6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Meskhidze konstantin.meskhidze@huawei.com
[ Upstream commit d81efd66106c03771ffc8637855a6ec24caa6350 ]
'old_idx' could be dereferenced after free via 'rb_link_node' function call.
Fixes: b5fda08ef213 ("ubifs: Fix memleak when insert_old_idx() failed")
Co-developed-by: Ivanov Mikhail ivanov.mikhail1@huawei-partners.com
Signed-off-by: Konstantin Meskhidze konstantin.meskhidze@huawei.com
Reviewed-by: Zhihao Cheng chengzhihao1@huawei.com
Signed-off-by: Richard Weinberger richard@nod.at
Signed-off-by: Sasha Levin sashal@kernel.org
---
 fs/ubifs/tnc.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c index 6b7d95b65f4b6..f4728e65d1bda 100644 --- a/fs/ubifs/tnc.c +++ b/fs/ubifs/tnc.c @@ -65,6 +65,7 @@ static void do_insert_old_idx(struct ubifs_info *c, else { ubifs_err(c, "old idx added twice!"); kfree(old_idx); + return; } } rb_link_node(&old_idx->rb, parent, p);
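Review bot: the new `return;` in the "old idx added twice!" branch makes `do_insert_old_idx()` free its argument and exit with nothing reported back, because the function is `static void`. The fix itself is right: without it, `rb_link_node(&old_idx->rb, parent, p)` writes into the object just released by `kfree(old_idx)` and links freed memory into the tree. What is missing is documentation of the ownership rule. A short comment above the function, or next to the `kfree()`, saying that `old_idx` is consumed on the duplicate path and must not be touched by the caller afterwards would keep a later change from reintroducing a use-after-free on the caller side. The commit message could also say that the freed node ended up linked into the rb-tree, since that is the lasting effect and not only a single stale dereference.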