ext4: fix potential use after free in __ext4_journal_stop

There is a use-after-free possibility in __ext4_journal_stop() in the case that we free the handle in the first jbd2_journal_stop() because we're referencing handle->h_err afterwards. This was introduced in 9705acd6 and it is wrong. Fix it by storing the handle->h_err value beforehand and avoid referencing potentially freed handle. Fixes: 9705acd6Signed-off-by: N Lukas Czerner <lczerner@redhat.com> Reviewed-by: N Andreas Dilger <adilger@dilger.ca> Cc: stable@vger.kernel.org

ext4: fix potential use after free in __ext4_journal_stop
There is a use-after-free possibility in __ext4_journal_stop() in the case that we free the handle in the first jbd2_journal_stop() because we're referencing handle->h_err afterwards. This was introduced in 9705acd6 and it is wrong. Fix it by storing the handle->h_err value beforehand and avoid referencing potentially freed handle. Fixes: 9705acd6Signed-off-by: N Lukas Czerner <lczerner@redhat.com> Reviewed-by: N Andreas Dilger <adilger@dilger.ca> Cc: stable@vger.kernel.org
6934da92 · Lukas Czerner · Theodore Ts'o · 33d14975 · 6934da92
隐藏空白更改
内联并排

Showing with 3 addition and 3 deletion

fs/ext4/ext4_jbd2.c fs/ext4/ext4_jbd2.c +3 -3

未找到文件。
--- a/fs/ext4/ext4_jbd2.c
+++ b/fs/ext4/ext4_jbd2.c
@@ -88,13 +88,13 @@ int __ext4_journal_stop(const char *where, unsigned int line, handle_t *handle)
 		return 0;
 	}

+	err = handle->h_err;
 	if (!handle->h_transaction) {
-		err = jbd2_journal_stop(handle);
-		return handle->h_err ? handle->h_err : err;
+		rc = jbd2_journal_stop(handle);
+		return err ? err : rc;
 	}

 	sb = handle->h_transaction->t_journal->j_private;
-	err = handle->h_err;
 	rc = jbd2_journal_stop(handle);

 	if (!err)