hfs: do not free node before using

hfs_bmap_free() frees the node via hfs_bnode_put(node).  However, it
then reads node->this when dumping error message on an error path, which
may result in a use-after-free bug.  This patch frees the node only when
it is never again used.

Link: http://lkml.kernel.org/r/[email protected]
Fixes: a1185ffa2fc ("HFS rewrite")
Signed-off-by: Pan Bian <[email protected]>
Reviewed-by: Andrew Morton <[email protected]>
Cc: Joe Perches <[email protected]>
Cc: Ernesto A. Fernandez <[email protected]>
Cc: Viacheslav Dubeyko <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>

diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c
index 98b96ffb95ed3d71dbf598b9aadc1e4363ce68da..19017d2961734fd7701aa1ac31c6a94d8a65c71b 100644 (file)
--- a/fs/hfs/btree.c
+++ b/fs/hfs/btree.c
@@ -338,13 +338,14 @@ void hfs_bmap_free(struct hfs_bnode *node)
 
                nidx -= len * 8;
                i = node->next;
-               hfs_bnode_put(node);
                if (!i) {
                        /* panic */;
                        pr_crit("unable to free bnode %u. bmap not found!\n",
                                node->this);
+                       hfs_bnode_put(node);
                        return;
                }
+               hfs_bnode_put(node);
                node = hfs_bnode_find(tree, i);
                if (IS_ERR(node))
                        return;