inode_dotl(st, inode, 0);
        v9fs_set_netfs_context(inode);
        v9fs_cache_inode_get_cookie(inode);
        retval = v9fs_get_acl(inode, fid);
@@ -297,7 +297,6 @@ static int v9fs_vfs_mkdir_dotl(struct mnt_idmap *idmap,
                               umode_t omode)
 {
        int err;
-       struct v9fs_session_info *v9ses;
        struct p9_fid *fid = NULL, *dfid = NULL;
        kgid_t gid;
        const unsigned char *name;
@@ -307,7 +306,6 @@ static int v9fs_vfs_mkdir_dotl(struct mnt_idmap *idmap,
        struct posix_acl *dacl = NULL, *pacl = NULL;
 
        p9_debug(P9_DEBUG_VFS, "name %pd\n", dentry);
-       v9ses = v9fs_inode2v9ses(dir);
 
        omode |= S_IFDIR;
        if (dir->i_mode & S_ISGID)
@@ -739,7 +737,6 @@ v9fs_vfs_mknod_dotl(struct mnt_idmap *idmap, struct inode *dir,
        kgid_t gid;
        const unsigned char *name;
        umode_t mode;
-       struct v9fs_session_info *v9ses;
        struct p9_fid *fid = NULL, *dfid = NULL;
        struct inode *inode;
        struct p9_qid qid;
@@ -749,7 +746,6 @@ v9fs_vfs_mknod_dotl(struct mnt_idmap *idmap, struct inode *dir,
                 dir->i_ino, dentry, omode,
                 MAJOR(rdev), MINOR(rdev));
 
-       v9ses = v9fs_inode2v9ses(dir);
        dfid = v9fs_parent_fid(dentry);
        if (IS_ERR(dfid)) {
                err = PTR_ERR(dfid);