git.ipfire.org Git - thirdparty/linux.git/commitdiff
hfs: fix potential use after free in hfs_correct_next_unused_CNID()
author Dan Carpenter <dan.carpenter@linaro.org>
Fri, 3 Oct 2025 09:30:43 +0000 (12:30 +0300)
committer Viacheslav Dubeyko <slava@dubeyko.com>
Thu, 6 Nov 2025 19:07:16 +0000 (11:07 -0800)
This code calls hfs_bnode_put(node) which drops the refcount and then
dereferences "node" on the next line.  It's only safe to use "node"
when we're holding a reference so flip these two lines around.

Fixes: a06ec283e125 ("hfs: add logic of correcting a next unused CNID")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/aN-Xw8KnbSnuIcLk@stanley.mountain
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
fs/hfs/catalog.c

index caebabb6642f165f9e32ade2c84219cde939254d..b80ba40e38776123759df4b85c7f65daa19c6436 100644 (file)
@@ -322,9 +322,9 @@ int hfs_correct_next_unused_CNID(struct super_block *sb, u32 cnid)
                        }
                }
 
+               node_id = node->prev;
                hfs_bnode_put(node);
 
-               node_id = node->prev;
        } while (node_id >= leaf_head);
 
        return -ENOENT;
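
Review bot: a style nit at the end of the loop body: with the old `node_id = node->prev;` line removed, the blank context line after `hfs_bnode_put(node);` now sits directly before `} while (node_id >= leaf_head);`, so the block ends with a stray empty line. Consider dropping that blank line and keeping the one above the new assignment. The ordering itself is right: `node->prev` is read into `node_id` while the reference is still held, and nothing in the visible lines touches `node` after the put, since the loop condition only uses the local `node_id`. A short comment above the assignment saying that `node` must not be used after `hfs_bnode_put()` would help keep a later cleanup from swapping the two lines back.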