Message ID | 26e6880fa1dabf3771519fb86ed96b15e6b292a6.1695666651.git.boris@bur.io (mailing list archive)
---|---
State | New, archived
Series | btrfs: qgroup: fix use-after-free in btrfs_qgroup_inherit
diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c index ff470afeea7c..1a486d8a7b5a 100644 --- a/fs/btrfs/qgroup.c +++ b/fs/btrfs/qgroup.c @@ -3310,13 +3310,13 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, mutex_unlock(&fs_info->qgroup_ioctl_lock); if (need_rescan) qgroup_mark_inconsistent(fs_info); - if (free_inherit) - kfree(inherit); if (qlist_prealloc) { for (int i = 0; i < inherit->num_qgroups; i++) kfree(qlist_prealloc[i]); kfree(qlist_prealloc); } + if (free_inherit) + kfree(inherit); kfree(prealloc); return ret; }
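Review bot: the reorder fixes the read of `inherit->num_qgroups` after `kfree(inherit)`, but the ordering dependency stays implicit: nothing at the `qlist_prealloc` block says that `inherit` must still be live there, so a later shuffle of these kfree() calls can silently reintroduce the use-after-free. Suggest capturing the count before any freeing starts, e.g. `u64 nr_qgroups = inherit->num_qgroups;` and looping on `nr_qgroups` instead of `inherit->num_qgroups`, or at least a one-line comment above `if (qlist_prealloc) {` stating that the loop bound comes from `inherit`. With `inherit` now freed last and still guarded by `free_inherit`, the change itself looks correct as posted.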
If a new subvolume under simple quota uses the auto inherit feature, it will free the temporary auto inherit struct before freeing qlist_prealloc. The latter reads the inherit struct to see how much to free, so this is a UAF. Fix it by freeing the inherit struct after the btrfs_qgroup_list.

This can be reproduced by running a simple quotas test with KASAN enabled. The test is not yet in upstream fstests, but can be found in this patch:
https://lore.kernel.org/fstests/a7f4e4db-37a5-3685-4621-99b05343a864@oracle.com/T/#u

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Julia Lawall <julia.lawall@inria.fr>
Closes: https://lore.kernel.org/r/202309230501.FnBPmnOv-lkp@intel.com/
Fixes: 356d8a464995 ("btrfs: qgroup: simple quota auto hierarchy for nested subvolumes")
Signed-off-by: Boris Burkov <boris@bur.io>
---
 fs/btrfs/qgroup.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
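The cleanup-order bug the commit message describes, as an added userspace model written for this page (not kernel code and not part of the patch): `cleanup_buggy` keeps the ordering the hunk removes, `cleanup_fixed` the ordering it introduces plus a local copy of the count. The struct layouts, the `setup` helper, the constructed qgroup ids and the return values are assumptions made for illustration; only the variable names follow the hunk.

```c
/* Added example, not kernel code: a userspace model of the cleanup path
 * reordered by this patch. Names follow the hunk (inherit, free_inherit,
 * qlist_prealloc, prealloc); struct layouts, setup() and the return values
 * are assumptions made for this illustration. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the inherit struct: the element count lives inside the very
 * allocation that the cleanup path frees. */
struct inherit {
	uint64_t num_qgroups;
	uint64_t qgroups[];	/* num_qgroups entries */
};

/* Stand-in for the per-qgroup list preallocations. */
struct qgroup_list {
	uint64_t member;
	uint64_t parent;
};

/* Locals of the modelled function at the point where cleanup starts. */
struct ctx {
	struct inherit *inherit;	/* temporary when free_inherit is set */
	int free_inherit;
	struct qgroup_list **qlist_prealloc;
	void *prealloc;
};

/* Build the state an auto-inherit call would reach cleanup with. */
static int setup(struct ctx *c, uint64_t n)
{
	memset(c, 0, sizeof(*c));
	c->inherit = calloc(1, sizeof(*c->inherit) + n * sizeof(uint64_t));
	if (!c->inherit)
		return -1;
	c->inherit->num_qgroups = n;
	for (uint64_t i = 0; i < n; i++)
		c->inherit->qgroups[i] = 256 + i;	/* constructed qgroup ids */
	c->free_inherit = 1;			/* we own the temporary inherit */
	c->qlist_prealloc = calloc(n, sizeof(*c->qlist_prealloc));
	for (uint64_t i = 0; c->qlist_prealloc && i < n; i++)
		c->qlist_prealloc[i] = calloc(1, sizeof(struct qgroup_list));
	c->prealloc = malloc(64);
	return 0;
}

/* The order the patch removes: inherit is freed first, then the loop bound
 * reads inherit->num_qgroups from freed memory. Built with
 * -fsanitize=address this reports heap-use-after-free; it exists only to
 * show the bug and is never called by run_fixed(). */
void cleanup_buggy(struct ctx *c)
{
	if (c->free_inherit)
		free(c->inherit);
	if (c->qlist_prealloc) {
		for (uint64_t i = 0; i < c->inherit->num_qgroups; i++)
			free(c->qlist_prealloc[i]);
		free(c->qlist_prealloc);
	}
	free(c->prealloc);
}

/* The fixed order: every read of inherit happens before inherit is freed.
 * Taking the count into a local first makes the dependency explicit, so a
 * later reshuffle of the free calls cannot reintroduce the use-after-free.
 * Returns the number of list entries released. */
uint64_t cleanup_fixed(struct ctx *c)
{
	uint64_t nr = c->inherit ? c->inherit->num_qgroups : 0;
	uint64_t freed = 0;

	if (c->qlist_prealloc) {
		for (uint64_t i = 0; i < nr; i++) {
			free(c->qlist_prealloc[i]);
			freed++;
		}
		free(c->qlist_prealloc);
		c->qlist_prealloc = NULL;
	}
	if (c->free_inherit)
		free(c->inherit);
	c->inherit = NULL;
	free(c->prealloc);
	c->prealloc = NULL;
	return freed;
}

/* Driver: set up n qgroups, run the fixed cleanup, report entries freed. */
uint64_t run_fixed(uint64_t n)
{
	struct ctx c;

	if (setup(&c, n) != 0)
		return 0;
	return cleanup_fixed(&c);
}
```

Build with `-fsanitize=address` and call `cleanup_buggy` on a freshly set-up context to see the same class of report KASAN produced for the kernel; `run_fixed` releases every entry cleanly. Note that the posted patch only reorders the two `kfree()` calls and does not copy the count into a local; that copy is an extra hardening step added in this example, not something the patch does.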