--- /dev/null
+From ecebf55d27a11538ea84aee0be643dd953f830d5 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 25 Nov 2018 08:58:02 +0800
+Subject: ext2: fix potential use after free
+
+From: Pan Bian <bianpan2016@163.com>
+
+commit ecebf55d27a11538ea84aee0be643dd953f830d5 upstream.
+
+The function ext2_xattr_set calls brelse(bh) to drop the reference count
+of bh. After that, bh may be freed. However, following brelse(bh),
+it reads bh->b_data via macro HDR(bh). This may result in a
+use-after-free bug. This patch moves brelse(bh) after reading field.
+
+CC: stable@vger.kernel.org
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext2/xattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext2/xattr.c
++++ b/fs/ext2/xattr.c
+@@ -606,9 +606,9 @@ skip_replace:
+ }
+
+ cleanup:
+- brelse(bh);
+ if (!(bh && header == HDR(bh)))
+ kfree(header);
++ brelse(bh);
+ up_write(&EXT2_I(inode)->xattr_sem);
+
+ return error;
alsa-wss-fix-invalid-snd_free_pages-at-error-path.patch
alsa-ac97-fix-incorrect-bit-shift-at-ac97-spsa-control-write.patch
alsa-sparc-fix-invalid-snd_free_pages-at-error-path.patch
+ext2-fix-potential-use-after-free.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
