bcache: fix use-after-free problem in bcache_device_free()

Commit Message

Coly Li Nov. 3, 2021, 6:49 a.m. UTC

In bcache_device_free(), pointer disk is referenced still in
ida_simple_remove() after blk_cleanup_disk() gets called on this
pointer. This may cause a potential panic by use-after-free on the
disk pointer.

This patch fixes the problem by calling blk_cleanup_disk() after
ida_simple_remove().

Fixes: bc70852fd104 ("bcache: convert to blk_alloc_disk/blk_cleanup_disk")
Signed-off-by: Coly Li <colyli@suse.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Ulf Hansson <ulf.hansson@linaro.org>
Cc: stable@vger.kernel.org # v5.14+
---
 drivers/md/bcache/super.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Christoph Hellwig Nov. 3, 2021, 7:21 a.m. UTC | #1

Looks good,

Reviewed-by: Christoph Hellwig <hch@lst.de>

Jens Axboe Nov. 3, 2021, noon UTC | #2

On Wed, 3 Nov 2021 14:49:17 +0800, Coly Li wrote:
> In bcache_device_free(), pointer disk is referenced still in
> ida_simple_remove() after blk_cleanup_disk() gets called on this
> pointer. This may cause a potential panic by use-after-free on the
> disk pointer.
> 
> This patch fixes the problem by calling blk_cleanup_disk() after
> ida_simple_remove().
> 
> [...]

Applied, thanks!

[1/1] bcache: fix use-after-free problem in bcache_device_free()
      commit: 8468f45091d2866affed6f6a7aecc20779139173

Best regards,

Patch

diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
index 4a9a65dff95e..86b9e355c583 100644
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -885,9 +885,9 @@  static void bcache_device_free(struct bcache_device *d)
 		bcache_device_detach(d);
 
 	if (disk) {
-		blk_cleanup_disk(disk);
 		ida_simple_remove(&bcache_device_idx,
 				  first_minor_to_idx(disk->first_minor));
+		blk_cleanup_disk(disk);
 	}
 
 	bioset_exit(&d->bio_split);