[PATCH] UBIFS: add missing znode freeing in tcn_insert()
Richard Weinberger
richard.weinberger at gmail.com
Sat Mar 8 05:46:20 EST 2014
On Sat, Mar 8, 2014 at 1:11 AM, Florian Fainelli <f.fainelli at gmail.com> wrote:
> In case the zi allocation fails in the do_split label, we will fail
> to free zn, which we allocated before; add the missing kfree.
>
> Signed-off-by: Florian Fainelli <f.fainelli at gmail.com>
> ---
> fs/ubifs/tnc.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c
> index 9083bc7ed4ae..9b84d91ea530 100644
> --- a/fs/ubifs/tnc.c
> +++ b/fs/ubifs/tnc.c
> @@ -2105,8 +2105,10 @@ do_split:
> dbg_tnc("creating new zroot at level %d", znode->level + 1);
>
> zi = kzalloc(c->max_znode_sz, GFP_NOFS);
> - if (!zi)
> + if (!zi) {
> + kfree(zn);
> return -ENOMEM;
> + }
>
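Review bot: the new kfree(zn) on the kzalloc failure path cannot be taken on the strength of the commit message alone, because zn may already be referenced from the tree at this point: the context quoted in the reply below shows an earlier branch doing `zi = zn;` and, for non-leaf levels, `zbr->znode->parent = zn;`, and `insert_zbranch(zi, zbr, n);` following it. A bare kfree(zn) would leave those parent/zi references dangling, so an allocation failure would become a use-after-free rather than a leak. Either unwind what was done to zn before freeing it (restore the moved branches and their parent pointers, then kfree), or, if zn is genuinely unreferenced on this path, say so in the commit message with the reasoning; as written it only mentions the leak.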
I'm not sure whether this is correct.
Around line 2050 we have:
    ... else {
        /* Insert into new znode */
        zi = zn; <---------
        n -= keep;
        /* Re-parent */
        if (zn->level != 0)
            zbr->znode->parent = zn;
    }
And later:
    insert_zbranch(zi, zbr, n);
By freeing zn you may introduce a use-after-free bug.
--
Thanks,
//richard
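The hazard discussed in this thread is an error path that frees a node other nodes already point at. The following C program is an added illustration, not UBIFS code and not from either poster: it models a split that moves children into a new sibling and re-parents them, then shows the allocation-failure path unwinding that re-parenting before freeing the sibling, with a consistency check that would catch a dangling parent pointer. The types and names (struct tnode, split_root, move_children, fail_root_alloc) are hypothetical simplifications; the sample tree is constructed inline.

```c
/* Added example, not UBIFS code: a toy node split whose allocation-failure
 * path unwinds the re-parenting before freeing. All names are hypothetical. */
#include <errno.h>
#include <stdlib.h>

#define MAX_CHILDREN 4

struct tnode {
	struct tnode *parent, *child[MAX_CHILDREN];
	int level, child_cnt;
};

static int fail_root_alloc;	/* test hook: make the new-root allocation fail */

static struct tnode *node_alloc(int is_root)
{
	if (is_root && fail_root_alloc)
		return NULL;
	return calloc(1, sizeof(struct tnode));
}

/* Move children [keep, child_cnt) of node into zn and re-parent them to zn. */
static void move_children(struct tnode *node, struct tnode *zn, int keep)
{
	for (int i = keep; i < node->child_cnt; i++) {
		zn->child[zn->child_cnt++] = node->child[i];
		node->child[i]->parent = zn;
		node->child[i] = NULL;
	}
	node->child_cnt = keep;
}

/* Undo move_children(): hand the children back and restore their parent. */
static void unmove_children(struct tnode *node, struct tnode *zn)
{
	for (int i = 0; i < zn->child_cnt; i++) {
		node->child[node->child_cnt++] = zn->child[i];
		zn->child[i]->parent = node;
	}
	zn->child_cnt = 0;
}

/* Split a full root into (node, zn) under a new root zi. On -ENOMEM the tree
 * is left exactly as it was; a bare free(zn) there would instead leave every
 * child moved into zn with a dangling parent pointer. */
static int split_root(struct tnode **rootp)
{
	struct tnode *node = *rootp, *zn, *zi;
	int keep = node->child_cnt / 2;
	zn = node_alloc(0);
	if (!zn)
		return -ENOMEM;
	zn->level = node->level;
	move_children(node, zn, keep);	/* from here on, children point at zn */

	zi = node_alloc(1);
	if (!zi) {
		unmove_children(node, zn);	/* unlink zn before freeing it */
		free(zn);
		return -ENOMEM;
	}
	zi->level = node->level + 1;
	zi->child_cnt = 2;
	zi->child[0] = node;
	zi->child[1] = zn;
	node->parent = zn->parent = zi;
	*rootp = zi;
	return 0;
}

/* Free the tree rooted at n; return 1 if every node's parent pointer named
 * the node that held it (or NULL for the root), else 0. */
static int check_and_free(struct tnode *n, const struct tnode *parent)
{
	int ok = n->parent == parent;
	for (int i = 0; i < n->child_cnt; i++)
		ok &= check_and_free(n->child[i], n);
	free(n);
	return ok;
}

/* Build a constructed sample (level-1 root with four leaves) and split it with
 * the new-root allocation forced to fail (fail != 0) or not. Returns -1 if the
 * tree is inconsistent or the return code is wrong afterwards, else the level
 * of the root that remains: 1 when the split was unwound, 2 when it succeeded. */
static int split_and_check(int fail)
{
	struct tnode *root = node_alloc(0);
	int rc, ret;
	root->level = 1;
	for (int i = 0; i < MAX_CHILDREN; i++) {
		root->child[i] = node_alloc(0);
		root->child[i]->parent = root;
	}
	root->child_cnt = MAX_CHILDREN;
	fail_root_alloc = fail;
	rc = split_root(&root);
	fail_root_alloc = 0;
	ret = root->level;
	if (!check_and_free(root, NULL) || rc != (fail ? -ENOMEM : 0))
		ret = -1;
	return ret;
}
```

The point of the model is the order of operations in split_root: once move_children() has run, zn is reachable through the children's parent pointers, so the failure branch must undo that (unmove_children) before free(zn). Deleting the unmove_children() call reproduces the pattern the thread objects to, and check_and_free() then reports the dangling parent pointers; that kind of structural check is what a review of such an error path needs to see established, either in the commit message or in the code.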
More information about the linux-mtd mailing list