From: Kent Overstreet <kent.overstreet@linux.dev>
Date: Wed, 6 Nov 2024 21:40:08 +0000 (-0500)
Subject: bcachefs: Fix UAF in __promote_alloc() error path
X-Git-Tag: v6.12-rc7~21^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8440da933127fc5330c3d1090cdd612fddbc40eb;p=thirdparty%2Flinux.git

bcachefs: Fix UAF in __promote_alloc() error path

If we error in data_update_init() after adding to the rhashtable of
outstanding promotes, kfree_rcu() is required.

Reported-by: Reed Riley <reed@riley.engineer>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
---

diff --git a/fs/bcachefs/io_read.c b/fs/bcachefs/io_read.c
index ac6a6fcc2bb8f..b3b934a87c6de 100644
--- a/fs/bcachefs/io_read.c
+++ b/fs/bcachefs/io_read.c
@@ -262,7 +262,8 @@ err:
 		bio_free_pages(&(*rbio)->bio);
 	kfree(*rbio);
 	*rbio = NULL;
-	kfree(op);
+	/* We may have added to the rhashtable and thus need rcu freeing: */
+	kfree_rcu(op, rcu);
 	bch2_write_ref_put(c, BCH_WRITE_REF_promote);
 	return ERR_PTR(ret);
 }