mtd/fs/jffs2 readinode.c,1.107,1.108
David Woodhouse
dwmw2 at infradead.org
Fri Oct 24 09:55:26 EDT 2003
Update of /home/cvs/mtd/fs/jffs2
In directory phoenix.infradead.org:/tmp/cvs-serv9326
Modified Files:
readinode.c
Log Message:
Fix use-after-free bug in a code path which shouldn't have existed.
Index: readinode.c
===================================================================
RCS file: /home/cvs/mtd/fs/jffs2/readinode.c,v
retrieving revision 1.107
retrieving revision 1.108
diff -u -r1.107 -r1.108
--- readinode.c 4 Oct 2003 08:33:06 -0000 1.107
+++ readinode.c 24 Oct 2003 13:55:23 -0000 1.108
@@ -460,7 +460,7 @@
fn = tn->fn;
if (f->metadata) {
- if (tn->version > mdata_ver) {
+ if (likely(tn->version >= mdata_ver)) {
D1(printk(KERN_DEBUG "Obsoleting old metadata at 0x%08x\n", ref_offset(f->metadata->raw)));
jffs2_mark_node_obsolete(c, f->metadata->raw);
jffs2_free_full_dnode(f->metadata);
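Review bot: The switch from `>` to `>=` means a node whose version equals `mdata_ver` now obsoletes and frees the existing `f->metadata`, and nothing in the hunk records that this tie-break is intended. A short comment above the test, for example `/* Equal versions: keep the node being processed now and obsolete the earlier metadata */`, would document the decision for whoever next touches this ordering logic. The versions presumably come from nodes read off the medium, so duplicate versions are reachable from a damaged image and the equal case deserves an explicit mention. The enclosing function and the rest of this branch, including what happens to `f->metadata` after the free, lie outside the hunk.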
@@ -468,10 +468,13 @@
mdata_ver = 0;
} else {
- D1(printk(KERN_DEBUG "Er. New metadata at 0x%08x with ver %d is actually older than previous %d\n",
- ref_offset(f->metadata->raw), tn->version, mdata_ver));
+ /* This should never happen. */
+ printk(KERN_WARNING "Er. New metadata at 0x%08x with ver %d is actually older than previous ver %d at 0x%08x\n",
+ ref_offset(fn->raw), tn->version, mdata_ver, ref_offset(f->metadata->raw));
jffs2_mark_node_obsolete(c, fn->raw);
jffs2_free_full_dnode(fn);
+ /* Fill in latest_node from the metadata, not this one we're about to free... */
+ fn = f->metadata;
goto next_tn;
}
}
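Review bot: The new `printk(KERN_WARNING ...)` in the else branch is unconditional, and the condition it reports appears to depend on version numbers stored in the nodes themselves, so a damaged or crafted image with many out-of-order metadata nodes could flood the kernel log during inode read. Wrapping it as `if (printk_ratelimit()) printk(KERN_WARNING ...);`, where the target kernel provides it, keeps the diagnostic without that exposure. The comment would be more accurate as `/* Should not happen on a well-formed filesystem; reachable if the medium is corrupt. */`. If `tn->version` and `mdata_ver` are unsigned 32-bit (their declarations are outside the hunk), `%u` is the matching conversion rather than `%d`. The `fn = f->metadata;` fix depends on how `fn` is used after `next_tn`, which also lies outside the hunk.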