[PATCH] ubifs: fix possible dereference after free

Zhihao Cheng chengzhihao1 at huawei.com
Tue Sep 5 18:42:27 PDT 2023


On 2023/9/5 18:12, Konstantin Meskhidze wrote:
> 'old_idx' could be dereferenced after free via 'rb_link_node' function
> call.
> 
> Fixes: b5fda08ef213 ("ubifs: Fix memleak when insert_old_idx() failed")
> Co-developed-by: Ivanov Mikhail <ivanov.mikhail1 at huawei-partners.com>
> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze at huawei.com>
> ---
>   fs/ubifs/tnc.c | 1 +
>   1 file changed, 1 insertion(+)
> 

Only for static alarms, although it couldn't happen in theory.

Reviewed-by: Zhihao Cheng <chengzhihao1 at huawei.com>

> diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c
> index 6b7d95b65f4b..f4728e65d1bd 100644
> --- a/fs/ubifs/tnc.c
> +++ b/fs/ubifs/tnc.c
> @@ -64,8 +64,9 @@ static void do_insert_old_idx(struct ubifs_info *c,
>   			p = &(*p)->rb_right;
>   		else {
>   			ubifs_err(c, "old idx added twice!");
>   			kfree(old_idx);
> +			return;
>   		}
>   	}
>   	rb_link_node(&old_idx->rb, parent, p);
>   	rb_insert_color(&old_idx->rb, &c->old_idx);
> 
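Review bot: the added `return;` after `kfree(old_idx);` is the right fix, and the spot is the right one. The else branch neither advances p nor leaves the loop, so once the duplicate is detected the freed old_idx is either hit again on the next iteration of the loop closed by the `}` at the end of the hunk or reaches `rb_link_node(&old_idx->rb, parent, p)` and `rb_insert_color(&old_idx->rb, &c->old_idx)` below it, which is the dereference after free the commit message describes. One follow-up worth considering: on this path the function frees the object it was handed and only reports the problem through ubifs_err (the function returns void), so the comment on do_insert_old_idx should state that ownership of old_idx passes to the callee and the caller must not touch it after the call, whatever the outcome.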

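The pattern behind the patch, shown as a stand-alone model rather than the kernel's fs/ubifs/tnc.c code: a caller-allocated node keyed by (lnum, offs) is inserted into a tree, and on a duplicate key the insert function frees the node and returns immediately, so the freed pointer never reaches the link step. The struct old_idx, old_idx_insert() and the plain binary search tree below are assumptions for illustration standing in for struct ubifs_old_idx, do_insert_old_idx() and the kernel rbtree; the example also reports the duplicate to the caller through a return code, which the kernel function (returning void) does not do.

```c
/* Added example, not the ubifs code: a stand-alone model of the
 * duplicate-key path in a (lnum, offs)-keyed binary search tree.
 * struct old_idx, old_idx_insert() and the plain BST are stand-ins
 * (assumptions) for struct ubifs_old_idx, do_insert_old_idx() and the
 * kernel rbtree. */
#include <stdio.h>
#include <stdlib.h>

struct old_idx {
	int lnum;
	int offs;
	struct old_idx *left, *right;
};

struct old_idx_tree {
	struct old_idx *root;
	int count;
};

/* Insert a caller-allocated node. Ownership of n passes to the tree.
 * On a duplicate (lnum, offs) the node is freed here and -1 is returned;
 * the caller must not touch n afterwards. The immediate return is what
 * keeps the freed pointer away from the link step at the bottom. */
static int old_idx_insert(struct old_idx_tree *t, struct old_idx *n)
{
	struct old_idx **p = &t->root;

	if (!n)
		return -1;

	while (*p) {
		struct old_idx *o = *p;

		if (n->lnum < o->lnum)
			p = &o->left;
		else if (n->lnum > o->lnum)
			p = &o->right;
		else if (n->offs < o->offs)
			p = &o->left;
		else if (n->offs > o->offs)
			p = &o->right;
		else {
			fprintf(stderr, "old idx added twice! (%d:%d)\n",
				n->lnum, n->offs);
			free(n);
			return -1; /* without this, the freed n reaches *p = n below */
		}
	}
	n->left = n->right = NULL;
	*p = n;
	t->count++;
	return 0;
}

static struct old_idx *old_idx_new(int lnum, int offs)
{
	struct old_idx *n = calloc(1, sizeof(*n));

	if (!n)
		return NULL;
	n->lnum = lnum;
	n->offs = offs;
	return n;
}

static void old_idx_free_all(struct old_idx *n)
{
	if (!n)
		return;
	old_idx_free_all(n->left);
	old_idx_free_all(n->right);
	free(n);
}

/* Constructed scenario: three distinct keys, then one duplicate of the
 * first. Returns the number of nodes left in the tree and stores the
 * number of rejected inserts in *rejected. */
int old_idx_duplicate_demo(int *rejected)
{
	struct old_idx_tree t = { NULL, 0 };
	struct old_idx *dup;
	int rej = 0;
	int count;

	old_idx_insert(&t, old_idx_new(5, 100));
	old_idx_insert(&t, old_idx_new(3, 0));
	old_idx_insert(&t, old_idx_new(5, 200));

	dup = old_idx_new(5, 100);
	if (old_idx_insert(&t, dup) < 0)
		rej++; /* dup was freed inside the insert; do not use it */

	if (rejected)
		*rejected = rej;
	count = t.count;
	old_idx_free_all(t.root);
	return count;
}
```

The scenario leaves three nodes in the tree and one rejected insert; the point to take from it is the ownership rule in the comment on old_idx_insert(), which is exactly what the missing `return` in the kernel function violated.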