Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

UBI: fix use-after-free on error path

When we fail to erase a PEB, we free the corresponding erase entry object,
but then re-schedule this object if the error code was something like -EAGAIN.
Obviously, it is a bug to use the object after we have freed it.

Reported-by: Emese Revfy <re.emese@gmail.com>
Cc: stable@kernel.org [v2.6.23+]
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
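As an added illustration (not kernel code, and not part of this commit), the following user-space model reproduces the ordering problem the message describes: an erase-worker error path that frees the wear-levelling entry first and then re-queues it on a transient error, beside the corrected ordering that re-queues first and frees only on the paths where the entry is really dead. A tiny fixed-size "slab" records whether each entry is live, so a use of a freed entry becomes an observable return code instead of silent memory corruption. All names (wl_entry, ubi_wl_entry_slab, schedule_erase, erase_error_path, run_error_path), the PEB number 5 and the -EFAULT used to flag a freed-entry access are constructed stand-ins; the errno values are the ones from the commit message.

```c
/*
 * Added example, not Linux kernel code: a user-space model of the UBI
 * erase-worker error path. Names are hypothetical stand-ins for the driver's.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_ENTRIES 8

struct wl_entry {
	int pnum;
	bool live;    /* set by alloc, cleared by free: models slab liveness */
	bool queued;  /* set when the entry is (re)scheduled for erasure */
};

/* Constructed stand-in for kmem_cache_alloc/kmem_cache_free on a slab. */
static struct wl_entry ubi_wl_entry_slab[MAX_ENTRIES];

static struct wl_entry *wl_entry_alloc(int pnum)
{
	for (int i = 0; i < MAX_ENTRIES; i++) {
		if (!ubi_wl_entry_slab[i].live) {
			ubi_wl_entry_slab[i] = (struct wl_entry){ .pnum = pnum, .live = true };
			return &ubi_wl_entry_slab[i];
		}
	}
	return NULL;
}

static void wl_entry_free(struct wl_entry *e)
{
	e->live = false;
	e->queued = false;
}

/* Re-queue an entry; -EFAULT (constructed) flags a use of a freed entry. */
static int schedule_erase(struct wl_entry *e, bool *uaf_seen)
{
	if (!e->live) {
		*uaf_seen = true;
		return -EFAULT;
	}
	e->queued = true;
	return 0;
}

/*
 * The error path after an erase of e->pnum failed with err.
 * free_first == true  models the pre-patch ordering (free, then reschedule).
 * free_first == false models the patched ordering (reschedule, else free).
 * A non-zero return other than err models "goto out_ro".
 */
static int erase_error_path(struct wl_entry *e, int err, bool free_first,
			    bool *uaf_seen)
{
	*uaf_seen = false;
	if (free_first)
		wl_entry_free(e);            /* too early: e is still needed below */

	if (err == -EINTR || err == -ENOMEM || err == -EAGAIN || err == -EBUSY) {
		/* Transient failure: put the PEB back on the erase queue. */
		int err1 = schedule_erase(e, uaf_seen);
		if (err1)
			return err1;         /* models goto out_ro; e is not freed here */
		return err;
	}

	if (!free_first)
		wl_entry_free(e);            /* e is dead on every remaining path */

	if (err != -EIO)
		return err;                  /* unknown error: models goto out_ro */

	/* -EIO: the PEB went bad; the caller marks it bad without reusing e. */
	return 0;
}

struct outcome {
	int ret;
	bool uaf;     /* a freed entry was touched */
	bool live;    /* entry still allocated when the path returned */
	bool queued;  /* entry sits on the erase queue when the path returned */
};

/* Run one failed erase of a constructed PEB through the chosen ordering. */
struct outcome run_error_path(int err, bool free_first)
{
	struct outcome o = { 0 };
	struct wl_entry *e = wl_entry_alloc(5);

	o.ret = erase_error_path(e, err, free_first, &o.uaf);
	o.live = e->live;
	o.queued = e->queued;
	if (e->live)
		wl_entry_free(e);            /* release the mock queue entry */
	return o;
}

int main(void)
{
	struct outcome before = run_error_path(-EAGAIN, true);
	struct outcome after = run_error_path(-EAGAIN, false);

	printf("pre-patch  -EAGAIN: ret=%d used_freed_entry=%d\n", before.ret, before.uaf);
	printf("post-patch -EAGAIN: ret=%d used_freed_entry=%d queued=%d\n",
	       after.ret, after.uaf, after.queued);
	return 0;
}
```

With the pre-patch ordering a transient -EAGAIN hands a freed entry to the scheduler; with the patched ordering the entry stays live and queued on that path, while the -EIO and unknown-error paths still release it exactly once.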

+4 -3
drivers/mtd/ubi/wl.c
··· 1052 1052 1053 1053 ubi_err("failed to erase PEB %d, error %d", pnum, err); 1054 1054 kfree(wl_wrk); 1055 - kmem_cache_free(ubi_wl_entry_slab, e); 1056 1055 1057 1056 if (err == -EINTR || err == -ENOMEM || err == -EAGAIN || 1058 1057 err == -EBUSY) { ··· 1064 1065 goto out_ro; 1065 1066 } 1066 1067 return err; 1067 - } else if (err != -EIO) { 1068 + } 1069 + 1070 + kmem_cache_free(ubi_wl_entry_slab, e); 1071 + if (err != -EIO) 1068 1072 /* 1069 1073 * If this is not %-EIO, we have no idea what to do. Scheduling 1070 1074 * this physical eraseblock for erasure again would cause 1071 1075 * errors again and again. Well, lets switch to R/O mode. 1072 1076 */ 1073 1077 goto out_ro; 1074 - } 1075 1078 1076 1079 /* It is %-EIO, the PEB went bad */ 1077 1080
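Review bot: with kmem_cache_free(ubi_wl_entry_slab, e) moved below the transient-error block (now at 1070, after the block's `return err;`), the `goto out_ro` at 1065 inside that block leaves with `e` neither freed nor returned by this function; whatever condition inside the block triggers that goto (not shown in the hunk), the pre-patch code at least freed `e` on that path, if far too early. Because out_ro switches the device to read-only this may be a tolerable one-entry leak, but either free `e` before that goto or say in the commit message that the leak is deliberate. Minor style point: replacing `} else if (err != -EIO) {` with a braceless `if (err != -EIO)` leaves its single controlled statement, `goto out_ro;` at 1077, separated from the condition by a five-line comment (1072-1076); keeping the braces, or moving the comment above the `if`, would make the controlled statement obvious at a glance.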