mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
45 lines
1.4 KiB
Diff
45 lines
1.4 KiB
Diff
From 6934da9238da947628be83635e365df41064b09b Mon Sep 17 00:00:00 2001
|
|
From: Lukas Czerner <lczerner@redhat.com>
|
|
Date: Sat, 17 Oct 2015 22:57:06 -0400
|
|
Subject: ext4: fix potential use after free in __ext4_journal_stop
|
|
|
|
There is a use-after-free possibility in __ext4_journal_stop() in the
|
|
case that we free the handle in the first jbd2_journal_stop() because
|
|
we're referencing handle->h_err afterwards. This was introduced in
|
|
9705acd63b125dee8b15c705216d7186daea4625 and it is wrong. Fix it by
|
|
storing the handle->h_err value beforehand and avoid referencing
|
|
potentially freed handle.
|
|
|
|
Fixes: 9705acd63b125dee8b15c705216d7186daea4625
|
|
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
|
|
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
|
|
Cc: stable@vger.kernel.org
|
|
---
|
|
fs/ext4/ext4_jbd2.c | 6 +++---
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/fs/ext4/ext4_jbd2.c b/fs/ext4/ext4_jbd2.c
|
|
index d418431..e770c1ee 100644
|
|
--- a/fs/ext4/ext4_jbd2.c
|
|
+++ b/fs/ext4/ext4_jbd2.c
|
|
@@ -88,13 +88,13 @@ int __ext4_journal_stop(const char *where, unsigned int line, handle_t *handle)
|
|
return 0;
|
|
}
|
|
|
|
+ err = handle->h_err;
|
|
if (!handle->h_transaction) {
|
|
- err = jbd2_journal_stop(handle);
|
|
- return handle->h_err ? handle->h_err : err;
|
|
+ rc = jbd2_journal_stop(handle);
|
|
+ return err ? err : rc;
|
|
}
|
|
|
|
sb = handle->h_transaction->t_journal->j_private;
|
|
- err = handle->h_err;
|
|
rc = jbd2_journal_stop(handle);
|
|
|
|
if (!err)
|
|
--
|
|
cgit v1.1
|
|
|