Message ID | tencent_BEF36CE365896CC3B36456B765576766C105@qq.com (mailing list archive) |
---|---|
State | New, archived |
Series | f2fs: fix uaf in destroy_device_list |
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index d00d21a8b53a..9939e2445b1e 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c @@ -4879,6 +4879,7 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) free_sbi: if (sbi->s_chksum_driver) crypto_free_shash(sbi->s_chksum_driver); + sb->s_fs_info = NULL; kfree(sbi); /* give only one another chance */
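Review bot: the commit body should state which later path dereferences the stale sb->s_fs_info (the series title points at destroy_device_list, but the body only says "the current issue"), so that a reader of the change can see why clearing the back-pointer in the free_sbi label of f2fs_fill_super is sufficient. The ordering in the hunk, `sb->s_fs_info = NULL;` placed before `kfree(sbi);`, is the right one: nothing that runs after the free can pick up the old pointer, and the retry signalled by the "give only one another chance" comment starts from a super_block with no dangling private data.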
When the call to f2fs_fill_super() fails, only the memory occupied by sbi is released, but s_fs_info is not set to NULL, which causes the current issue to occur.

Reported-and-tested-by: syzbot+a5e651ca75fa0260acd5@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
fs/f2fs/super.c | 1 +
1 file changed, 1 insertion(+)
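The defect described in the message is a dangling back-pointer: the super_block keeps pointing at a freed sb_info, and a later teardown path follows it. The model below is an added example, not f2fs code and not part of the patch; the structures, `mock_kfree`, `run_scenario` and the result codes are hypothetical stand-ins. It replaces real freeing with a "freed" marker so the stale dereference is reported instead of being undefined behaviour, and runs the error path once in the buggy order and once in the order the patch introduces.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the kernel objects involved (hypothetical, not f2fs code). */
struct f2fs_sb_info {
	int ndevs;   /* number of entries in the device list the teardown walks */
	bool freed;  /* set by mock_kfree so a stale read can be detected */
};

struct super_block {
	struct f2fs_sb_info *s_fs_info;  /* the back-pointer the patch clears */
};

/* One static object stands in for the allocation; mock_kfree only marks it
 * freed so that a later access is detectable rather than undefined. */
static struct f2fs_sb_info sbi_pool;

static struct f2fs_sb_info *mock_kzalloc(void)
{
	memset(&sbi_pool, 0, sizeof(sbi_pool));
	return &sbi_pool;
}

static void mock_kfree(struct f2fs_sb_info *sbi)
{
	sbi->freed = true;
}

/* What the teardown observed when it ran. */
enum teardown_result {
	TEARDOWN_SKIPPED = 0,    /* s_fs_info was NULL: nothing to tear down */
	TEARDOWN_OK = 1,         /* live sbi: device list destroyed */
	TEARDOWN_STALE_SBI = 2   /* followed a pointer to a freed sbi: the use-after-free */
};

/* Model of the later teardown that reads sb->s_fs_info. */
static enum teardown_result destroy_device_list(struct super_block *sb)
{
	struct f2fs_sb_info *sbi = sb->s_fs_info;

	if (!sbi)
		return TEARDOWN_SKIPPED;
	if (sbi->freed)
		return TEARDOWN_STALE_SBI;
	sbi->ndevs = 0;
	return TEARDOWN_OK;
}

/* Model of fill_super failing after sbi was attached to the super_block.
 * clear_backptr = false reproduces the ordering before the patch,
 * clear_backptr = true the ordering the patch introduces. */
static void fill_super_fails(struct super_block *sb, bool clear_backptr)
{
	struct f2fs_sb_info *sbi = mock_kzalloc();

	sb->s_fs_info = sbi;
	sbi->ndevs = 2;
	/* ... later setup step fails, control reaches the free_sbi label ... */
	if (clear_backptr)
		sb->s_fs_info = NULL;  /* the one-line fix: drop the back-pointer first */
	mock_kfree(sbi);
}

/* Runs the failing mount followed by the teardown and reports what it saw. */
enum teardown_result run_scenario(bool clear_backptr)
{
	struct super_block sb = { .s_fs_info = NULL };

	fill_super_fails(&sb, clear_backptr);
	return destroy_device_list(&sb);
}

int main(void)
{
	printf("without clearing s_fs_info: %d (2 = stale sbi dereferenced)\n",
	       run_scenario(false));
	printf("with clearing s_fs_info:    %d (0 = teardown skipped)\n",
	       run_scenario(true));
	return 0;
}
```

The general rule the model illustrates: when an error path frees an object that another structure still points to, invalidate that pointer before the free, and have every later consumer treat NULL as "nothing to do". The teardown's NULL check alone is not a fix; it only helps once the owner stops handing it a stale pointer.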