From: Konstantin Meskhidze konstantin.meskhidze@huawei.com
mainline inclusion
from mainline-v6.7-rc1
commit d81efd66106c03771ffc8637855a6ec24caa6350
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8ZCT1
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
'old_idx' could be dereferenced after free via 'rb_link_node' function call.
Fixes: b5fda08ef213 ("ubifs: Fix memleak when insert_old_idx() failed")
Co-developed-by: Ivanov Mikhail ivanov.mikhail1@huawei-partners.com
Signed-off-by: Konstantin Meskhidze konstantin.meskhidze@huawei.com
Reviewed-by: Zhihao Cheng chengzhihao1@huawei.com
Signed-off-by: Richard Weinberger richard@nod.at
Signed-off-by: ZhaoLong Wang wangzhaolong1@huawei.com
---
 fs/ubifs/tnc.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c index 6b7d95b65f4b..f4728e65d1bd 100644 --- a/fs/ubifs/tnc.c +++ b/fs/ubifs/tnc.c @@ -65,6 +65,7 @@ static void do_insert_old_idx(struct ubifs_info *c, else { ubifs_err(c, "old idx added twice!"); kfree(old_idx); + return; } } rb_link_node(&old_idx->rb, parent, p);
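Review bot: in the else branch of do_insert_old_idx(), the duplicate case now logs "old idx added twice!", frees old_idx and returns from a static void function, so the caller gets no indication that the node was dropped instead of inserted. A one-line comment at kfree(old_idx) stating that ownership of old_idx ends on this path would help, and it is worth confirming that no caller uses old_idx after the call. The added return itself is required: without it, execution falls through to rb_link_node(&old_idx->rb, parent, p), which operates on the object that was just freed.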