mirror of
https://github.com/FEX-Emu/linux.git
synced 2024-12-31 22:15:38 +00:00
44b8db1386
This patch fixes buffer_head double free in following code path: gfs2_block_map => gfs2_meta_inode_buffer => gfs2_meta_indirect_buffer => gfs2_meta_read => release_metapath gfs2_block_map calls gfs2_meta_inode_buffer with &mp.mp_bh[0] as an argument. mp.mp_bh are filled with zero at the beginning of gfs2_block_map. If gfs2_meta_inode_buffer returns non-zero value, gfs2_block_map calls release_metapath to free buffers chained to mp.mp_bh. release_metapath checks each slot of mp.mp_bh[i] and free(with brelse) unless the slot is filled with NULL. &mp.mp_bh[0] passed to gfs2_meta_inode_buffer is filled at gfs2_meta_read. gfs2_meta_read is filled a buffer allocated with gfs2_getbuf even if EIO occurs. When EIO occurs, the allocated buffer is brelse'ed though the pointer(wrong poiner) points the brelse'ed is passed back to caller via an argument bhp. gfs2_meta_indirect_buffer, the caller also pass the wrong pointer to its caller with EIO. Finally gfs2_block_map gets both EIO and &mp.mp_bh[0] filled with the wrong pointer. release_metapath calls brelse again on the wrong pointer. Signed-off-by: Masatake YAMATO <yamato@redhat.com> Signed-off-by: Steven Whitehouse <swhiteho@redhat.com> |
||
---|---|---|
.. | ||
acl.c | ||
acl.h | ||
aops.c | ||
bmap.c | ||
bmap.h | ||
dentry.c | ||
dir.c | ||
dir.h | ||
export.c | ||
file.c | ||
gfs2.h | ||
glock.c | ||
glock.h | ||
glops.c | ||
glops.h | ||
incore.h | ||
inode.c | ||
inode.h | ||
Kconfig | ||
lock_dlm.c | ||
log.c | ||
log.h | ||
lops.c | ||
lops.h | ||
main.c | ||
Makefile | ||
meta_io.c | ||
meta_io.h | ||
ops_fstype.c | ||
quota.c | ||
quota.h | ||
recovery.c | ||
recovery.h | ||
rgrp.c | ||
rgrp.h | ||
super.c | ||
super.h | ||
sys.c | ||
sys.h | ||
trace_gfs2.h | ||
trans.c | ||
trans.h | ||
util.c | ||
util.h | ||
xattr.c | ||
xattr.h |