From patchwork Tue May 9 14:42:31 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 98920
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Lukas Czerner
Subject: [PATCH for-3.18 07/24] ext4: fix potential use after free in __ext4_journal_stop
Date: Tue, 9 May 2017 20:12:31 +0530
Message-Id: <1494340968-17152-8-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: stable@vger.kernel.org

From: Lukas Czerner

commit 6934da9238da947628be83635e365df41064b09b upstream.

There is a use-after-free possibility in __ext4_journal_stop() in the
case that we free the handle in the first jbd2_journal_stop() because
we're referencing handle->h_err afterwards. This was introduced in
9705acd63b125dee8b15c705216d7186daea4625 and it is wrong.

Fix it by storing the handle->h_err value beforehand and avoid
referencing potentially freed handle.

Fixes: 9705acd63b125dee8b15c705216d7186daea4625
Signed-off-by: Lukas Czerner
Reviewed-by: Andreas Dilger
Cc: stable@vger.kernel.org
Signed-off-by: Amit Pundir
---
 fs/ext4/ext4_jbd2.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--
2.7.4

diff --git a/fs/ext4/ext4_jbd2.c b/fs/ext4/ext4_jbd2.c index d41843181818..e770c1ee4613 100644 --- a/fs/ext4/ext4_jbd2.c +++ b/fs/ext4/ext4_jbd2.c
@@ -88,13 +88,13 @@ int __ext4_journal_stop(const char *where, unsigned int line, handle_t *handle) return 0; } + err = handle->h_err; if (!handle->h_transaction) { - err = jbd2_journal_stop(handle); - return handle->h_err ? handle->h_err : err; + rc = jbd2_journal_stop(handle); + return err ? err : rc; } sb = handle->h_transaction->t_journal->j_private; - err = handle->h_err; rc = jbd2_journal_stop(handle); if (!err)
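
Review bot: The new `err = handle->h_err;` line has no comment saying why h_err must be captured before either jbd2_journal_stop() call, and that ordering is the entire fix. The commit message states that the first jbd2_journal_stop() can free the handle, so a one-line comment at that assignment (for example "handle may be freed by jbd2_journal_stop(), do not dereference it after this point") would keep a later cleanup from reintroducing a `handle->h_err` read after the call, which is how 9705acd63b125dee8b15c705216d7186daea4625 introduced the bug. The `sb` lookup through handle->h_transaction is already done before the second jbd2_journal_stop(), which is the right order. The visible context ends at `if (!err)`, so for this 3.18 backport it is worth confirming that nothing further down in __ext4_journal_stop() dereferences handle again.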