From: Richard Weinberger <richard.weinberger@gmail.com>
To: houtao1@huawei.com
Cc: "linux-mtd @ lists . infradead . org"
	<linux-mtd@lists.infradead.org>,
	LKML <linux-kernel@vger.kernel.org>,
	David Woodhouse <dwmw2@infradead.org>,
	stable@kernel.org, Arnd Bergmann <arnd@arndb.de>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Brian Norris <computersforpeace@gmail.com>
Subject: Re: [PATCH] jffs2: free jffs2_sb_info through jffs2_kill_sb()
Date: Tue, 16 Oct 2018 08:41:02 +0200
Message-ID: <CAFLxGvw+=gfrm3SH4Hu9bt0sa6s+X=3cCjkDLvWusqhHH10yEQ@mail.gmail.com>
In-Reply-To: <6401cb90-a1fe-afd5-c302-ddae40876736@huawei.com>

On Tue, Oct 16, 2018 at 7:53 AM Hou Tao <houtao1@huawei.com> wrote:
>
> ping ?
>
> On 2018/10/6 17:09, Hou Tao wrote:
> > When an invalid mount option is passed to jffs2, jffs2_parse_options()
> > will fail and jffs2_sb_info will be freed, but then jffs2_sb_info will
> > be used (use-after-free) and freed (double-free) in jffs2_kill_sb().
> >
> > Fix it by removing the buggy invocation of kfree() when getting invalid
> > mount options.
> >
> > Cc: stable@kernel.org
> > Signed-off-by: Hou Tao <houtao1@huawei.com>
> > ---
> >  fs/jffs2/super.c | 4 +---
> >  1 file changed, 1 insertion(+), 3 deletions(-)
> >
> > diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c
> > index 87bdf0f4cba1..902a7dd10e5c 100644
> > --- a/fs/jffs2/super.c
> > +++ b/fs/jffs2/super.c
> > @@ -285,10 +285,8 @@ static int jffs2_fill_super(struct super_block *sb, void *data, int silent)
> >       sb->s_fs_info = c;
> >
> >       ret = jffs2_parse_options(c, data);
> > -     if (ret) {
> > -             kfree(c);
> > +     if (ret)
> >               return -EINVAL;
> > -     }
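
Review bot: In the `if (ret)` branch, nothing at the call site records why dropping `kfree(c)` is safe. `c` has already been stored in `sb->s_fs_info` two lines earlier, and per the commit message jffs2_kill_sb() uses and frees it when the mount fails, so ownership has passed to the superblock by this point. A short comment above `return -EINVAL;` stating that `c` is released by jffs2_kill_sb() would help prevent the kfree() from being reintroduced later. Separately, the branch discards `ret` and always returns -EINVAL; if jffs2_parse_options() can fail for reasons other than a bad option, `return ret;` would preserve the real error.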

Reviewed-by: Richard Weinberger <richard@nod.at>

We can carry this via the MTD tree.

-- 
Thanks,
//richard


Thread overview: 5+ messages
2018-10-06  9:09 [PATCH] jffs2: free jffs2_sb_info through jffs2_kill_sb() Hou Tao
2018-10-16  5:52 ` Hou Tao
2018-10-16  6:41   ` Richard Weinberger [this message]
2018-10-16 10:26     ` Hou Tao
2018-10-16 11:49       ` Boris Brezillon
