-
Masatake YAMATO authored
This patch fixes buffer_head double free in following code path: gfs2_block_map => gfs2_meta_inode_buffer => gfs2_meta_indirect_buffer => gfs2_meta_read => release_metapath gfs2_block_map calls gfs2_meta_inode_buffer with &mp.mp_bh[0] as an argument. mp.mp_bh are filled with zero at the beginning of gfs2_block_map. If gfs2_meta_inode_buffer returns non-zero value, gfs2_block_map calls release_metapath to free buffers chained to mp.mp_bh. release_metapath checks each slot of mp.mp_bh[i] and free(with brelse) unless the slot is filled with NULL. &mp.mp_bh[0] passed to gfs2_meta_inode_buffer is filled at gfs2_meta_read. gfs2_meta_read is filled a buffer allocated with gfs2_getbuf even if EIO occurs. When EIO occurs, the allocated buffer is brelse'ed though the pointer(wrong poiner) points the brelse'ed is passed back to caller via an argument bhp. gfs2_meta_indirect_buffer, the caller also pass the wrong pointer to its caller with EIO. Finally gfs2_block_map gets both EIO and &mp.mp_bh[0] filled with the wrong pointer. release_metapath calls brelse again on the wrong pointer. Signed-off-by:
Masatake YAMATO <yamato@redhat.com> Signed-off-by:
Steven Whitehouse <swhiteho@redhat.com>
44b8db13
