| From 92e3b40537707001d17bbad800d150ab04e53bf4 Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Mon, 17 Feb 2014 20:33:01 -0500 |
| Subject: jbd2: fix use after free in jbd2_journal_start_reserved() |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| commit 92e3b40537707001d17bbad800d150ab04e53bf4 upstream. |
| |
| If start_this_handle() fails then it leads to a use after free of |
| "handle". |
| |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/jbd2/transaction.c | 6 ++++-- |
| 1 file changed, 4 insertions(+), 2 deletions(-) |
| |
| --- a/fs/jbd2/transaction.c |
| +++ b/fs/jbd2/transaction.c |
| @@ -514,11 +514,13 @@ int jbd2_journal_start_reserved(handle_t |
| * similarly constrained call sites |
| */ |
| ret = start_this_handle(journal, handle, GFP_NOFS); |
| - if (ret < 0) |
| + if (ret < 0) { |
| jbd2_journal_free_reserved(handle); |
| + return ret; |
| + } |
| handle->h_type = type; |
| handle->h_line_no = line_no; |
| - return ret; |
| + return 0; |
| } |
| EXPORT_SYMBOL(jbd2_journal_start_reserved); |
| |
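Review bot: The failure branch now frees `handle` through jbd2_journal_free_reserved() before returning, but nothing visible in this hunk tells callers that a negative return means the handle is already gone; a caller that stops or frees the handle again on error would bring back a use after free or a double free. I would state the ownership rule in the function's header comment, which lies above the hunk, for example `On failure the reserved handle is freed here; the caller must not use it again.` The success path also changes from `return ret;` to `return 0;`, which is equivalent only if start_this_handle() never returns a positive value; that is not visible here and is worth confirming. The body of jbd2_journal_start_reserved() begins outside the hunk, so the state of `handle` before the start_this_handle() call could not be checked.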