From: Pan Bian
To: linux-kernel@vger.kernel.org
Cc: Kai Bankett , Pan Bian
Subject: [PATCH] fs/qnx6: set bh1 and bh2 to NULL after dropping references
Date: Mon, 26 Nov 2018 10:21:28 +0800
Message-Id: <1543198888-36464-1-git-send-email-bianpan2016@163.com>

The function qnx6_fill_super drops the reference to bh2 via brelse when superblock 1 is activated; otherwise it drops the reference to bh1 when superblock 2 is activated. If an error occurs after that, it will try to drop the references to bh1 and bh2 again. This may result in use-after-free bugs. The patch sets bh1 and bh2 to NULL after their reference counts are decreased.

Signed-off-by: Pan Bian
---
 fs/qnx6/inode.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/qnx6/inode.c b/fs/qnx6/inode.c index 4aeb26b..e8a8536 100644 --- a/fs/qnx6/inode.c +++ b/fs/qnx6/inode.c @@ -405,12 +405,14 @@ static int qnx6_fill_super(struct super_block *s, void *data, int silent) sbi->sb_buf = bh1; sbi->sb = (struct qnx6_super_block *)bh1->b_data; brelse(bh2); + bh2 = NULL; pr_info("superblock #1 active\n"); } else { /* superblock #2 active */ sbi->sb_buf = bh2; sbi->sb = (struct qnx6_super_block *)bh2->b_data; brelse(bh1); + bh1 = NULL; pr_info("superblock #2 active\n"); } mmi_success: -- 2.7.4
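Review bot: The two `bh2 = NULL;` / `bh1 = NULL;` lines are correct only because brelse() is a no-op on a NULL pointer, and the error path that performs the second brelse(bh1)/brelse(bh2) lies outside this hunk's context, so neither fact can be checked from the diff alone; please name the error label reached after this point in the commit message so the double release is verifiable. Since the hunk also shows `sbi->sb_buf = bh1;` (or `bh2`) taking ownership of the surviving buffer, an alternative worth considering is to have the post-activation error path release sbi->sb_buf once instead of the two locals, which makes the ownership explicit rather than relying on NULL-tolerant cleanup.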