From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Russell King <rmk+kernel@armlinux.org.uk>,
Al Viro <viro@zeniv.linux.org.uk>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.14 10/37] fs/adfs: super: fix use-after-free bug
Date: Fri, 26 Jul 2019 09:43:05 -0400 [thread overview]
Message-ID: <20190726134332.12626-10-sashal@kernel.org> (raw)
In-Reply-To: <20190726134332.12626-1-sashal@kernel.org>
From: Russell King <rmk+kernel@armlinux.org.uk>
[ Upstream commit 5808b14a1f52554de612fee85ef517199855e310 ]
Fix a use-after-free bug during filesystem initialisation, where we
access the disc record (which is stored in a buffer) after we have
released the buffer.
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/adfs/super.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/adfs/super.c b/fs/adfs/super.c
index c9fdfb112933..e42c30001509 100644
--- a/fs/adfs/super.c
+++ b/fs/adfs/super.c
@@ -368,6 +368,7 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
struct buffer_head *bh;
struct object_info root_obj;
unsigned char *b_data;
+ unsigned int blocksize;
struct adfs_sb_info *asb;
struct inode *root;
int ret = -EINVAL;
@@ -419,8 +420,10 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
goto error_free_bh;
}
+ blocksize = 1 << dr->log2secsize;
brelse(bh);
- if (sb_set_blocksize(sb, 1 << dr->log2secsize)) {
+
+ if (sb_set_blocksize(sb, blocksize)) {
bh = sb_bread(sb, ADFS_DISCRECORD / sb->s_blocksize);
if (!bh) {
adfs_error(sb, "couldn't read superblock on "
--
2.20.1
next prev parent reply other threads:[~2019-07-26 13:52 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-26 13:42 [PATCH AUTOSEL 4.14 01/37] ARM: riscpc: fix DMA Sasha Levin
2019-07-26 13:42 ` [PATCH AUTOSEL 4.14 02/37] ARM: dts: rockchip: Make rk3288-veyron-minnie run at hs200 Sasha Levin
2019-07-26 13:42 ` [PATCH AUTOSEL 4.14 03/37] ARM: dts: rockchip: Make rk3288-veyron-mickey's emmc work again Sasha Levin
2019-07-26 13:42 ` [PATCH AUTOSEL 4.14 04/37] ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 05/37] ftrace: Enable trampoline when rec count returns back to one Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 06/37] kernel/module.c: Only return -EEXIST for modules that have finished loading Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 07/37] MIPS: lantiq: Fix bitfield masking Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 08/37] dmaengine: rcar-dmac: Reject zero-length slave DMA requests Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 09/37] clk: tegra210: fix PLLU and PLLU_OUT1 Sasha Levin
2019-07-26 13:43 ` Sasha Levin [this message]
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 11/37] btrfs: fix minimum number of chunk errors for DUP Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 12/37] cifs: Fix a race condition with cifs_echo_request Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 13/37] ceph: fix improper use of smp_mb__before_atomic() Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 14/37] ceph: return -ERANGE if virtual xattr value didn't fit in buffer Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 15/37] ACPI: blacklist: fix clang warning for unused DMI table Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 16/37] scsi: zfcp: fix GCC compiler warning emitted with -Wmaybe-uninitialized Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 17/37] x86: kvm: avoid constant-conversion warning Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 18/37] ACPI: fix false-positive -Wuninitialized warning Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 19/37] ISDN: hfcsusb: checking idx of ep configuration Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 20/37] be2net: Signal that the device cannot transmit during reconfiguration Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 21/37] x86/apic: Silence -Wtype-limits compiler warnings Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 22/37] x86: math-emu: Hide clang warnings for 16-bit overflow Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 23/37] mm/cma.c: fail if fixed declaration can't be honored Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 24/37] coda: add error handling for fget Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 25/37] coda: fix build using bare-metal toolchain Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 26/37] uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel side headers Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 27/37] drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 28/37] drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 29/37] ipc/mqueue.c: only perform resource calculation if user valid Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 30/37] floppy: fix div-by-zero in setup_format_params Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 31/37] floppy: fix out-of-bounds read in copy_buffer Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 32/37] xen: let alloc_xenballooned_pages() fail if not enough memory free Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 33/37] xen/pv: Fix a boot up hang revealed by int3 self test Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 34/37] x86/kvm: Don't call kvm_spurious_fault() from .fixup Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 35/37] x86/paravirt: Fix callee-saved function ELF sizes Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 36/37] x86, boot: Remove multiple copy of static function sanitize_boot_params() Sasha Levin
2019-07-26 13:43 ` [PATCH AUTOSEL 4.14 37/37] drm/nouveau: fix memory leak in nouveau_conn_reset() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190726134332.12626-10-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rmk+kernel@armlinux.org.uk \
--cc=stable@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).