Commit d0f17d38 authored by Bob Peterson's avatar Bob Peterson Committed by Andreas Gruenbacher
Browse files

gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free 



Function gfs2_clear_rgrpd calls kfree(rgd->rd_bits) before calling
return_all_reservations, but return_all_reservations still dereferences
rgd->rd_bits in __rs_deltree.  Fix that by moving the call to kfree below the
call to return_all_reservations.

Signed-off-by: default avatarBob Peterson <rpeterso@redhat.com>
Signed-off-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
parent 4525c878

fs/gfs2/rgrp.c

+1 −1
Original line number Diff line number Diff line
@@ -719,9 +719,9 @@ void gfs2_clear_rgrpd(struct gfs2_sbd *sdp) 
		}



		gfs2_free_clones(rgd);

		return_all_reservations(rgd);

		kfree(rgd->rd_bits);

		rgd->rd_bits = NULL;

		return_all_reservations(rgd);

		kmem_cache_free(gfs2_rgrpd_cachep, rgd);

	}

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE