From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date: Wed, 13 Sep 2023 16:44:08 +0000 (+0200)
Subject: bcachefs: Fix use-after-free in bch2_dev_add()
X-Git-Tag: v6.7-rc1~201^2~59
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=71933fb69b7c5fe5efd2119b645d4fde337a6f3f;p=thirdparty%2Fkernel%2Flinux.git

bcachefs: Fix use-after-free in bch2_dev_add()

If __bch2_dev_attach_bdev() fails, bch2_dev_free() is called twice.
Once here and another time in the error handling path.

This leads to several use-after-free.

Remove the redundant call and only rely on the error handling path.

Fixes: 6a44735653d4 ("bcachefs: Improved superblock-related error messages")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
---

diff --git a/fs/bcachefs/super.c b/fs/bcachefs/super.c
index 94e296397e323..9f852a6dd76a1 100644
--- a/fs/bcachefs/super.c
+++ b/fs/bcachefs/super.c
@@ -1613,10 +1613,8 @@ int bch2_dev_add(struct bch_fs *c, const char *path)
 	bch2_dev_usage_init(ca);
 
 	ret = __bch2_dev_attach_bdev(ca, &sb);
-	if (ret) {
-		bch2_dev_free(ca);
+	if (ret)
 		goto err;
-	}
 
 	ret = bch2_dev_journal_alloc(ca);
 	if (ret) {