[3.13.y.z extended stable] Patch "KEYS: Fix use-after-free in assoc_array_gc()" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Tue Sep 30 21:29:49 UTC 2014


This is a note to let you know that I have just added a patch titled

    KEYS: Fix use-after-free in assoc_array_gc()

to the linux-3.13.y-queue branch of the 3.13.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.13.y-queue

This patch is scheduled to be released in version 3.13.11.8.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.13.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

From 64ce976f814fa1134b39255f38c80a9a54e9e537 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
Date: Tue, 2 Sep 2014 13:52:20 +0100
Subject: KEYS: Fix use-after-free in assoc_array_gc()

commit 27419604f51a97d497853f14142c1059d46eb597 upstream.

An edit script should be considered inaccessible by a function once it has
called assoc_array_apply_edit() or assoc_array_cancel_edit().

However, assoc_array_gc() is accessing the edit script just after the
gc_complete: label.

Reported-by: Andreea-Cristina Bernat <bernat.ada at gmail.com>
Signed-off-by: David Howells <dhowells at redhat.com>
Reviewed-by: Andreea-Cristina Bernat <bernat.ada at gmail.com>
cc: shemming at brocade.com
cc: paulmck at linux.vnet.ibm.com
Signed-off-by: James Morris <james.l.morris at oracle.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 lib/assoc_array.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/assoc_array.c b/lib/assoc_array.c
index 76ae279..f9524b8 100644
--- a/lib/assoc_array.c
+++ b/lib/assoc_array.c
@@ -1737,7 +1737,7 @@ ascend_old_tree:
 gc_complete:
 	edit->set[0].to = new_root;
 	assoc_array_apply_edit(edit);
-	edit->array->nr_leaves_on_tree = nr_leaves_on_tree;
+	array->nr_leaves_on_tree = nr_leaves_on_tree;
 	return 0;

 enomem:
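Review bot: the replacement line stores the leaf count through `array` instead of `edit->array`, but `array` is not declared anywhere in the visible context of this hunk, so the review should confirm it is assoc_array_gc()'s own pointer to the same struct assoc_array that `edit->array` referred to, captured before the script was handed to assoc_array_apply_edit(). Given the commit message's rule that the script is off limits after assoc_array_apply_edit() or assoc_array_cancel_edit(), it is also worth checking the other exit from this function, the `enomem:` path that begins at the end of this hunk, for a similar dereference of `edit` after assoc_array_cancel_edit(); the hunk only covers the `gc_complete:` block.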
--
1.9.1
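The ownership rule the commit message states, shown as an added illustration in plain C that is not part of this patch or of lib/assoc_array.c. The `struct array` and `struct edit` types are stand-ins for the kernel's structures, `apply_edit()` models assoc_array_apply_edit() consuming the script, and the decoy redirection plus one-slot deferred free are assumptions standing in for a debug allocator and call_rcu(), so that the pre-fix store can be observed landing outside the real array instead of in freed memory:

```c
#include <stdlib.h>

/* Stand-ins for struct assoc_array and struct assoc_array_edit (assumed,
 * not the kernel's definitions). */
struct array {
	void *root;
	unsigned long nr_leaves_on_tree;
};

struct edit {
	struct array *array;	/* array this script edits */
	void *new_root;		/* root to publish when applied */
};

/* Model of a debug allocator: a consumed script is pointed at this decoy so
 * a use-after-free is observable instead of scribbling over other memory. */
static struct array freed_decoy;
static struct edit *deferred;	/* script awaiting its deferred free */

/* Stand-in for assoc_array_apply_edit(): publish the new root, then take
 * ownership of the script. The caller must not touch `edit` afterwards. */
static void apply_edit(struct edit *edit)
{
	edit->array->root = edit->new_root;
	edit->array = &freed_decoy;	/* script is dead to the caller now */
	free(deferred);			/* free(NULL) is a no-op */
	deferred = edit;		/* released on the next apply or flush */
}

static struct edit *alloc_edit(struct array *array, void *new_root)
{
	struct edit *edit = calloc(1, sizeof(*edit));
	if (edit) {
		edit->array = array;
		edit->new_root = new_root;
	}
	return edit;
}

/* Pre-fix pattern: the leaf count is stored through the script after
 * apply_edit() has consumed it. */
static int gc_before_fix(struct array *array, void *new_root,
			 unsigned long nr_leaves_on_tree)
{
	struct edit *edit = alloc_edit(array, new_root);
	if (!edit)
		return -1;
	apply_edit(edit);
	edit->array->nr_leaves_on_tree = nr_leaves_on_tree;	/* use-after-free */
	return 0;
}

/* Post-fix pattern: only the caller's own `array` pointer, held since before
 * the hand-over, is dereferenced after apply_edit(). */
static int gc_after_fix(struct array *array, void *new_root,
			unsigned long nr_leaves_on_tree)
{
	struct edit *edit = alloc_edit(array, new_root);
	if (!edit)
		return -1;
	apply_edit(edit);
	array->nr_leaves_on_tree = nr_leaves_on_tree;
	return 0;
}

/* Release the pending script; returns 1 if one was pending. */
static int flush_deferred(void)
{
	int had = deferred != NULL;
	free(deferred);
	deferred = NULL;
	return had;
}

/* Run one gc over a fresh array and report where the count ended up:
 * the array's own count for the fixed path, or 0 when the store went to
 * the decoy on the buggy path. */
static unsigned long count_after_gc(int use_fix, unsigned long leaves)
{
	struct array a = { 0, 0 };
	int root;
	freed_decoy.nr_leaves_on_tree = 0;
	if (use_fix)
		gc_after_fix(&a, &root, leaves);
	else
		gc_before_fix(&a, &root, leaves);
	flush_deferred();
	return a.root == &root ? a.nr_leaves_on_tree : (unsigned long)-1;
}

static unsigned long decoy_count(void)
{
	return freed_decoy.nr_leaves_on_tree;
}
```

Both paths publish the new root, since that happens inside `apply_edit()`; the difference is where the count written afterwards lands, which is exactly the one-line change in the hunk.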




