fs/adfs: super: fix use-after-free bug

Fix a use-after-free bug during filesystem initialisation, where we access the disc record (which is stored in a buffer) after we have released the buffer. Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
author: Russell King <rmk+kernel@armlinux.org.uk> 2019-06-04 09:50:14 -0400
committer: Al Viro <viro@zeniv.linux.org.uk> 2019-06-26 20:14:14 -0400
commit: 5808b14a1f52554de612fee85ef517199855e310 (patch)
tree: 6aa2ac442dde17775864cc712af6c38b3c674eca /fs/adfs/super.c
parent: 4c5762f5f5e31d493678b0ee6f73585355dd3638 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/fs/adfs/super.c b/fs/adfs/super.c
index 2f81c1c29757..b1243433add7 100644
--- a/fs/adfs/super.c
+++ b/fs/adfs/super.c
@@ -378,6 +378,7 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
        struct buffer_head *bh;
        struct object_info root_obj;
        unsigned char *b_data;
+        unsigned int blocksize;
        struct adfs_sb_info *asb;
        struct inode *root;
        int ret = -EINVAL;
@@ -423,8 +424,10 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
                goto error_badfs;
        }
+        blocksize = 1 << dr->log2secsize;
        brelse(bh);
-        if (sb_set_blocksize(sb, 1 << dr->log2secsize)) {
+        if (sb_set_blocksize(sb, blocksize)) {
                bh = sb_bread(sb, ADFS_DISCRECORD / sb->s_blocksize);
                if (!bh) {
                        adfs_msg(sb, KERN_ERR,
author	Russell King <rmk+kernel@armlinux.org.uk>	2019-06-04 09:50:14 -0400
committer	Al Viro <viro@zeniv.linux.org.uk>	2019-06-26 20:14:14 -0400
commit	5808b14a1f52554de612fee85ef517199855e310 (patch)
tree	6aa2ac442dde17775864cc712af6c38b3c674eca /fs/adfs/super.c
parent	4c5762f5f5e31d493678b0ee6f73585355dd3638 (diff)

diff --git a/fs/adfs/super.c b/fs/adfs/super.c index 2f81c1c29757..b1243433add7 100644 --- a/fs/adfs/super.c +++ b/fs/adfs/super.c
@@ -378,6 +378,7 @@ static int adfs_fill_super(struct super_block sb, void data, int silent)
378	struct buffer_head *bh;	378	struct buffer_head *bh;
379	struct object_info root_obj;	379	struct object_info root_obj;
380	unsigned char *b_data;	380	unsigned char *b_data;
		381	unsigned int blocksize;
381	struct adfs_sb_info *asb;	382	struct adfs_sb_info *asb;
382	struct inode *root;	383	struct inode *root;
383	int ret = -EINVAL;	384	int ret = -EINVAL;
@@ -423,8 +424,10 @@ static int adfs_fill_super(struct super_block sb, void data, int silent)
423	goto error_badfs;	424	goto error_badfs;
424	}	425	}
425		426
		427	blocksize = 1 << dr->log2secsize;
426	brelse(bh);	428	brelse(bh);
427	if (sb_set_blocksize(sb, 1 << dr->log2secsize)) {	429
		430	if (sb_set_blocksize(sb, blocksize)) {
428	bh = sb_bread(sb, ADFS_DISCRECORD / sb->s_blocksize);	431	bh = sb_bread(sb, ADFS_DISCRECORD / sb->s_blocksize);
429	if (!bh) {	432	if (!bh) {
430	adfs_msg(sb, KERN_ERR,	433	adfs_msg(sb, KERN_ERR,