Use kzalloc() to allocate memory in jffs2_fill_super(). Freeing memory when jffs2_parse_options() fails will cause use-after-free and double-free in jffs2_kill_sb().

Reference: commit 92e2921f7eee6345 ("jffs2: free jffs2_sb_info through jffs2_kill_sb()")

This makes the code difficult to understand: the code path between memory allocation and free is too long.

The reason for this problem is: before the jffs2_parse_options() check, "sb->s_fs_info = c;" has been executed, so jffs2_sb_info has been assigned to super_block. We can move "sb->s_fs_info = c;" to the success branch of the function jffs2_parse_options() and free jffs2_sb_info in the failure branch to make the code easier to understand.

Signed-off-by: Xiaoming Ni <nixiaoming@xxxxxxxxxx>
---
 fs/jffs2/super.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c index af4aa65..bbdae72 100644 --- a/fs/jffs2/super.c +++ b/fs/jffs2/super.c @@ -280,11 +280,13 @@ static int jffs2_fill_super(struct super_block *sb, void *data, int silent) c->mtd = sb->s_mtd; c->os_priv = sb; - sb->s_fs_info = c; ret = jffs2_parse_options(c, data); - if (ret) + if (ret) { + kfree(c); return -EINVAL; + } + sb->s_fs_info = c; /* Initialize JFFS2 superblock locks, the further initialization will * be done later */
-- 
1.8.5.6
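Review bot: the commit message's opening sentence reads as if adding `kfree(c)` in the jffs2_parse_options() failure branch reintroduces the use-after-free and double-free that commit 92e2921f7eee6345 fixed; the reason it does not is that `sb->s_fs_info = c;` is now assigned only after the options parse succeeds, so jffs2_kill_sb() never sees the freed object. Please state that explicitly in the message, and confirm that jffs2_kill_sb() tolerates a NULL s_fs_info on this early-failure path, since that is what the `+ kfree(c);` / `return -EINVAL;` branch now relies on.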