btrfs: fix use-after-free in mount_subvol()
authorChristoph Jaeger <christophjaeger@linux.com>
Sat, 12 Apr 2014 11:33:13 +0000 (13:33 +0200)
committerChris Mason <clm@fb.com>
Mon, 14 Apr 2014 18:31:08 +0000 (11:31 -0700)
Pointer 'newargs' is passed to the -EBUSY retry vfs_kern_mount() calls
after the memory it points to has already been freed.

Picked up by Coverity - CID 1201425.

Fixes: 0723a0473f ("btrfs: allow mounting btrfs subvolumes with
different ro/rw options")
Signed-off-by: Christoph Jaeger <christophjaeger@linux.com>
Signed-off-by: Chris Mason <clm@fb.com>
fs/btrfs/super.c

index 994c409553150eac353bc32ba6bcc5bc4bbdf465..53bc3733d4835b444b897c00837b7ac3badafa43 100644 (file)
@@ -1186,7 +1186,6 @@ static struct dentry *mount_subvol(const char *subvol_name, int flags,
                return ERR_PTR(-ENOMEM);
        mnt = vfs_kern_mount(&btrfs_fs_type, flags, device_name,
                             newargs);
-       kfree(newargs);
 
        if (PTR_RET(mnt) == -EBUSY) {
                if (flags & MS_RDONLY) {
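Review bot: With the kfree() dropped right after the first vfs_kern_mount() call, nothing in this hunk tells a reader that newargs must outlive that call because the -EBUSY retry mounts below pass it again, so a later "leak fix" could re-add the free here and reintroduce exactly this use-after-free. I would put a why-comment on the mount call: `/* newargs is reused by the -EBUSY retry mounts below; freed once all mount attempts are done */`. The function now has three separate kfree(newargs) exits, so a single `out_free:` label would keep ownership of the buffer in one place, though two of those exits sit in the next hunk. mount_subvol()'s body starts before this hunk, so the allocation of newargs is not visible here.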
@@ -1196,17 +1195,22 @@ static struct dentry *mount_subvol(const char *subvol_name, int flags,
                        int r;
                        mnt = vfs_kern_mount(&btrfs_fs_type, flags | MS_RDONLY, device_name,
                                             newargs);
-                       if (IS_ERR(mnt))
+                       if (IS_ERR(mnt)) {
+                               kfree(newargs);
                                return ERR_CAST(mnt);
+                       }
 
                        r = btrfs_remount(mnt->mnt_sb, &flags, NULL);
                        if (r < 0) {
                                /* FIXME: release vfsmount mnt ??*/
+                               kfree(newargs);
                                return ERR_PTR(r);
                        }
                }
        }
 
+       kfree(newargs);
+
        if (IS_ERR(mnt))
                return ERR_CAST(mnt);