When dquot_resume() was last updated, the argument that got passed
to vfs_cleanup_quota_inode was incorrectly set.
If type = -1 and dquot_load_quota_sb() returns a negative value,
then vfs_cleanup_quota_inode() gets called with -1 passed as an
argument, and this leads to an array-index-out-of-bounds bug.
Fix this issue by correctly passing the arguments.
Fixes: ae45f07d47cc ("quota: Simplify dquot_resume()")
Reported-by: syzbot+2643e825238d7aabb...@syzkaller.appspotmail.com
Tested-by: syzbot+2643e825238d7aabb...@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam <anant.thazhema...@gmail.com>
---
If type = -1 is passed as an argument to vfs_cleanup_quota_inode(),
it causes an array-index-out-of-bounds error since dqopt->files[-1]
can be potentially attempted to be accessed.
Before the bisected commit introduced this bug, vfs_load_quota_inode()
was being directly called in dquot_resume(), and subsequently
vfs_cleanup_quota_inode() was called with the cnt value as argument.
fs/quota/dquot.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
index bb02989d92b6..4f1373463766 100644
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -2455,7 +2455,7 @@ int dquot_resume(struct super_block *sb, int type)
ret = dquot_load_quota_sb(sb, cnt, dqopt->info[cnt].dqi_fmt_id,
flags);
if (ret < 0)
- vfs_cleanup_quota_inode(sb, type);
+ vfs_cleanup_quota_inode(sb, cnt);
}
return ret;
--
2.25.1
