evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fs/adfs: super: fix use-after-free bug

Browse source 
[ Upstream commit 5808b14a1f52554de612fee85ef517199855e310 ]

Fix a use-after-free bug during filesystem initialisation, where we
access the disc record (which is stored in a buffer) after we have
released the buffer.

Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Russell King 2019-06-04 14:50:14 +01:00 committed by Greg Kroah-Hartman
parent 6aaace574a
commit a5e8659098
1 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
fs/adfs/super.c
View file

@ -368,6 +368,7 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
struct buffer_head *bh; struct buffer_head *bh;
struct object_info root_obj; struct object_info root_obj;
unsigned char *b_data; unsigned char *b_data;
unsigned int blocksize;
struct adfs_sb_info *asb; struct adfs_sb_info *asb;
struct inode *root; struct inode *root;
int ret = -EINVAL; int ret = -EINVAL;
@ -419,8 +420,10 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
goto error_free_bh; goto error_free_bh;
} }
blocksize = 1 << dr->log2secsize;
brelse(bh); brelse(bh);
if (sb_set_blocksize(sb, 1 << dr->log2secsize)) {
if (sb_set_blocksize(sb, blocksize)) {
bh = sb_bread(sb, ADFS_DISCRECORD / sb->s_blocksize); bh = sb_bread(sb, ADFS_DISCRECORD / sb->s_blocksize);
if (!bh) { if (!bh) {
adfs_error(sb, "couldn't read superblock on " adfs_error(sb, "couldn't read superblock on "