[PATCH] jffs2: fix double free jffs2_sb_info when jffs2_parse_options failed
panxuesong at huawei.com
panxuesong at huawei.com
Fri Nov 27 08:15:30 EST 2015
From: panxuesong <panxuesong at huawei.com>
When mount jffs2 passing a invalid argument, such as "compr=xxx".
In jffs2_fill_super , function jffs2_parse_options will return failed
and then will free jffs2_sb_info for the first time.
While jffs2_fill_super failed, would call jffs2_kill_sb,
which will free jffs2_sb_info for the second time.
static int jffs2_fill_super(struct super_block *sb, void *data, int silent)
{
......
ret = jffs2_parse_options(c, data);
if (ret) {
kfree(c);
return -EINVAL;
}
......
}
static void jffs2_kill_sb(struct super_block *sb)
{
struct jffs2_sb_info *c = JFFS2_SB_INFO(sb);
if (!(sb->s_flags & MS_RDONLY))
jffs2_stop_garbage_collect_thread(c);
kill_mtd_super(sb);
kfree(c);
}
Cc: <stable at vger.kernel.org>
Signed-off-by: Pan Xuesong <panxuesong at huawei.com>
---
fs/jffs2/super.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c
index d86c5e3..20b4d84 100644
--- a/fs/jffs2/super.c
+++ b/fs/jffs2/super.c
@@ -286,7 +286,6 @@ static int jffs2_fill_super(struct super_block *sb, void *data, int silent)
ret = jffs2_parse_options(c, data);
if (ret) {
- kfree(c);
return -EINVAL;
}
--
1.8.0
More information about the linux-mtd
mailing list