From 6b8d6d331daaa7d2118fdd61eac514363e0625e7 Mon Sep 17 00:00:00 2001
From: Amulya Y <ayarlagadda@nvidia.com>
Date: Thu, 5 Apr 2018 15:06:13 -0700
Subject: ext4:fix use after free in __ext4_journal_stop

There is a use-after-free possibility in __ext4_journal_stop() in the
case that we free the handle in the first jbd2_journal_stop() because
we're referencing handle->h_err afterwards. This was introduced in
9705acd63b125dee8b15c705216d7186daea4625 and it is wrong. Fix it by
storing the handle->h_err value beforehand and avoid referencing
potentially freed handle.

Bug 1823317

Change-Id: Ib6fe50ed8013943d5fc3459eb499ecda5533c6ef
Fixes: 9705acd63b125dee8b15c705216d7186daea4625
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@vger.kernel.org
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1259975
(cherry picked from commit 3c15c37dc613cb75339f8e0d546ab30643e65b84)
Reviewed-on: https://git-master.nvidia.com/r/1690287
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
---
 fs/ext4/ext4_jbd2.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'fs')

diff --git a/fs/ext4/ext4_jbd2.c b/fs/ext4/ext4_jbd2.c
index 1be3996b5942..3517d5af2574 100644
--- a/fs/ext4/ext4_jbd2.c
+++ b/fs/ext4/ext4_jbd2.c
@@ -75,8 +75,14 @@ int __ext4_journal_stop(const char *where, unsigned int line, handle_t *handle)
 		ext4_put_nojournal(handle);
 		return 0;
 	}
-	sb = handle->h_transaction->t_journal->j_private;
+
 	err = handle->h_err;
+	if (!handle->h_transaction) {
+		rc = jbd2_journal_stop(handle);
+		return err ? err : rc;
+	}
+
+	sb = handle->h_transaction->t_journal->j_private;
 	rc = jbd2_journal_stop(handle);
 
 	if (!err)
-- 
cgit v1.2.3