[PATCH 1/2] bcachefs: Fix a potential in the error handling path of use-after-free inbch2_dev_add()

From: Christophe JAILLET
Date: Wed Sep 13 2023 - 12:47:21 EST

Next message: Christophe JAILLET: "[PATCH 2/2] bcachefs: Remove a redundant and harmless bch2_free_super() call"
Previous message: Guenter Roeck: "Re: [PATCH 2/4] dt-bindings: hwmon: Added new properties to the devicetree"
Next in thread: Christophe JAILLET: "[PATCH 2/2] bcachefs: Remove a redundant and harmless bch2_free_super() call"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If __bch2_dev_attach_bdev() fails, bch2_dev_free() is called twice.
Once here and another time in the error handling path.

This leads to several use-after-free.

Remove the redundant call and only rely on the error handling path.

Fixes: 6a44735653d4 ("bcachefs: Improved superblock-related error messages")
Signed-off-by: Christophe JAILLET <christophe.jaillet@xxxxxxxxxx>
---
fs/bcachefs/super.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/fs/bcachefs/super.c b/fs/bcachefs/super.c
index 29cd71445a94..7379325c428f 100644
--- a/fs/bcachefs/super.c
+++ b/fs/bcachefs/super.c
@@ -1617,10 +1617,8 @@ int bch2_dev_add(struct bch_fs *c, const char *path)
bch2_dev_usage_init(ca);

ret = __bch2_dev_attach_bdev(ca, &sb);
- if (ret) {
- bch2_dev_free(ca);
+ if (ret)
goto err;
- }

ret = bch2_dev_journal_alloc(ca);
if (ret) {
--
2.34.1

Next message: Christophe JAILLET: "[PATCH 2/2] bcachefs: Remove a redundant and harmless bch2_free_super() call"
Previous message: Guenter Roeck: "Re: [PATCH 2/4] dt-bindings: hwmon: Added new properties to the devicetree"
Next in thread: Christophe JAILLET: "[PATCH 2/2] bcachefs: Remove a redundant and harmless bch2_free_super() call"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]