fs: fix UAF/GPF bug in nilfs_mdt_destroy

jira LE-4649
cve CVE-2022-50367
Rebuild_History Non-Buildable kernel-5.14.0-570.60.1.el9_6
commit-author Dongliang Mu <mudongliangabcd@gmail.com>
commit 2e488f1

In alloc_inode, inode_init_always() could return -ENOMEM if
security_inode_alloc() fails, which causes inode->i_private
uninitialized. Then nilfs_is_metadata_file_inode() returns
true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),
which frees the uninitialized inode->i_private
and leads to crashes(e.g., UAF/GPF).

Fix this by moving security_inode_alloc just prior to
this_cpu_inc(nr_inodes)

Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com
	Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
	Reported-by: Hao Sun <sunhao.th@gmail.com>
	Reported-by: Jiacheng Xu <stitch@zju.edu.cn>
	Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
	Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
	Cc: Al Viro <viro@zeniv.linux.org.uk>
	Cc: stable@vger.kernel.org
	Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 2e488f1)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

Author: PlaidCat

fs/inode.c

@@ -191,8 +191,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
 	inode->i_wb_frn_history = 0;
 #endif
 
-	if (security_inode_alloc(inode))
-		goto out;
 	spin_lock_init(&inode->i_lock);
 	lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);
 
@@ -229,11 +227,12 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
 	inode->i_fsnotify_mask = 0;
 #endif
 	inode->i_flctx = NULL;
+
+	if (unlikely(security_inode_alloc(inode)))
+		return -ENOMEM;
 	this_cpu_inc(nr_inodes);
 
 	return 0;
-out:
-	return -ENOMEM;
 }
 EXPORT_SYMBOL(inode_init_always);