Commit 8440da93 authored by Kent Overstreet

bcachefs: Fix UAF in __promote_alloc() error path



If we error in data_update_init() after adding to the rhashtable of
outstanding promotes, kfree_rcu() is required.

Reported-by: Reed Riley <reed@riley.engineer>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
parent f9f0a539
+2 −1
@@ -262,7 +262,8 @@ static struct promote_op *__promote_alloc(struct btree_trans *trans,
		bio_free_pages(&(*rbio)->bio);
	kfree(*rbio);
	*rbio = NULL;
	kfree(op);
	/* We may have added to the rhashtable and thus need rcu freeing: */
	kfree_rcu(op, rcu);
	bch2_write_ref_put(c, BCH_WRITE_REF_promote);
	return ERR_PTR(ret);
}
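
Review bot: in this error path of __promote_alloc(), kfree_rcu(op, rcu) only defers the free past a grace period, and the visible context does not show op being removed from the rhashtable before it is queued. If the entry is still linked when the grace period ends, a later lookup can reach freed memory again, so please confirm the removal happens earlier in the error path (above the lines shown) and say so in the comment, for example "removed from the rhashtable above, but RCU readers may still hold a pointer". The rendered page drops the +/- markers; going by the +2 −1 count, kfree(op) is the removed line and the comment plus kfree_rcu(op, rcu) are the added ones, so only one free of op remains. A Fixes: tag in the commit message naming the change that introduced the rhashtable insertion would help stable backports.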