From: Slava Pestov Date: Sun, 13 Jul 2014 04:53:11 +0000 (-0700) Subject: bcache: fix use-after-free in btree_gc_coalesce() X-Git-Tag: firefly_0821_release~176^2~3399^2^2~7 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=400ffaa2acd72274e2c7293a9724382383bebf3e;p=firefly-linux-kernel-4.4.55.git bcache: fix use-after-free in btree_gc_coalesce() If we goto out_nocoalesce after we free new_nodes[0], we end up freeing new_nodes[0] again. This was generating a lockdep warning. The fix is to set new_nodes[0] to NULL, since the out_nocoalesce path safely ignores NULL entries in the new_nodes array. This regression was introduced in 2d7f9531. Change-Id: I76564d7257800583214376b4bacf236cda90c89c --- diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c index f8237856a61b..776583f7247d 100644 --- a/drivers/md/bcache/btree.c +++ b/drivers/md/bcache/btree.c @@ -1409,6 +1409,7 @@ static int btree_gc_coalesce(struct btree *b, struct btree_op *op, BUG_ON(btree_bset_first(new_nodes[0])->keys); btree_node_free(new_nodes[0]); rw_unlock(true, new_nodes[0]); + new_nodes[0] = NULL; for (i = 0; i < nodes; i++) { if (__bch_keylist_realloc(&keylist, bkey_u64s(&r[i].b->key)))