summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKent Overstreet <kent.overstreet@linux.dev>2024-11-06 16:40:08 -0500
committerKent Overstreet <kent.overstreet@linux.dev>2024-11-07 16:48:21 -0500
commit8440da933127fc5330c3d1090cdd612fddbc40eb (patch)
tree91ece521bf22f076e84a3d513998277c219e61a1
parentf9f0a5390dcef1f96cc506a2cf7d50c8e348fa3d (diff)
bcachefs: Fix UAF in __promote_alloc() error path
If we error in data_update_init() after adding to the rhashtable of outstanding promotes, kfree_rcu() is required. Reported-by: Reed Riley <reed@riley.engineer> Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
-rw-r--r--fs/bcachefs/io_read.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/bcachefs/io_read.c b/fs/bcachefs/io_read.c
index ac6a6fcc2bb8..b3b934a87c6d 100644
--- a/fs/bcachefs/io_read.c
+++ b/fs/bcachefs/io_read.c
@@ -262,7 +262,8 @@ err:
bio_free_pages(&(*rbio)->bio);
kfree(*rbio);
*rbio = NULL;
- kfree(op);
+ /* We may have added to the rhashtable and thus need rcu freeing: */
+ kfree_rcu(op, rcu);
bch2_write_ref_put(c, BCH_WRITE_REF_promote);
return ERR_PTR(ret);
}