| Message ID | 6db9da814a31858f37fd9d2236768d3b75a11342.1612005682.git.johannes.thumshirn@wdc.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Fix compilation and checker errors in zoned series | expand |
diff --git a/fs/btrfs/zoned.c b/fs/btrfs/zoned.c index 362df27040ff..fd953ec848e6 100644 --- a/fs/btrfs/zoned.c +++ b/fs/btrfs/zoned.c @@ -425,7 +425,7 @@ int btrfs_get_dev_zone_info(struct btrfs_device *device) bdev_zoned_model(bdev), rcu_str_deref(device->name)); ret = -EOPNOTSUPP; - goto out; + goto out_free_zone_info; } btrfs_info_in_rcu(fs_info, @@ -437,9 +437,11 @@ int btrfs_get_dev_zone_info(struct btrfs_device *device) out: kfree(zones); +out_free_zone_info: bitmap_free(zone_info->empty_zones); bitmap_free(zone_info->seq_zones); kfree(zone_info); + device->zone_info = NULL; return ret; }
When we end up getting an unsupported zone model in btrfs_get_dev_zone_info() the default error handling case frees all allocated resources, but "zones" was already freed resulting in a double-free and "zone_info" is already assigned to device->zone_info resulting in a potential use-after-free. For the double free we could also set 'zones = NULL' after freeing, but I think this way is more readable. Reported-by: kernel test robot <lkp@intel.com> Reported-by: Julia Lawall <julia.lawall@lip6.fr> Fixes: 9e802babe329 ("btrfs: allow zoned mode on non-zoned block devices") Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com> --- fs/btrfs/zoned.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)