Message ID | x49a75q1fg8.fsf@segfault.boston.devel.redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | fs: fix use after free in get_tree_bdev |
On Mon, 2020-02-10 at 13:10 -0500, Jeff Moyer wrote: > Commit 6fcf0c72e4b9 ("vfs: add missing blkdev_put() in > get_tree_bdev()") > introduced a use-after-free of the bdev. This was caught by fstests > generic/085, which now results in a kernel panic. Fix it. Oops! Thanks Jeff. Acked-by: Ian Kent <raven@themaw.net> > > Cc: stable@vger.kernel.org # v5.4+ > Fixes: 6fcf0c72e4b9 ("vfs: add missing blkdev_put() in > get_tree_bdev()") > Signed-off-by: Jeff Moyer <jmoyer@redhat.com> > > diff --git a/fs/super.c b/fs/super.c > index cd352530eca9..a288cd60d2ae 100644 > --- a/fs/super.c > +++ b/fs/super.c > @@ -1302,8 +1302,8 @@ int get_tree_bdev(struct fs_context *fc, > mutex_lock(&bdev->bd_fsfreeze_mutex); > if (bdev->bd_fsfreeze_count > 0) { > mutex_unlock(&bdev->bd_fsfreeze_mutex); > - blkdev_put(bdev, mode); > warnf(fc, "%pg: Can't mount, blockdev is frozen", > bdev); > + blkdev_put(bdev, mode); > return -EBUSY; > } > >
diff --git a/fs/super.c b/fs/super.c index cd352530eca9..a288cd60d2ae 100644 --- a/fs/super.c +++ b/fs/super.c @@ -1302,8 +1302,8 @@ int get_tree_bdev(struct fs_context *fc, mutex_lock(&bdev->bd_fsfreeze_mutex); if (bdev->bd_fsfreeze_count > 0) { mutex_unlock(&bdev->bd_fsfreeze_mutex); - blkdev_put(bdev, mode); warnf(fc, "%pg: Can't mount, blockdev is frozen", bdev); + blkdev_put(bdev, mode); return -EBUSY; }
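Review bot: in the `bd_fsfreeze_count > 0` branch of get_tree_bdev(), nothing records why blkdev_put(bdev, mode) has to come after warnf(), so the next cleanup of this error path could move it back. The warnf() call still passes bdev for the "%pg" specifier, which means the reference must be held until the message has been formatted. A one-line comment above warnf() saying that bdev is dereferenced there would make the ordering constraint visible. The commit message would also be easier to act on for stable backporters if it named the offending access (warnf() reading bdev after the put) instead of only "Fix it".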
Commit 6fcf0c72e4b9 ("vfs: add missing blkdev_put() in get_tree_bdev()") introduced a use-after-free of the bdev. This was caught by fstests generic/085, which now results in a kernel panic. Fix it.

Cc: stable@vger.kernel.org # v5.4+
Fixes: 6fcf0c72e4b9 ("vfs: add missing blkdev_put() in get_tree_bdev()")
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>