diff options
| author | Coly Li <colyli@suse.de> | 2021-11-03 09:49:17 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-11-18 21:17:17 +0300 |
| commit | d6a300977ac9fd714303049a37e0f5f74ef5e6c9 (patch) | |
| tree | aa5a684c7aca3288076bba6c3f776b61c7ab1d36 /drivers/md | |
| parent | a958d144754e6090ef321b2ec4e53c51048bc35f (diff) | |
| download | linux-d6a300977ac9fd714303049a37e0f5f74ef5e6c9.tar.xz | |
bcache: fix use-after-free problem in bcache_device_free()
commit 8468f45091d2866affed6f6a7aecc20779139173 upstream.
In bcache_device_free(), pointer disk is referenced still in
ida_simple_remove() after blk_cleanup_disk() gets called on this
pointer. This may cause a potential panic by use-after-free on the
disk pointer.
This patch fixes the problem by calling blk_cleanup_disk() after
ida_simple_remove().
Fixes: bc70852fd104 ("bcache: convert to blk_alloc_disk/blk_cleanup_disk")
Signed-off-by: Coly Li <colyli@suse.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Ulf Hansson <ulf.hansson@linaro.org>
Cc: stable@vger.kernel.org # v5.14+
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20211103064917.67383-1-colyli@suse.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/md')
| -rw-r--r-- | drivers/md/bcache/super.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c index f2874c77ff79..3f72c0f40613 100644 --- a/drivers/md/bcache/super.c +++ b/drivers/md/bcache/super.c @@ -885,9 +885,9 @@ static void bcache_device_free(struct bcache_device *d) bcache_device_detach(d); if (disk) { - blk_cleanup_disk(disk); ida_simple_remove(&bcache_device_idx, first_minor_to_idx(disk->first_minor)); + blk_cleanup_disk(disk); } bioset_exit(&d->bio_split); |