From patchwork Tue Aug 27 21:05:11 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andrew Morton <akpm@linux-foundation.org>
X-Patchwork-Id: 2850356
Return-Path: <ocfs2-devel-bounces@oss.oracle.com>
X-Original-To: patchwork-ocfs2-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 28519BF546
	for <patchwork-ocfs2-devel@patchwork.kernel.org>;
	Tue, 27 Aug 2013 21:06:44 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 60F0F2041C
	for <patchwork-ocfs2-devel@patchwork.kernel.org>;
	Tue, 27 Aug 2013 21:06:43 +0000 (UTC)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 7334D20413
	for <patchwork-ocfs2-devel@patchwork.kernel.org>;
	Tue, 27 Aug 2013 21:06:42 +0000 (UTC)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237])
	by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1)
	with ESMTP id r7RL6Xqf016191
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
	Tue, 27 Aug 2013 21:06:34 GMT
Received: from oss.oracle.com (oss-external.oracle.com [137.254.96.51])
	by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
	r7RL6XmD013606
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Tue, 27 Aug 2013 21:06:33 GMT
Received: from localhost ([127.0.0.1] helo=oss.oracle.com)
	by oss.oracle.com with esmtp (Exim 4.63)
	(envelope-from <ocfs2-devel-bounces@oss.oracle.com>)
	id 1VEQTB-0001pN-F7; Tue, 27 Aug 2013 14:06:33 -0700
Received: from ucsinet21.oracle.com ([156.151.31.93])
	by oss.oracle.com with esmtp (Exim 4.63)
	(envelope-from <akpm@linux-foundation.org>) id 1VEQRt-0001dF-VW
	for ocfs2-devel@oss.oracle.com; Tue, 27 Aug 2013 14:05:14 -0700
Received: from userp1030.oracle.com (userp1030.oracle.com [156.151.31.80])
	by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
	r7RL5DGG020526
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <ocfs2-devel@oss.oracle.com>; Tue, 27 Aug 2013 21:05:13 GMT
Received: from mail-qa0-f74.google.com (mail-qa0-f74.google.com
	[209.85.216.74])
	by userp1030.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with
	ESMTP id r7RL5CmL029662
	(version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=OK)
	for <ocfs2-devel@oss.oracle.com>; Tue, 27 Aug 2013 21:05:13 GMT
Received: by mail-qa0-f74.google.com with SMTP id i13so356429qae.1
	for <ocfs2-devel@oss.oracle.com>;
	Tue, 27 Aug 2013 14:05:12 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20120113;
	h=x-gm-message-state:subject:to:cc:from:date:mime-version
	:content-type:content-transfer-encoding:message-id;
	bh=b83yZZBkvHuVq62IPeuM4hBMlZkyZmmJN5ogATZGQRk=;
	b=TI2UQbftAGRxaXonNU/fHCHg3j5VMGl7+I0V4Skf17YCrtdg6ZqFN7ehOaGyUF2zEv
	KeuMVgMd9M+vnZD3yHhYlhvn2X91dQlR4jluITnGF890qiFsRB47/VhvpyN0eSIo/jFC
	EJLFYF8tcSLJ4h0g4k/ueBaV6mtlQsTjEZUVjea+T4p01LHmbiaOZEXSNt6GeqSOCvQP
	qRGZovcLE4lZyx8cerQN9LxP8ilCb8ktTA9Pl0ON1mqHztSn5tcnfm+3Fkw3suGdRPeG
	MV3qfynTdERJKl5bOiovHBgyC9z7nECcnlK4A/0LonJTY5LMY2gRwEHijT7RLvkHeAXl
	to3w==
X-Gm-Message-State: 
 ALoCoQnH1vBjqEaZErU3vO5Rg13VR/Zplbcf8L9geNtCqx24uII5jlqWc8tKboiYx+1kYE0AwVxH
X-Received: by 10.236.189.37 with SMTP id b25mr8259346yhn.48.1377637512065;
	Tue, 27 Aug 2013 14:05:12 -0700 (PDT)
Received: from corp2gmr1-2.hot.corp.google.com
	(corp2gmr1-2.hot.corp.google.com [172.24.189.93])
	by gmr-mx.google.com with ESMTPS id
	z45si1405787yha.7.1969.12.31.16.00.00
	(version=TLSv1.1 cipher=AES128-SHA bits=128/128);
	Tue, 27 Aug 2013 14:05:12 -0700 (PDT)
Received: from localhost.localdomain (akpm3.mtv.corp.google.com
	[172.17.131.127])
	by corp2gmr1-2.hot.corp.google.com (Postfix) with ESMTP id
	6BC765A4276; Tue, 27 Aug 2013 14:05:11 -0700 (PDT)
To: ocfs2-devel@oss.oracle.com
From: akpm@linux-foundation.org
Date: Tue, 27 Aug 2013 14:05:11 -0700
MIME-Version: 1.0
Message-Id: <20130827210511.6BC765A4276@corp2gmr1-2.hot.corp.google.com>
X-Flow-Control-Info: class=Pass-to-MM reputation=ipRisk-All ip=209.85.216.74
	ct-class=R6 ct-vol1=0 ct-vol2=0 ct-vol3=0 ct-risk=68
	ct-spam1=0 ct-spam2=0 ct-bulk=0 rcpts=1 size=1158
X-Sendmail-CM-Score: 0.00%
X-Sendmail-CM-Analysis: v=2.1 cv=aehYw3Yt c=1 sm=1 tr=0
	a=I+46lcx7QeHoTsbBDLhT1Q==:117 a=z-5JaG4f0vwA:10
	a=NEiEQogP1MkA:10 a=os2CZ2fo8YAA:10 a=Z4Rwk6OoAAAA:8
	a=1XWaLZrsAAAA:8 a=yPCof4ZbAAAA:8 a=-nRJw5Bo1QEA:10
	a=i0EeH86SAAAA:8 a=iox4zFpeAAAA:8 a=IXr_WNlcAAAA:8
	a=78LkSXE5g9PRZDScd8oA:9 a=e4xtJxf3HDoA:10 a=hPjdaMEvmhQA:10
	a=7DSvI1NPTFQA:10 a=n9GBPR9yFnkA:10 a=T5ZRoNnfl4MA:10
	a=jbrJJM5MRmoA:10
X-Sendmail-CT-Classification: not spam
X-Sendmail-CT-RefID: str=0001.0A090207.521D1489.0090, ss=1, re=0.000,
	recu=0.000, reip=0.000, cl=1, cld=1, fgs=0
Cc: mfasheh@suse.com
Subject: [Ocfs2-devel] [patch 17/22] ocfs2: fix possible double free in
	ocfs2_reflink_xattr_rec
X-BeenThere: ocfs2-devel@oss.oracle.com
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <ocfs2-devel.oss.oracle.com>
List-Unsubscribe: <https://oss.oracle.com/mailman/listinfo/ocfs2-devel>,
	<mailto:ocfs2-devel-request@oss.oracle.com?subject=unsubscribe>
List-Archive: <http://oss.oracle.com/pipermail/ocfs2-devel>
List-Post: <mailto:ocfs2-devel@oss.oracle.com>
List-Help: <mailto:ocfs2-devel-request@oss.oracle.com?subject=help>
List-Subscribe: <https://oss.oracle.com/mailman/listinfo/ocfs2-devel>,
	<mailto:ocfs2-devel-request@oss.oracle.com?subject=subscribe>
Sender: ocfs2-devel-bounces@oss.oracle.com
Errors-To: ocfs2-devel-bounces@oss.oracle.com
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
X-Spam-Status: No, score=-6.7 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Joseph Qi <joseph.qi@huawei.com>
Subject: ocfs2: fix possible double free in ocfs2_reflink_xattr_rec

In ocfs2_reflink_xattr_rec(), meta_ac and data_ac are allocated by calling
ocfs2_lock_reflink_xattr_rec_allocators().

Once an error occurs when allocating *data_ac, it frees *meta_ac which is
allocated before.  Here it mistakenly sets meta_ac to NULL but *meta_ac. 
Then ocfs2_reflink_xattr_rec() will try to free meta_ac again which is
already invalid.

Signed-off-by: Joseph Qi <joseph.qi@huawei.com>
Reviewed-by: Jie Liu <jeff.liu@oracle.com>
Cc: Mark Fasheh <mfasheh@suse.com>
Cc: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 fs/ocfs2/xattr.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff -puN fs/ocfs2/xattr.c~ocfs2-fix-possible-double-free-in-ocfs2_reflink_xattr_rec fs/ocfs2/xattr.c
--- a/fs/ocfs2/xattr.c~ocfs2-fix-possible-double-free-in-ocfs2_reflink_xattr_rec
+++ a/fs/ocfs2/xattr.c
@@ -6802,7 +6802,7 @@ out:
 	if (ret) {
 		if (*meta_ac) {
 			ocfs2_free_alloc_context(*meta_ac);
-			meta_ac = NULL;
+			*meta_ac = NULL;
 		}
 	}