From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from userp1040.oracle.com ([156.151.31.81]:51708 "EHLO
	userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753733AbcESESq (ORCPT
	<rfc822;stable@vger.kernel.org>); Thu, 19 May 2016 00:18:46 -0400
From: Sasha Levin <sasha.levin@oracle.com>
To: stable@vger.kernel.org, stable-commits@vger.kernel.org
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
	Joel Becker <jlbec@evilplan.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Sasha Levin <sasha.levin@oracle.com>
Subject: [added to the 3.18 stable tree] ocfs2: dereferencing freed pointers in ocfs2_reflink()
Date: Thu, 19 May 2016 00:15:47 -0400
Message-Id: <1463631350-32182-58-git-send-email-sasha.levin@oracle.com>
In-Reply-To: <1463631350-32182-1-git-send-email-sasha.levin@oracle.com>
References: <1463631350-32182-1-git-send-email-sasha.levin@oracle.com>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

From: Dan Carpenter <dan.carpenter@oracle.com>

This patch has been added to the 3.18 stable tree. If you have any
objections, please let us know.

===============

[ Upstream commit e073fc58dfe6a4c9b614320c1d56bb71cb213ec4 ]

The code at the "out" label assumes that "default_acl" and "acl" are NULL,
but actually the pointers can be NULL, unitialized, or freed.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
---
 fs/ocfs2/refcounttree.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c
index d81f6e2..e794c38 100644
--- a/fs/ocfs2/refcounttree.c
+++ b/fs/ocfs2/refcounttree.c
@@ -4278,7 +4278,7 @@ static int ocfs2_reflink(struct dentry *old_dentry, struct inode *dir,
 	error = posix_acl_create(dir, &mode, &default_acl, &acl);
 	if (error) {
 		mlog_errno(error);
-		goto out;
+		return error;
 	}
 
 	error = ocfs2_create_inode_in_orphan(dir, mode,
-- 
2.5.0