mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-08 15:04:45 +00:00
bcachefs: Fix rare use after free in read path
If the bkey_on_stack_reassemble() call in __bch2_read_indirect_extent() reallocates the buffer, k in bch2_read - which we pointed at the bkey_on_stack buffer - will now point to a stale buffer. Whoops. Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com> Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
This commit is contained in:
parent
e00711d2ca
commit
13dcd4abcd
@ -782,18 +782,19 @@ static void bchfs_read(struct btree_trans *trans, struct btree_iter *iter,
|
||||
if (ret)
|
||||
break;
|
||||
|
||||
bkey_on_stack_reassemble(&sk, c, k);
|
||||
k = bkey_i_to_s_c(sk.k);
|
||||
|
||||
offset_into_extent = iter->pos.offset -
|
||||
bkey_start_offset(k.k);
|
||||
sectors = k.k->size - offset_into_extent;
|
||||
|
||||
bkey_on_stack_reassemble(&sk, c, k);
|
||||
|
||||
ret = bch2_read_indirect_extent(trans,
|
||||
&offset_into_extent, &sk);
|
||||
if (ret)
|
||||
break;
|
||||
|
||||
k = bkey_i_to_s_c(sk.k);
|
||||
|
||||
sectors = min(sectors, k.k->size - offset_into_extent);
|
||||
|
||||
bch2_trans_unlock(trans);
|
||||
|
@ -911,20 +911,21 @@ static int bch2_fiemap(struct inode *vinode, struct fiemap_extent_info *info,
|
||||
continue;
|
||||
}
|
||||
|
||||
bkey_on_stack_realloc(&cur, c, k.k->u64s);
|
||||
bkey_on_stack_realloc(&prev, c, k.k->u64s);
|
||||
bkey_reassemble(cur.k, k);
|
||||
k = bkey_i_to_s_c(cur.k);
|
||||
|
||||
offset_into_extent = iter->pos.offset -
|
||||
bkey_start_offset(k.k);
|
||||
sectors = k.k->size - offset_into_extent;
|
||||
|
||||
bkey_on_stack_realloc(&cur, c, k.k->u64s);
|
||||
bkey_on_stack_realloc(&prev, c, k.k->u64s);
|
||||
bkey_reassemble(cur.k, k);
|
||||
|
||||
ret = bch2_read_indirect_extent(&trans,
|
||||
&offset_into_extent, &cur);
|
||||
if (ret)
|
||||
break;
|
||||
|
||||
k = bkey_i_to_s_c(cur.k);
|
||||
|
||||
sectors = min(sectors, k.k->size - offset_into_extent);
|
||||
|
||||
if (offset_into_extent)
|
||||
|
@ -1667,7 +1667,6 @@ static void bch2_read_retry(struct bch_fs *c, struct bch_read_bio *rbio,
|
||||
unsigned bytes, sectors, offset_into_extent;
|
||||
|
||||
bkey_on_stack_reassemble(&sk, c, k);
|
||||
k = bkey_i_to_s_c(sk.k);
|
||||
|
||||
offset_into_extent = iter->pos.offset -
|
||||
bkey_start_offset(k.k);
|
||||
@ -1678,6 +1677,8 @@ static void bch2_read_retry(struct bch_fs *c, struct bch_read_bio *rbio,
|
||||
if (ret)
|
||||
break;
|
||||
|
||||
k = bkey_i_to_s_c(sk.k);
|
||||
|
||||
sectors = min(sectors, k.k->size - offset_into_extent);
|
||||
|
||||
bch2_trans_unlock(&trans);
|
||||
@ -2311,13 +2312,14 @@ void bch2_read(struct bch_fs *c, struct bch_read_bio *rbio, u64 inode)
|
||||
sectors = k.k->size - offset_into_extent;
|
||||
|
||||
bkey_on_stack_reassemble(&sk, c, k);
|
||||
k = bkey_i_to_s_c(sk.k);
|
||||
|
||||
ret = bch2_read_indirect_extent(&trans,
|
||||
&offset_into_extent, &sk);
|
||||
if (ret)
|
||||
goto err;
|
||||
|
||||
k = bkey_i_to_s_c(sk.k);
|
||||
|
||||
/*
|
||||
* With indirect extents, the amount of data to read is the min
|
||||
* of the original extent and the indirect extent:
|
||||
|
Loading…
Reference in New Issue
Block a user