diff options
author | Hidehiro Kawai <hidehiro.kawai.ez@hitachi.com> | 2008-10-27 22:53:05 -0400 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2008-10-27 22:53:05 -0400 |
commit | ef2cabf7c6d838eb0ee2b4fb8ef84f7c06ce16d9 (patch) | |
tree | 64c3c14ae4a3717c6c193773d87e31f5facc569e | |
parent | 44d6f78756560e95903de239e10f8a40a6eae444 (diff) |
ext4: fix a bug accessing freed memory in ext4_abort
Vegard Nossum reported a bug which accesses freed memory (found via
kmemcheck). When journal has been aborted, ext4_put_super() calls
ext4_abort() after freeing the journal_t object, and then ext4_abort()
accesses it. This patch fix it.
Signed-off-by: Hidehiro Kawai <hidehiro.kawai.ez@hitachi.com>
Acked-by: Jan Kara <jack@suse.cz>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
-rw-r--r-- | fs/ext4/super.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/fs/ext4/super.c b/fs/ext4/super.c index bdddea14e782..994859df010e 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c | |||
@@ -333,7 +333,8 @@ void ext4_abort(struct super_block *sb, const char *function, | |||
333 | EXT4_SB(sb)->s_mount_state |= EXT4_ERROR_FS; | 333 | EXT4_SB(sb)->s_mount_state |= EXT4_ERROR_FS; |
334 | sb->s_flags |= MS_RDONLY; | 334 | sb->s_flags |= MS_RDONLY; |
335 | EXT4_SB(sb)->s_mount_opt |= EXT4_MOUNT_ABORT; | 335 | EXT4_SB(sb)->s_mount_opt |= EXT4_MOUNT_ABORT; |
336 | jbd2_journal_abort(EXT4_SB(sb)->s_journal, -EIO); | 336 | if (EXT4_SB(sb)->s_journal) |
337 | jbd2_journal_abort(EXT4_SB(sb)->s_journal, -EIO); | ||
337 | } | 338 | } |
338 | 339 | ||
339 | void ext4_warning(struct super_block *sb, const char *function, | 340 | void ext4_warning(struct super_block *sb, const char *function, |
@@ -442,14 +443,16 @@ static void ext4_put_super(struct super_block *sb) | |||
442 | { | 443 | { |
443 | struct ext4_sb_info *sbi = EXT4_SB(sb); | 444 | struct ext4_sb_info *sbi = EXT4_SB(sb); |
444 | struct ext4_super_block *es = sbi->s_es; | 445 | struct ext4_super_block *es = sbi->s_es; |
445 | int i; | 446 | int i, err; |
446 | 447 | ||
447 | ext4_mb_release(sb); | 448 | ext4_mb_release(sb); |
448 | ext4_ext_release(sb); | 449 | ext4_ext_release(sb); |
449 | ext4_xattr_put_super(sb); | 450 | ext4_xattr_put_super(sb); |
450 | if (jbd2_journal_destroy(sbi->s_journal) < 0) | 451 | err = jbd2_journal_destroy(sbi->s_journal); |
451 | ext4_abort(sb, __func__, "Couldn't clean up the journal"); | ||
452 | sbi->s_journal = NULL; | 452 | sbi->s_journal = NULL; |
453 | if (err < 0) | ||
454 | ext4_abort(sb, __func__, "Couldn't clean up the journal"); | ||
455 | |||
453 | if (!(sb->s_flags & MS_RDONLY)) { | 456 | if (!(sb->s_flags & MS_RDONLY)) { |
454 | EXT4_CLEAR_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER); | 457 | EXT4_CLEAR_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER); |
455 | es->s_state = cpu_to_le16(sbi->s_mount_state); | 458 | es->s_state = cpu_to_le16(sbi->s_mount_state); |