bcache: fix use-after-free in btree_gc_coalesce()

If we goto out_nocoalesce after we free new_nodes[0], we end up freeing new_nodes[0] again. This was generating a lockdep warning. The fix is to set new_nodes[0] to NULL, since the out_nocoalesce path safely ignores NULL entries in the new_nodes array. This regression was introduced in 2d7f9531. Change-Id: I76564d7257800583214376b4bacf236cda90c89c

bcache: fix use-after-free in btree_gc_coalesce()
If we goto out_nocoalesce after we free new_nodes[0], we end up freeing new_nodes[0] again. This was generating a lockdep warning. The fix is to set new_nodes[0] to NULL, since the out_nocoalesce path safely ignores NULL entries in the new_nodes array. This regression was introduced in 2d7f9531. Change-Id: I76564d7257800583214376b4bacf236cda90c89c
Slava Pestov · Kent Overstreet
1 parent 6b708de64a
Showing 1 changed file with 1 additions and 0 deletions Side-by-side Diff
drivers/md/bcache/btree.c
@@ -1409,6 +1409,7 @@
 	BUG_ON(btree_bset_first(new_nodes[0])->keys);
 	btree_node_free(new_nodes[0]);
 	rw_unlock(true, new_nodes[0]);
+	new_nodes[0] = NULL;
  
 	for (i = 0; i < nodes; i++) {
 		if (__bch_keylist_realloc(&keylist, bkey_u64s(&r[i].b->key)))
...	...	@@ -1409,6 +1409,7 @@
1409	1409	BUG_ON(btree_bset_first(new_nodes[0])->keys);
1410	1410	btree_node_free(new_nodes[0]);
1411	1411	rw_unlock(true, new_nodes[0]);
	1412	+ new_nodes[0] = NULL;
1412	1413
1413	1414	for (i = 0; i < nodes; i++) {
1414	1415	if (__bch_keylist_realloc(&keylist, bkey_u64s(&r[i].b->key)))