fs/adfs: super: fix use-after-free bug [Linux 4.9.188]

This Linux kernel change, "fs/adfs: super: fix use-after-free bug", is included in the Linux 4.9.188 release. It was authored by Russell King <rmk+kernel [at] armlinux.org.uk> on Tue Jun 4 14:50:14 2019 +0100. The commit in the Linux stable tree is 820402d (patch), a backport of upstream commit 5808b14. The same upstream change may have been applied to other maintained Linux releases; all releases containing upstream 5808b14 can be located from that commit.

fs/adfs: super: fix use-after-free bug

[ Upstream commit 5808b14a1f52554de612fee85ef517199855e310 ]

Fix a use-after-free bug during filesystem initialisation, where we
access the disc record (which is stored in a buffer) after we have
released the buffer.

Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
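
The following is an added userspace model of the ordering bug the commit message describes; it is not kernel code and not part of the original page. The names `model_bread`, `model_brelse`, `model_set_blocksize`, `fill_super_before`, `fill_super_after`, the block size `MODEL_BLOCK`, the offset `DISCRECORD_OFF` and the poison byte are all constructed stand-ins for the kernel's `sb_bread()`, `brelse()` and `sb_set_blocksize()`; the "on-disk" block is likewise constructed. Releasing the buffer here overwrites its contents (as a freed slab object would under poisoning) but keeps the storage mapped, so the stale read in the pre-patch ordering is observable rather than undefined behaviour.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: a constructed model of reading the disc
 * record out of a buffer after the buffer has been released. Every name
 * below is a hypothetical stand-in for the kernel API it imitates. */

#define MODEL_BLOCK    1024   /* size of the cached block in this model (assumed) */
#define DISCRECORD_OFF 0x1c0  /* assumed offset of the disc record inside it */
#define POISON_FREE    0x6b   /* byte written over a released buffer, like slab poison */

struct disc_record {          /* only the field this patch touches */
    uint8_t log2secsize;      /* sector size is 1 << log2secsize */
};

struct buffer_head {
    unsigned char *b_data;
    int b_count;
};

struct super_block_model {
    unsigned int s_blocksize;
};

/* Constructed "on-disk" block and a single-slot buffer cache. */
static unsigned char disk_image[MODEL_BLOCK];
static unsigned char cache_data[MODEL_BLOCK];
static struct buffer_head cache_bh;

/* Bring the block into the cache and hand out one reference (cf. sb_bread). */
static struct buffer_head *model_bread(void)
{
    memset(disk_image, 0, sizeof disk_image);
    disk_image[DISCRECORD_OFF] = 9;            /* log2secsize = 9: 512-byte sectors */
    memcpy(cache_data, disk_image, MODEL_BLOCK);
    cache_bh.b_data = cache_data;
    cache_bh.b_count = 1;
    return &cache_bh;
}

/* Drop the reference (cf. brelse). When it hits zero the contents are
 * overwritten; the storage stays mapped so a stale read is visible. */
static void model_brelse(struct buffer_head *bh)
{
    if (--bh->b_count == 0)
        memset(bh->b_data, POISON_FREE, MODEL_BLOCK);
}

/* Cf. sb_set_blocksize: accept a sane power of two, return 0 otherwise. */
static unsigned int model_set_blocksize(struct super_block_model *sb, unsigned int size)
{
    if (size < 512 || size > 4096 || (size & (size - 1)))
        return 0;
    sb->s_blocksize = size;
    return size;
}

/* Range-check the exponent before shifting so garbage cannot cause UB. */
static int apply_blocksize(struct super_block_model *sb, unsigned int log2)
{
    if (log2 > 12 || !model_set_blocksize(sb, 1U << log2))
        return -EINVAL;
    return 0;
}

/* Pre-patch ordering: release the buffer, then dereference dr. */
static int fill_super_before(struct super_block_model *sb)
{
    struct buffer_head *bh = model_bread();
    struct disc_record *dr = (struct disc_record *)(bh->b_data + DISCRECORD_OFF);

    model_brelse(bh);
    return apply_blocksize(sb, dr->log2secsize);   /* reads the released buffer */
}

/* Patched ordering: copy the needed field out before releasing the buffer. */
static int fill_super_after(struct super_block_model *sb)
{
    struct buffer_head *bh = model_bread();
    struct disc_record *dr = (struct disc_record *)(bh->b_data + DISCRECORD_OFF);
    unsigned int log2 = dr->log2secsize;

    model_brelse(bh);
    return apply_blocksize(sb, log2);
}

int main(void)
{
    struct super_block_model sb = {0};
    int rc;

    rc = fill_super_before(&sb);
    printf("before: rc=%d blocksize=%u\n", rc, sb.s_blocksize);
    rc = fill_super_after(&sb);
    printf("after:  rc=%d blocksize=%u\n", rc, sb.s_blocksize);
    return 0;
}
```

In the model the stale read returns the poison byte, so the pre-patch path fails loudly with -EINVAL while the patched path sets a 512-byte block size. On a real kernel without slab poisoning the released page usually still holds the old bytes, so the bug is latent and only shows up when the memory is reused or debugging options are on; that is why this class of bug survives review and testing as long as it does.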

This change adds or deletes 5 lines of Linux source code. The code changes to the Linux kernel are as follows.

 fs/adfs/super.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/adfs/super.c b/fs/adfs/super.c
index c9fdfb1..e42c300 100644
--- a/fs/adfs/super.c
+++ b/fs/adfs/super.c
@@ -368,6 +368,7 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
    struct buffer_head *bh;
    struct object_info root_obj;
    unsigned char *b_data;
+   unsigned int blocksize;
    struct adfs_sb_info *asb;
    struct inode *root;
    int ret = -EINVAL;
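Review bot: the new local `blocksize` is declared `unsigned int`, but the value assigned to it in the next hunk is `1 << dr->log2secsize`, a signed `int` shift; either declare it `int` to match that expression or compute it as `1U << dr->log2secsize` so the declaration and the shift agree.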
@@ -419,8 +420,10 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
        goto error_free_bh;
    }

+   blocksize = 1 << dr->log2secsize;
    brelse(bh);
-   if (sb_set_blocksize(sb, 1 << dr->log2secsize)) {
+
+   if (sb_set_blocksize(sb, blocksize)) {
        bh = sb_bread(sb, ADFS_DISCRECORD / sb->s_blocksize);
        if (!bh) {
            adfs_error(sb, "couldn't read superblock on "
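Review bot: the hunk moves the one post-`brelse(bh)` use of `dr` visible here into `blocksize`, but the context ends right after `sb_bread()`, so it is not visible whether any other field of `dr`, which still points into the released buffer, is read later in adfs_fill_super; confirm that, otherwise the same bug remains in another form. The added blank line after `brelse(bh);` is whitespace churn unrelated to the fix and could be dropped from the stable backport.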
