| From dc5f5683c76aac062ccf78e69d4591d2432be3fa Mon Sep 17 00:00:00 2001 |
| From: Russell King <rmk+kernel@armlinux.org.uk> |
| Date: Tue, 4 Jun 2019 14:50:14 +0100 |
| Subject: fs/adfs: super: fix use-after-free bug |
| |
| [ Upstream commit 5808b14a1f52554de612fee85ef517199855e310 ] |
| |
| Fix a use-after-free bug during filesystem initialisation, where we |
| access the disc record (which is stored in a buffer) after we have |
| released the buffer. |
| |
| Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> |
| Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| fs/adfs/super.c | 5 ++++- |
| 1 file changed, 4 insertions(+), 1 deletion(-) |
| |
| diff --git a/fs/adfs/super.c b/fs/adfs/super.c |
| index c9fdfb1129335..e42c300015090 100644 |
| --- a/fs/adfs/super.c |
| +++ b/fs/adfs/super.c |
| @@ -368,6 +368,7 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent) |
| struct buffer_head *bh; |
| struct object_info root_obj; |
| unsigned char *b_data; |
| + unsigned int blocksize; |
| struct adfs_sb_info *asb; |
| struct inode *root; |
| int ret = -EINVAL; |
| @@ -419,8 +420,10 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent) |
| goto error_free_bh; |
| } |
| |
| + blocksize = 1 << dr->log2secsize; |
| brelse(bh); |
| - if (sb_set_blocksize(sb, 1 << dr->log2secsize)) { |
| + |
| + if (sb_set_blocksize(sb, blocksize)) { |
| bh = sb_bread(sb, ADFS_DISCRECORD / sb->s_blocksize); |
| if (!bh) { |
| adfs_error(sb, "couldn't read superblock on " |
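Review bot: After `brelse(bh)` the pointer `dr` still points into the released buffer, and nothing at the new assignment says why the value is copied first, so a later cleanup could reintroduce the read-after-release. I would add a comment above `blocksize = 1 << dr->log2secsize;`, for example `/* dr points into bh->b_data: copy what we need before brelse(bh) */`. The shift count comes from the on-disk disc record, and any range check on `log2secsize` sits before this hunk and is not visible here. It is worth confirming that the check bounds the value well below the width of `int`, since `1 << n` is undefined for an out-of-range `n`. adfs_fill_super starts and ends outside the hunk, so these lines do not show whether `dr` is re-derived from the second `sb_bread()` buffer before its next use.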
| -- |
| 2.20.1 |
| |