| From c9fe24911bf3001db0f699c4054231aa15d6350b Mon Sep 17 00:00:00 2001 |
| From: Pan Bian <bianpan2016@163.com> |
| Date: Fri, 30 Nov 2018 14:09:18 -0800 |
| Subject: hfsplus: do not free node before using |
| |
| [ Upstream commit c7d7d620dcbd2a1c595092280ca943f2fced7bbd ] |
| |
| hfs_bmap_free() frees node via hfs_bnode_put(node). However it then |
| reads node->this when dumping error message on an error path, which may |
| result in a use-after-free bug. This patch frees node only when it is |
| never used. |
| |
| Link: http://lkml.kernel.org/r/1543053441-66942-1-git-send-email-bianpan2016@163.com |
| Signed-off-by: Pan Bian <bianpan2016@163.com> |
| Reviewed-by: Andrew Morton <akpm@linux-foundation.org> |
| Cc: Ernesto A. Fernandez <ernesto.mnd.fernandez@gmail.com> |
| Cc: Joe Perches <joe@perches.com> |
| Cc: Viacheslav Dubeyko <slava@dubeyko.com> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| fs/hfsplus/btree.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c |
| index 3345c7553edc..7adc8a327e03 100644 |
| --- a/fs/hfsplus/btree.c |
| +++ b/fs/hfsplus/btree.c |
| @@ -453,14 +453,15 @@ void hfs_bmap_free(struct hfs_bnode *node) |
| |
| nidx -= len * 8; |
| i = node->next; |
| - hfs_bnode_put(node); |
| if (!i) { |
| /* panic */; |
| pr_crit("unable to free bnode %u. " |
| "bmap not found!\n", |
| node->this); |
| + hfs_bnode_put(node); |
| return; |
| } |
| + hfs_bnode_put(node); |
| node = hfs_bnode_find(tree, i); |
| if (IS_ERR(node)) |
| return; |
| -- |
| 2.19.1 |
| |
