bcachefs: Fix UAF in __promote_alloc() error path

If we error in data_update_init() after adding to the rhashtable of
outstanding promotes, kfree_rcu() is required.

Reported-by: Reed Riley <reed@riley.engineer>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
This commit is contained in:
Kent Overstreet 2024-11-06 16:40:08 -05:00
parent f9f0a5390d
commit 8440da9331

View File

@ -262,7 +262,8 @@ err:
bio_free_pages(&(*rbio)->bio); bio_free_pages(&(*rbio)->bio);
kfree(*rbio); kfree(*rbio);
*rbio = NULL; *rbio = NULL;
kfree(op); /* We may have added to the rhashtable and thus need rcu freeing: */
kfree_rcu(op, rcu);
bch2_write_ref_put(c, BCH_WRITE_REF_promote); bch2_write_ref_put(c, BCH_WRITE_REF_promote);
return ERR_PTR(ret); return ERR_PTR(ret);
} }