From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Coly Li <colyli@suse.de>, Christoph Hellwig <hch@lst.de>,
Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>,
linux-bcache@vger.kernel.org
Subject: [PATCH AUTOSEL 5.5 454/542] bcache: fix use-after-free in register_bcache()
Date: Fri, 14 Feb 2020 10:47:26 -0500 [thread overview]
Message-ID: <20200214154854.6746-454-sashal@kernel.org> (raw)
In-Reply-To: <20200214154854.6746-1-sashal@kernel.org>
From: Coly Li <colyli@suse.de>
[ Upstream commit ae3cd299919af6eb670d5af0bc9d7ba14086bd8e ]
The patch "bcache: rework error unwinding in register_bcache" introduces
a use-after-free regression in register_bcache(). Here are current code,
2510 out_free_path:
2511 kfree(path);
2512 out_module_put:
2513 module_put(THIS_MODULE);
2514 out:
2515 pr_info("error %s: %s", path, err);
2516 return ret;
If some error happens and the above code path is executed, at line 2511
path is released, but referenced at line 2515. Then KASAN reports a use-
after-free error message.
This patch changes line 2515 in the following way to fix the problem,
2515 pr_info("error %s: %s", path?path:"", err);
Signed-off-by: Coly Li <colyli@suse.de>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/bcache/super.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
index bd2ae1d78fe15..05cb94664efee 100644
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -2475,10 +2475,11 @@ static ssize_t register_bcache(struct kobject *k, struct kobj_attribute *attr,
kfree(sb);
out_free_path:
kfree(path);
+ path = NULL;
out_module_put:
module_put(THIS_MODULE);
out:
- pr_info("error %s: %s", path, err);
+ pr_info("error %s: %s", path?path:"", err);
return ret;
}
--
2.20.1
next prev parent reply other threads:[~2020-02-14 15:47 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200214154854.6746-1-sashal@kernel.org>
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 452/542] bcache: cached_dev_free needs to put the sb page Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 453/542] bcache: rework error unwinding in register_bcache Sasha Levin
2020-02-14 15:47 ` Sasha Levin [this message]
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 455/542] bcache: avoid unnecessary btree nodes flushing in btree_flush_write() Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 510/542] bcache: explicity type cast in bset_bkey_last() Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 511/542] bcache: fix incorrect data type usage in btree_flush_write() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200214154854.6746-454-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=axboe@kernel.dk \
--cc=colyli@suse.de \
--cc=hch@lst.de \
--cc=linux-bcache@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).