linux/block/bdev.c, branch v5.15Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
https://git.shady.money/linux/atom?h=v5.152021-10-02T13:29:20Zblock: genhd: fix double kfree() in __alloc_disk_node()2021-10-02T13:29:20ZTetsuo Handapenguin-kernel@i-love.sakura.ne.jp2021-10-02T09:23:02Zurn:sha1:06cc978d3ff226072780f74897800b33e78abb57
syzbot is reporting use-after-free read at bdev_free_inode() [1], for
kfree() from __alloc_disk_node() is called before bdev_free_inode()
(which is called after RCU grace period) reads bdev->bd_disk and calls
kfree(bdev->bd_disk).
Fix use-after-free read followed by double kfree() problem
by making sure that bdev->bd_disk is NULL when calling iput().
Link: https://syzkaller.appspot.com/bug?extid=8281086e8a6fbfbd952a [1]
Reported-by: syzbot <syzbot+8281086e8a6fbfbd952a@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/e6dd13c5-8db0-4392-6e78-a42ee5d2a1c4@i-love.sakura.ne.jp
Signed-off-by: Jens Axboe <axboe@kernel.dk>
block: move fs/block_dev.c to block/bdev.c2021-09-07T14:39:40ZChristoph Hellwighch@lst.de2021-09-07T14:13:03Zurn:sha1:0dca4462ed0681649fdcd5700a6ddfbaa65fa178
Move it together with the rest of the block layer.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20210907141303.1371844-3-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>