FAILED: patch "[PATCH] btrfs: fix extent map use-after-free when handling missing" failed to apply to 5.15-stable tree

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

* FAILED: patch "[PATCH] btrfs: fix extent map use-after-free when handling missing" failed to apply to 5.15-stable tree
@ 2023-01-04 12:52 gregkh
  0 siblings, 0 replies; only message in thread
From: gregkh @ 2023-01-04 12:52 UTC (permalink / raw)
  To: void0red, 1527030098, dsterba; +Cc: stable


The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

Possible dependencies:

1742e1c90c3d ("btrfs: fix extent map use-after-free when handling missing device in read_one_chunk")
ff37c89f94be ("btrfs: move missing device handling in a dedicate function")
562d7b1512f7 ("btrfs: handle device lookup with btrfs_dev_lookup_args")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 1742e1c90c3da344f3bb9b1f1309b3f47482756a Mon Sep 17 00:00:00 2001
From: void0red <void0red@gmail.com>
Date: Wed, 23 Nov 2022 22:39:45 +0800
Subject: [PATCH] btrfs: fix extent map use-after-free when handling missing
 device in read_one_chunk

Store the error code before freeing the extent_map. Though it's
reference counted structure, in that function it's the first and last
allocation so this would lead to a potential use-after-free.

The error can happen eg. when chunk is stored on a missing device and
the degraded mount option is missing.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=216721
Reported-by: eriri <1527030098@qq.com>
Fixes: adfb69af7d8c ("btrfs: add_missing_dev() should return the actual error")
CC: stable@vger.kernel.org # 4.9+
Signed-off-by: void0red <void0red@gmail.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>

diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index acab20f2863d..aa25fa335d3e 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -6976,8 +6976,9 @@ static int read_one_chunk(struct btrfs_key *key, struct extent_buffer *leaf,
 			map->stripes[i].dev = handle_missing_device(fs_info,
 								    devid, uuid);
 			if (IS_ERR(map->stripes[i].dev)) {
+				ret = PTR_ERR(map->stripes[i].dev);
 				free_extent_map(em);
-				return PTR_ERR(map->stripes[i].dev);
+				return ret;
 			}
 		}
 


^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2023-01-04 12:53 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-01-04 12:52 FAILED: patch "[PATCH] btrfs: fix extent map use-after-free when handling missing" failed to apply to 5.15-stable tree gregkh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox