From patchwork Wed Aug 31 15:57:24 2011
X-Patchwork-Submitter: Tao Ma
X-Patchwork-Id: 112602
From: Tao Ma
To: linux-ext4@vger.kernel.org
Cc: Jan Kara
Subject: [PATCH ] ext3: Fix a possible corruption in dx_probe.
Date: Wed, 31 Aug 2011 23:57:24 +0800
Message-Id: <1314806244-8434-1-git-send-email-tm@tao.ma>
From: Tao Ma For all the callers of dx_probe, frame_in is passed in uninitialized. So we should set frame->bh to NULL in the beginning of while, not the end. Otherwise, the first "goto fail2" will try to brelse(frame->bh) while frame->bh is still invalid. Cc: Jan Kara Signed-off-by: Tao Ma --- fs/ext3/namei.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/fs/ext3/namei.c b/fs/ext3/namei.c index 34b6d9b..45468b9 100644 --- a/fs/ext3/namei.c +++ b/fs/ext3/namei.c @@ -404,6 +404,7 @@ dx_probe(struct qstr *entry, struct inode *dir, dxtrace (printk("Look up %x", hash)); while (1) { + frame->bh = NULL; count = dx_get_count(entries); if (!count || count > dx_get_limit(entries)) { ext3_warning(dir->i_sb, __func__, @@ -458,7 +459,6 @@ dx_probe(struct qstr *entry, struct inode *dir, goto fail2; } frame++; - frame->bh = NULL; } fail2: while (frame >= frame_in) {
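Review bot: in the first hunk (@@ -404,6 +404,7 @@), the new `frame->bh = NULL;` at the top of `while (1)` carries no comment, and the reason it has to be the first statement is only in the changelog: callers pass `frame_in` uninitialized, and the `fail2` loop walks from `frame` back to `frame_in` and calls brelse(frame->bh) on each entry. A one-line comment above the assignment, for example `/* frame_in is not initialized by callers; fail2 releases frame->bh */`, would keep a later cleanup from moving the assignment back to the end of the loop and reintroducing the release of a garbage pointer on the first `goto fail2`.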
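Review bot: in the second hunk (@@ -458,7 +459,6 @@), dropping `frame->bh = NULL;` right after `frame++` leaves the newly advanced frame uninitialized until the next iteration's first statement. That is safe only because `frame++` is now the last statement of the loop body, so no `goto fail2` can run in between, and the cleanup `while (frame >= frame_in)` starts from that same `frame`. Consider keeping this line where it was and clearing the first frame's `bh` once before `while (1)` instead, so that every frame is set to NULL at the point it becomes reachable from `fail2` and the fix does not depend on statement order inside the loop.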