* [PATCH] fs/qnx6: set and bh1 and bh2 to NULL after dropping references
@ 2018-11-26  2:21 Pan Bian
From: Pan Bian @ 2018-11-26  2:21 UTC (permalink / raw)
  To: linux-kernel; +Cc: Kai Bankett, Pan Bian

The function qnx6_fill_super drops the reference to bh2 when superblock
1 is activated via brelse, otherwise it drops the reference to bh1 when
superblock 2 is activated. If an error occurs after that, it will try to
drop the references to bh1 and bh2 again. This may result in
use-after-free bugs. The patch sets bh1 and bh2 to NULL after their
reference counts are decreased.

Signed-off-by: Pan Bian <bianpan2016@163.com>
---
 fs/qnx6/inode.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/qnx6/inode.c b/fs/qnx6/inode.c
index 4aeb26b..e8a8536 100644
--- a/fs/qnx6/inode.c
+++ b/fs/qnx6/inode.c
@@ -405,12 +405,14 @@ static int qnx6_fill_super(struct super_block *s, void *data, int silent)
 		sbi->sb_buf = bh1;
 		sbi->sb = (struct qnx6_super_block *)bh1->b_data;
 		brelse(bh2);
+		bh2 = NULL;
 		pr_info("superblock #1 active\n");
 	} else {
 		/* superblock #2 active */
 		sbi->sb_buf = bh2;
 		sbi->sb = (struct qnx6_super_block *)bh2->b_data;
 		brelse(bh1);
+		bh1 = NULL;
 		pr_info("superblock #2 active\n");
 	}
 mmi_success:
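Review bot: the two added assignments are sufficient only because brelse() ignores a NULL pointer and because the surviving buffer is now owned through sbi->sb_buf; neither the error path that re-releases bh1 and bh2 nor the release of sbi->sb_buf is visible in this hunk, so the commit message should name the label or exit path where the second brelse(bh1)/brelse(bh2) happens, and confirm that the error path does not also release sbi->sb_buf, otherwise the still-live buffer is dropped twice by a different route. Minor: the subject line has a stray "and" ("set and bh1 and bh2").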
-- 
2.7.4
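The defect the commit message describes, a shared cleanup path releasing a buffer that the superblock-selection code already released, can be reproduced outside the kernel. The following is an added user-space model, not code from the patch or from fs/qnx6: `struct bh` and `put()` are hypothetical stand-ins for `struct buffer_head` and `brelse()` (which, like the real brelse(), treats NULL as a no-op), the serial-number comparison is a constructed selection rule, and `nullify` toggles the patch's fix. Instead of freeing memory at refcount zero, `put()` counts over-releases so the model stays memory-safe while still exposing the double drop.

```c
#include <stdlib.h>

/* Hypothetical stand-in for struct buffer_head: a refcounted block buffer. */
struct bh {
    int refcount;
    int serial;        /* constructed: plays the role of the superblock serial */
};

static struct bh *bh_get(int serial)
{
    struct bh *b = calloc(1, sizeof *b);
    if (!b)
        abort();
    b->refcount = 1;   /* caller owns one reference, as after sb_bread() */
    b->serial = serial;
    return b;
}

/* Stand-in for brelse(): NULL-safe, drops one reference.
 * Returns 1 when a reference is dropped that the caller no longer owns
 * (refcount already 0), i.e. the double release the patch fixes; 0 otherwise. */
static int put(struct bh *b)
{
    if (!b)
        return 0;          /* brelse(NULL) is a no-op in the kernel too */
    if (b->refcount == 0)
        return 1;          /* over-release: in the kernel this is a use-after-free */
    b->refcount--;
    return 0;
}

/* Models the selection block of qnx6_fill_super() followed by either the
 * normal teardown or a shared error path that releases bh1 and bh2 again.
 * Returns the number of over-releases observed (0 means no double drop). */
static int simulate(int serial1, int serial2, int fail_later, int nullify)
{
    struct bh *bh1 = bh_get(serial1), *bh2 = bh_get(serial2);
    struct bh *alloc1 = bh1, *alloc2 = bh2;   /* kept so the model can free them */
    struct bh *active;
    int over = 0;

    if (serial1 >= serial2) {
        /* superblock #1 active: drop the unused buffer, keep bh1 via sbi->sb_buf */
        active = bh1;
        over += put(bh2);
        if (nullify)
            bh2 = NULL;    /* the patch's "bh2 = NULL;" */
    } else {
        /* superblock #2 active: drop the unused buffer, keep bh2 via sbi->sb_buf */
        active = bh2;
        over += put(bh1);
        if (nullify)
            bh1 = NULL;    /* the patch's "bh1 = NULL;" */
    }

    if (fail_later) {
        /* error path described in the commit message: releases both again */
        over += put(bh1);
        over += put(bh2);
    } else {
        /* normal teardown: only the active buffer is still referenced */
        over += put(active);
    }

    free(alloc1);
    free(alloc2);
    return over;
}
```

With `nullify` off and an error after selection, `simulate()` reports one over-release whichever superblock won; with the patch's assignments applied it reports none, and the success path is clean in both cases, which is the behaviour the two added lines are meant to guarantee.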