From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
To: David Sterba <dsterba@suse.com>
Cc: Johannes Thumshirn <johannes.thumshirn@wdc.com>,
	Naohiro Aota <Naohiro.Aota@wdc.com>,
	Josef Bacik <josef@toxicpanda.com>,
	Julia Lawall <julia.lawall@inria.fr>,
	linux-btrfs@vger.kernel.org, kernel test robot <lkp@intel.com>,
	Julia Lawall <julia.lawall@lip6.fr>
Subject: [PATCH for-next 2/2] btrfs: fix double free in btrfs_get_dev_zone_info
Date: Sat, 30 Jan 2021 20:26:44 +0900	[thread overview]
Message-ID: <6db9da814a31858f37fd9d2236768d3b75a11342.1612005682.git.johannes.thumshirn@wdc.com> (raw)
In-Reply-To: <cover.1612005682.git.johannes.thumshirn@wdc.com>

When we end up getting an unsupported zone model in
btrfs_get_dev_zone_info() the default error handling case frees all
allocated resources, but "zones" was already freed resulting in a
double-free and "zone_info" is already assigned to device->zone_info
resulting in a potential use-after-free.

For the double free we could also set 'zones = NULL' after freeing, but I
think this way is more readable.

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Fixes: 9e802babe329 ("btrfs: allow zoned mode on non-zoned block devices")
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
---
 fs/btrfs/zoned.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/btrfs/zoned.c b/fs/btrfs/zoned.c
index 362df27040ff..fd953ec848e6 100644
--- a/fs/btrfs/zoned.c
+++ b/fs/btrfs/zoned.c
@@ -425,7 +425,7 @@ int btrfs_get_dev_zone_info(struct btrfs_device *device)
 				 bdev_zoned_model(bdev),
 				 rcu_str_deref(device->name));
 		ret = -EOPNOTSUPP;
-		goto out;
+		goto out_free_zone_info;
 	}
 
 	btrfs_info_in_rcu(fs_info,
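Review bot: the new `goto out_free_zone_info;` is only correct if `zones` has already been freed before the unsupported-zone-model branch, and that earlier `kfree(zones)` is not in this hunk's context, so a reader of the diff has to take the commit message's word for it. A one-line comment at the goto (e.g. `/* zones already freed above */`) or a label name that says what is skipped rather than what is freed would make the invariant visible at the jump site and keep a future error path added between the two from reintroducing the double free.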
@@ -437,9 +437,11 @@ int btrfs_get_dev_zone_info(struct btrfs_device *device)
 
 out:
 	kfree(zones);
+out_free_zone_info:
 	bitmap_free(zone_info->empty_zones);
 	bitmap_free(zone_info->seq_zones);
 	kfree(zone_info);
+	device->zone_info = NULL;
 
 	return ret;
 }
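Review bot: `device->zone_info = NULL;` sits under the shared `out:` label, so it now runs for every path that lands there, including any that never assigned `device->zone_info`; that is harmless, but it also means the success path must return before `out:` for this not to clobber a valid pointer, and that return is not visible in this hunk's context (the hunk starts at the blank line above `out:`). Worth confirming in the full function. A minor ordering point: clearing `device->zone_info` before `kfree(zone_info)` rather than after would avoid leaving the device pointing at freed memory between the two statements, e.g.

	device->zone_info = NULL;
	kfree(zone_info);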
-- 
2.26.2