Description
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix uninitialized value in 'ext4_evict_inode'

Syzbot found the following issue:

=====================================================
BUG: KMSAN: uninit-value in ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180
 ext4_evict_inode+0xdd/0x26b0 fs/ext4/inode.c:180
 evict+0x365/0x9a0 fs/inode.c:664
 iput_final fs/inode.c:1747 [inline]
 iput+0x985/0xdd0 fs/inode.c:1773
 __ext4_new_inode+0xe54/0x7ec0 fs/ext4/ialloc.c:1361
 ext4_mknod+0x376/0x840 fs/ext4/namei.c:2844
 vfs_mknod+0x79d/0x830 fs/namei.c:3914
 do_mknodat+0x47d/0xaa0
 __do_sys_mknodat fs/namei.c:3992 [inline]
 __se_sys_mknodat fs/namei.c:3989 [inline]
 __ia32_sys_mknodat+0xeb/0x150 fs/namei.c:3989
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
 do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246
 entry_SYSENTER_compat_after_hwframe+0x70/0x82

Uninit was created at:
 __alloc_pages+0x9f1/0xe80 mm/page_alloc.c:5578
 alloc_pages+0xaae/0xd80 mm/mempolicy.c:2285
 alloc_slab_page mm/slub.c:1794 [inline]
 allocate_slab+0x1b5/0x1010 mm/slub.c:1939
 new_slab mm/slub.c:1992 [inline]
 ___slab_alloc+0x10c3/0x2d60 mm/slub.c:3180
 __slab_alloc mm/slub.c:3279 [inline]
 slab_alloc_node mm/slub.c:3364 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc_lru+0x6f3/0xb30 mm/slub.c:3429
 alloc_inode_sb include/linux/fs.h:3117 [inline]
 ext4_alloc_inode+0x5f/0x860 fs/ext4/super.c:1321
 alloc_inode+0x83/0x440 fs/inode.c:259
 new_inode_pseudo fs/inode.c:1018 [inline]
 new_inode+0x3b/0x430 fs/inode.c:1046
 __ext4_new_inode+0x2a7/0x7ec0 fs/ext4/ialloc.c:959
 ext4_mkdir+0x4d5/0x1560 fs/ext4/namei.c:2992
 vfs_mkdir+0x62a/0x870 fs/namei.c:4035
 do_mkdirat+0x466/0x7b0 fs/namei.c:4060
 __do_sys_mkdirat fs/namei.c:4075 [inline]
 __se_sys_mkdirat fs/namei.c:4073 [inline]
 __ia32_sys_mkdirat+0xc4/0x120 fs/namei.c:4073
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
 do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:246
 entry_SYSENTER_compat_after_hwframe+0x70/0x82

CPU: 1 PID: 4625 Comm: syz-executor.2 Not tainted 6.1.0-rc4-syzkaller-62821-gcb231e2f67ec #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
=====================================================

Now, 'ext4_alloc_inode()' didn't init 'ei->i_flags'. If creating the new inode failed before 'ei->i_flags' was set in '__ext4_new_inode()', then 'iput()' is called. Since commit 6bc0d63dad7f, 'ext4_evict_inode()' accesses 'ei->i_flags', which leads to an access of an uninit-value. To solve the above issue, just init 'ei->i_flags' in 'ext4_alloc_inode()'.
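The sequence the advisory describes (allocate an inode from a slab that reuses memory without zeroing it, fail early in the constructor before the flags field is assigned, then have the eviction path read that field) can be modelled outside the kernel. The following userspace C program is an added example, not ext4 code or the patch itself: `example_inode`, the fixed-size slab, the poison byte, the `INODE_FLAG_SPECIAL` bit and the function names are all constructed stand-ins for `ext4_alloc_inode()`, `__ext4_new_inode()` and `ext4_evict_inode()`. It shows why initialising the field in the allocator (the fix) is the right place: every later error path, including `iput()` on a half-built inode, then sees a defined value, whereas the buggy allocator lets whatever was previously in the slab object steer the eviction branch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed flag bit standing in for one bit of ei->i_flags. */
#define INODE_FLAG_SPECIAL 0x1u
#define SLAB_OBJECTS 4
/* Constructed stale-byte pattern: what a previous occupant of the slab
 * object might have left behind (bit 0 set, so it trips the flag test). */
#define STALE_BYTE 0x6b

struct example_inode {
    uint32_t i_flags;          /* stand-in for ei->i_flags */
    int      evicted_special;  /* records which branch evict took */
};

/* A tiny slab cache: objects are handed out without being zeroed,
 * like kmem_cache_alloc() without __GFP_ZERO. */
static struct example_inode slab[SLAB_OBJECTS];
static size_t slab_next;

static void slab_reset_with_stale_data(void) {
    memset(slab, STALE_BYTE, sizeof slab);
    slab_next = 0;
}

static struct example_inode *slab_alloc(void) {
    if (slab_next >= SLAB_OBJECTS)
        return NULL;
    return &slab[slab_next++];
}

/* Buggy allocator: mirrors the pre-fix behaviour, i_flags is left untouched. */
static struct example_inode *alloc_inode_buggy(void) {
    struct example_inode *ei = slab_alloc();
    if (!ei)
        return NULL;
    ei->evicted_special = 0;
    /* i_flags deliberately not initialised here */
    return ei;
}

/* Fixed allocator: i_flags is defined from the moment the object exists. */
static struct example_inode *alloc_inode_fixed(void) {
    struct example_inode *ei = slab_alloc();
    if (!ei)
        return NULL;
    ei->evicted_special = 0;
    ei->i_flags = 0;
    return ei;
}

/* Stand-in for ext4_evict_inode(): consults i_flags to choose a path. */
static void evict_inode(struct example_inode *ei) {
    ei->evicted_special = (ei->i_flags & INODE_FLAG_SPECIAL) ? 1 : 0;
}

/* Stand-in for __ext4_new_inode() hitting an early error: the inode is
 * allocated, the failure happens before i_flags would have been assigned,
 * and the object is released through the eviction path (iput -> evict).
 * Returns the branch evict took, or -1 if allocation itself failed. */
static int new_inode_then_fail(struct example_inode *(*alloc)(void)) {
    struct example_inode *ei = alloc();
    if (!ei)
        return -1;
    /* ... early failure here, before the code that sets i_flags ... */
    evict_inode(ei);
    return ei->evicted_special;
}

int run_buggy(void) {
    slab_reset_with_stale_data();
    return new_inode_then_fail(alloc_inode_buggy);
}

int run_fixed(void) {
    slab_reset_with_stale_data();
    return new_inode_then_fail(alloc_inode_fixed);
}

int main(void) {
    printf("buggy allocator: evict took special branch = %d\n", run_buggy());
    printf("fixed allocator: evict took special branch = %d\n", run_fixed());
    return 0;
}
```

The stale byte is set explicitly so the outcome is deterministic; in the real kernel the content of a freshly allocated slab object is whatever the previous user left, which is exactly what KMSAN flags as uninit-value. The lesson generalises beyond ext4: any field that a destructor or error path reads must be initialised at allocation time, not at the point in the constructor where its "real" value becomes known.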
Product status
bb337d8dd1e1d6b7719872e45e36392f3ab14b4f before f0bffdcc7cb14598af2aa706f1e0f2a9054154ba
a5f9bd4beae8553480d02b569d4aabee1b49345d before e431b4fb1fb8c2654b808086e9747a000adb9655
0e6fbc566fcc4c230bf80f76cf5df26b42142d8a before 091f85db4c3fb1734a6d7fb4777a2b2831da6631
0b885394fd009aa0b46d81b496a816ab11309f8a before 3c31d8d3ad95aef8cc17a4fcf317e46217148439
6bc0d63dad7f9f54d381925ee855b402f652fa39 before 56491d60ddca9c697d885394cb0173675b9ab81f
6bc0d63dad7f9f54d381925ee855b402f652fa39 before 9f966e021c20caae639dd0e404c8761e8281a2c4
6bc0d63dad7f9f54d381925ee855b402f652fa39 before 7ea71af94eaaaf6d9aed24bc94a05b977a741cb9
819d16f7feaca0f2ed3409be14fe953127fc51b6
458aee4a6e5be7ad862ee27dfaf07ce552d84f32
6.0
Any version before 6.0
5.10.164
5.15.87
6.0.18
6.1.4
6.2
References
git.kernel.org/...c/f0bffdcc7cb14598af2aa706f1e0f2a9054154ba
git.kernel.org/...c/e431b4fb1fb8c2654b808086e9747a000adb9655
git.kernel.org/...c/091f85db4c3fb1734a6d7fb4777a2b2831da6631
git.kernel.org/...c/3c31d8d3ad95aef8cc17a4fcf317e46217148439
git.kernel.org/...c/56491d60ddca9c697d885394cb0173675b9ab81f
git.kernel.org/...c/9f966e021c20caae639dd0e404c8761e8281a2c4
git.kernel.org/...c/7ea71af94eaaaf6d9aed24bc94a05b977a741cb9