UBI: fix use-after-free on error path

When we fail to erase a PEB, we free the corresponding erase entry object,
but then re-schedule this object if the error code was something like -EAGAIN.
Obviously, it is a bug to use the object after we have freed it.

Reported-by: Emese Revfy <re.emese@gmail.com>
Cc: stable@kernel.org [v2.6.23+]
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>

1 files changed, 4 insertions, 3 deletions

diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c
index 277c429a138..0696e36b053 100644
--- a/drivers/mtd/ubi/wl.c
+++ b/drivers/mtd/ubi/wl.c
@@ -1052,7 +1052,6 @@ static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk,
 
         ubi_err("failed to erase PEB %d, error %d", pnum, err);
         kfree(wl_wrk);
-        kmem_cache_free(ubi_wl_entry_slab, e);
 
         if (err == -EINTR || err == -ENOMEM || err == -EAGAIN ||
             err == -EBUSY) {
@@ -1065,14 +1064,16 @@ static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk,
                         goto out_ro;
                 }
                 return err;
-        } else if (err != -EIO) {
+        }
+
+        kmem_cache_free(ubi_wl_entry_slab, e);
+        if (err != -EIO)
                 /*
                  * If this is not %-EIO, we have no idea what to do. Scheduling
                  * this physical eraseblock for erasure again would cause
                  * errors again and again. Well, lets switch to R/O mode.
                  */
                 goto out_ro;
-        }
 
         /* It is %-EIO, the PEB went bad */