jffs2: fix double free jffs2_sb_info when jffs2_parse_options failed

Message ID 1448630130-8640-1-git-send-email-panxuesong@huawei.com
State Not Applicable
Delegated to: David Woodhouse

Commit Message

panxuesong@huawei.com Nov. 27, 2015, 1:15 p.m. UTC
From: panxuesong <panxuesong@huawei.com>

When mounting jffs2 with an invalid argument, such as "compr=xxx":
in jffs2_fill_super, the function jffs2_parse_options returns failure,
and jffs2_sb_info is then freed for the first time.

When jffs2_fill_super fails, jffs2_kill_sb is called,
which frees jffs2_sb_info for the second time.

static int jffs2_fill_super(struct super_block *sb, void *data, int silent)
{
	......
	ret = jffs2_parse_options(c, data);
	if (ret) {
		kfree(c);
		return -EINVAL;
	}

	......
}

static void jffs2_kill_sb(struct super_block *sb)
{
	struct jffs2_sb_info *c = JFFS2_SB_INFO(sb);
	if (!(sb->s_flags & MS_RDONLY))
		jffs2_stop_garbage_collect_thread(c);
	kill_mtd_super(sb);
	kfree(c);
}

Cc: <stable@vger.kernel.org>
Signed-off-by: Pan Xuesong <panxuesong@huawei.com>

---
 fs/jffs2/super.c | 1 -
 1 file changed, 1 deletion(-)

Patch

diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c
index d86c5e3..20b4d84 100644
--- a/fs/jffs2/super.c
+++ b/fs/jffs2/super.c
@@ -286,7 +286,6 @@  static int jffs2_fill_super(struct super_block *sb, void *data, int silent)
 
 	ret = jffs2_parse_options(c, data);
 	if (ret) {
-		kfree(c);
 		return -EINVAL;
 	}
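
Review bot: in the if (ret) branch after jffs2_parse_options, freeing c is now left entirely to jffs2_kill_sb, which is only correct if JFFS2_SB_INFO(sb) already returns c when this branch is taken; please state that in the changelog, since otherwise the change trades the double free for a leak. The changelog could also note that jffs2_kill_sb passes c to jffs2_stop_garbage_collect_thread(c) before its kfree(c) when the mount is not MS_RDONLY, so the old path was a use after free as well as a double free, and that call now runs on a c whose option parsing failed. Two smaller points: the branch is down to a single statement, so the braces can go, and return -EINVAL discards ret, so consider returning ret instead.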