From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Lukas Czerner <lczerner@redhat.com>,
	Andreas Dilger <adilger@dilger.ca>,
	Amit Pundir <amit.pundir@linaro.org>
Subject: [PATCH 3.18 36/49] ext4: fix potential use after free in __ext4_journal_stop
Date: Thu, 18 May 2017 15:16:45 +0200
Message-ID: <20170518131644.563008293@linuxfoundation.org>
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Czerner <lczerner@redhat.com>

commit 6934da9238da947628be83635e365df41064b09b upstream.

There is a use-after-free possibility in __ext4_journal_stop() in the
case that we free the handle in the first jbd2_journal_stop() because
we're referencing handle->h_err afterwards. This was introduced in
9705acd63b125dee8b15c705216d7186daea4625 and it is wrong. Fix it by
storing the handle->h_err value beforehand and avoid referencing
potentially freed handle.

Fixes: 9705acd63b125dee8b15c705216d7186daea4625
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/ext4_jbd2.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/fs/ext4/ext4_jbd2.c
+++ b/fs/ext4/ext4_jbd2.c
@@ -88,13 +88,13 @@ int __ext4_journal_stop(const char *wher
 		return 0;
 	}
 
+	err = handle->h_err;
 	if (!handle->h_transaction) {
-		err = jbd2_journal_stop(handle);
-		return handle->h_err ? handle->h_err : err;
+		rc = jbd2_journal_stop(handle);
+		return err ? err : rc;
 	}
 
 	sb = handle->h_transaction->t_journal->j_private;
-	err = handle->h_err;
 	rc = jbd2_journal_stop(handle);
 
 	if (!err)
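
Review bot: Missing documentation at the hoisted `err = handle->h_err;` line: nothing in the code says why the read has to come before `jbd2_journal_stop(handle)`, so a later cleanup could move it back and reintroduce the use after free the commit message describes. Suggest a one-line comment above it, for example `/* jbd2_journal_stop() may free the handle; read h_err first */`. The logic itself reads correctly from the visible lines: both paths now take `h_err` (and, in the second path, `sb` via `h_transaction`) before the stop call, and the early return keeps the old precedence of the handle error over the stop result with `return err ? err : rc;`.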
