diff options
| author | Russell King <rmk+kernel@armlinux.org.uk> | 2019-06-04 14:50:14 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-08-06 18:28:26 +0200 |
| commit | a5e8659098aa8bc76ae056743f72c8df785c97ca (patch) | |
| tree | 7049818ba05e714f7eb254d8f4dc4567aa140971 /fs/adfs | |
| parent | 6aaace574aca86cfd79454c865abdbf8c7d890e8 (diff) | |
| download | linux-stable-a5e8659098aa8bc76ae056743f72c8df785c97ca.tar.gz linux-stable-a5e8659098aa8bc76ae056743f72c8df785c97ca.tar.bz2 linux-stable-a5e8659098aa8bc76ae056743f72c8df785c97ca.zip | |
fs/adfs: super: fix use-after-free bug
[ Upstream commit 5808b14a1f52554de612fee85ef517199855e310 ]
Fix a use-after-free bug during filesystem initialisation, where we
access the disc record (which is stored in a buffer) after we have
released the buffer.
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'fs/adfs')
| -rw-r--r-- | fs/adfs/super.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/fs/adfs/super.c b/fs/adfs/super.c index 4d4a0df8344f..b00ae922ece2 100644 --- a/fs/adfs/super.c +++ b/fs/adfs/super.c @@ -368,6 +368,7 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent) struct buffer_head *bh; struct object_info root_obj; unsigned char *b_data; + unsigned int blocksize; struct adfs_sb_info *asb; struct inode *root; int ret = -EINVAL; @@ -419,8 +420,10 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent) goto error_free_bh; } + blocksize = 1 << dr->log2secsize; brelse(bh); - if (sb_set_blocksize(sb, 1 << dr->log2secsize)) { + + if (sb_set_blocksize(sb, blocksize)) { bh = sb_bread(sb, ADFS_DISCRECORD / sb->s_blocksize); if (!bh) { adfs_error(sb, "couldn't read superblock on " |