Commit 164f7e58 authored by Pan Bian's avatar Pan Bian Committed by Linus Torvalds
Browse files

ocfs2: fix potential use after free

ocfs2_get_dentry() calls iput(inode) to drop the reference count of
inode, and if the reference count hits 0, inode is freed.  However, in
this function, it then reads inode->i_generation, which may result in a
use after free bug.  Move the put operation later.

Fixes: 781f200c

("ocfs2: Remove masklog ML_EXPORT.")
Signed-off-by: default avatarPan Bian <>
Reviewed-by: default avatarAndrew Morton <>
Cc: Mark Fasheh <>
Cc: Joel Becker <>
Cc: Junxiao Bi <>
Cc: Joseph Qi <>
Cc: Changwei Ge <>
Signed-off-by: default avatarAndrew Morton <>
Signed-off-by: default avatarLinus Torvalds <>
parent 95feeabb
...@@ -125,10 +125,10 @@ static struct dentry *ocfs2_get_dentry(struct super_block *sb, ...@@ -125,10 +125,10 @@ static struct dentry *ocfs2_get_dentry(struct super_block *sb,
check_gen: check_gen:
if (handle->ih_generation != inode->i_generation) { if (handle->ih_generation != inode->i_generation) {
trace_ocfs2_get_dentry_generation((unsigned long long)blkno, trace_ocfs2_get_dentry_generation((unsigned long long)blkno,
handle->ih_generation, handle->ih_generation,
inode->i_generation); inode->i_generation);
result = ERR_PTR(-ESTALE); result = ERR_PTR(-ESTALE);
goto bail; goto bail;
} }
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment