[1/2] bcachefs: Fix a potential in the error handling path of use-after-free inbch2_dev_add()
| Message ID | 3ab17a294fd2b5fcb180d44955b0d76a28af11cb.1694623395.git.christophe.jaillet@wanadoo.fr |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:612c:a8d:b0:3f2:4152:657d with SMTP id gr13csp133901vqb;
Wed, 13 Sep 2023 15:56:22 -0700 (PDT)
X-Google-Smtp-Source:
AGHT+IE7xEvY3BqUc0ud0xwTF/QKhuBIIQI09gBlOjERnD/laUSM1QqWI3I7r3VxT6QTx0pXTwCb
X-Received: by 2002:a05:6a21:7988:b0:157:609f:6057 with SMTP id
bh8-20020a056a21798800b00157609f6057mr3187449pzc.27.1694645782473;
Wed, 13 Sep 2023 15:56:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1694645782; cv=none;
d=google.com; s=arc-20160816;
b=ovaZWdS/VKkh9laoY1qVf0hvZqMaZ9tnm2vuak0M8eVibOQZDon0d52X94AFJdisOl
KTUcVVpa+MQyGFz9wyHDEH7pkz9x/6SB1KY4BwJj7haLqpD9tsTjgt0x0qxTZl5lqOnf
MbhCbkFS0q8x/wnh9bK67v4zrpwgu0QLEM/4P4cM3qjdUBWKpdi2lOCGaKMoc2gAXGYy
qf66hRRSoq/9N3MWvmBW+lyiuuoE6HO83erNYlTwuHjmRqS4uVR11hW5SZbtXP507d3o
m1/z/4ZJj9YMb7XFu0EDODBepYVGkZUE/gG+e5xkFEindPE32DLc64UhNN2DKSfFo3uU
pWQw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=KhBqET0/GFce4q4wy/Li4fUXHKskJM4nNy8BipmRPzo=;
fh=seHqP8aDwV4qtSdtm/JkySC7wQ/YhwMpq5sxfPUNkLQ=;
b=GTK4LpKO5q5LB4FteKQAjtYX4IQ5VmgwWv1QlpUD3F64S31RMfdppiXxzV77u0v3uF
LWE0PwTCuDXfUQXRn/b56XNcKEQcDRUa9mKbfyGnHUdunSNCOO0d1b/OFGUeQKVbSbOJ
I+Q645Rbb3dGTbB4zB5FGhLrk6nzDqWZUD83bk7hx6gaqjOA3YqBu5OrS6ivEYb4tjTU
32AdmyfNSh5dbpZL78a5Z7/azyRvIKG1Suij3YS5mNOno0UL40VWvaDKE26TN99CN7NR
4ugZf7RIOYWrI72rKbOhQvVYkhc/yFQGhoRfNODY0/qC3OhicWYixscudFy0Ew5WE75O
KNfg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@wanadoo.fr header.s=t20230301 header.b=tY4NOT8k;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.34 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=wanadoo.fr
Received: from howler.vger.email (howler.vger.email. [23.128.96.34])
by mx.google.com with ESMTPS id
i12-20020a633c4c000000b0056513361b4fsi114130pgn.741.2023.09.13.15.56.21
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 13 Sep 2023 15:56:22 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.34 as permitted sender) client-ip=23.128.96.34;
Authentication-Results: mx.google.com;
dkim=pass header.i=@wanadoo.fr header.s=t20230301 header.b=tY4NOT8k;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.34 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=wanadoo.fr
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by howler.vger.email (Postfix) with ESMTP id 45A0C801C1A4;
Wed, 13 Sep 2023 09:47:30 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S231142AbjIMQrW (ORCPT <rfc822;pwkd43@gmail.com> + 35 others);
Wed, 13 Sep 2023 12:47:22 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55092 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S230335AbjIMQrG (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 13 Sep 2023 12:47:06 -0400
Received: from smtp.smtpout.orange.fr (smtp-22.smtpout.orange.fr
[80.12.242.22])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7FE121BE7
for <linux-kernel@vger.kernel.org>;
Wed, 13 Sep 2023 09:44:16 -0700 (PDT)
Received: from pop-os.home ([86.243.2.178])
by smtp.orange.fr with ESMTPA
id gSyJqOeao1XYugSyJqLbyP; Wed, 13 Sep 2023 18:44:14 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wanadoo.fr;
s=t20230301; t=1694623454;
bh=KhBqET0/GFce4q4wy/Li4fUXHKskJM4nNy8BipmRPzo=;
h=From:To:Cc:Subject:Date;
b=tY4NOT8kx5AWJLO9A13ip+OzfDc65GfRtGqE/jQh9Lho1C7UfalXDV70QsuL4sKhy
4yXHIWD5tqQh4a/JGcTZURyVkemXF4U97i4ZlNN3pxo7Q4YfjN3mwF1FBDyljIqr/g
bSk4uZQvtcvo4N5JfnOgTPZ829m0Oi7yV9FQZqh6cqegUZbFlnGAXH21ntRyImrIig
eY/GbFTuqfc+pmZcRR0ak375ydz3SeXyAEn82DQipTzZJb9usXJWoEL2slYAAR+yW6
l0QF/m3JX6tWSL6cLiXmEe4FeY+9KZthCFBo8Q/85Mnp4+zUuLXXlBgM1Vj+0kFUAS
9xsUnjVwwiZgg==
X-ME-Helo: pop-os.home
X-ME-Auth: Y2hyaXN0b3BoZS5qYWlsbGV0QHdhbmFkb28uZnI=
X-ME-Date: Wed, 13 Sep 2023 18:44:14 +0200
X-ME-IP: 86.243.2.178
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
To: Kent Overstreet <kent.overstreet@linux.dev>,
Brian Foster <bfoster@redhat.com>
Cc: linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org,
Christophe JAILLET <christophe.jaillet@wanadoo.fr>,
Kent Overstreet <kent.overstreet@gmail.com>,
linux-bcachefs@vger.kernel.org
Subject: [PATCH 1/2] bcachefs: Fix a potential in the error handling path of
use-after-free inbch2_dev_add()
Date: Wed, 13 Sep 2023 18:44:08 +0200
Message-Id:
<3ab17a294fd2b5fcb180d44955b0d76a28af11cb.1694623395.git.christophe.jaillet@wanadoo.fr>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]);
Wed, 13 Sep 2023 09:47:30 -0700 (PDT)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1776964895881777131
X-GMAIL-MSGID: 1776964895881777131
|
| Series |
[1/2] bcachefs: Fix a potential in the error handling path of use-after-free inbch2_dev_add()
|
|
Commit Message
Christophe JAILLET
Sept. 13, 2023, 4:44 p.m. UTC
If __bch2_dev_attach_bdev() fails, bch2_dev_free() is called twice.
Once here and another time in the error handling path.
This leads to several use-after-free.
Remove the redundant call and only rely on the error handling path.
Fixes: 6a44735653d4 ("bcachefs: Improved superblock-related error messages")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
---
fs/bcachefs/super.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
Comments
On Wed, Sep 13, 2023 at 06:44:08PM +0200, Christophe JAILLET wrote: > If __bch2_dev_attach_bdev() fails, bch2_dev_free() is called twice. > Once here and another time in the error handling path. > > This leads to several use-after-free. > > Remove the redundant call and only rely on the error handling path. Thanks, both applied
Le 14/09/2023 à 01:01, Kent Overstreet a écrit : > On Wed, Sep 13, 2023 at 06:44:08PM +0200, Christophe JAILLET wrote: >> If __bch2_dev_attach_bdev() fails, bch2_dev_free() is called twice. >> Once here and another time in the error handling path. >> >> This leads to several use-after-free. >> >> Remove the redundant call and only rely on the error handling path. > Thanks, both applied If not too late, it is more a double-free than a use-after-free. And I messed up the ordering of the words in the subject. Sorry about that. CJ
diff --git a/fs/bcachefs/super.c b/fs/bcachefs/super.c index 29cd71445a94..7379325c428f 100644 --- a/fs/bcachefs/super.c +++ b/fs/bcachefs/super.c @@ -1617,10 +1617,8 @@ int bch2_dev_add(struct bch_fs *c, const char *path) bch2_dev_usage_init(ca); ret = __bch2_dev_attach_bdev(ca, &sb); - if (ret) { - bch2_dev_free(ca); + if (ret) goto err; - } ret = bch2_dev_journal_alloc(ca); if (ret) {