---
...e-fix-use-after-free-in-btree_gc_coalesce.patch | 36 ++++++++++++++++++++++
series.conf | 1 +
2 files changed, 37 insertions(+)
create mode 100644 patches.fixes/0009-bcache-fix-use-after-free-in-btree_gc_coalesce.patch
diff --git a/patches.fixes/0009-bcache-fix-use-after-free-in-btree_gc_coalesce.patch b/patches.fixes/0009-bcache-fix-use-after-free-in-btree_gc_coalesce.patch
new file mode 100644
index 0000000..f9f451f
--- /dev/null
+++ b/patches.fixes/0009-bcache-fix-use-after-free-in-btree_gc_coalesce.patch
@@ -0,0 +1,36 @@
+From 9133a31a0a23dd6ec0c02a3d21a2667892677b9d Mon Sep 17 00:00:00 2001
+From: Slava Pestov
+Date: Sat, 12 Jul 2014 21:53:11 -0700
+Subject: [PATCH 09/14] bcache: fix use-after-free in btree_gc_coalesce()
+Git-commit: 400ffaa2acd72274e2c7293a9724382383bebf3e
+Patch-mainline: v3.17
+References: bnc#908604
+
+If we goto out_nocoalesce after we free new_nodes[0], we end up freeing
+new_nodes[0] again. This was generating a lockdep warning. The fix is
+to set new_nodes[0] to NULL, since the out_nocoalesce path safely
+ignores NULL entries in the new_nodes array.
+
+This regression was introduced in 2d7f9531.
+
+Change-Id: I76564d7257800583214376b4bacf236cda90c89c
+Signed-off-by: Joshua Schmid
+---
+ drivers/md/bcache/btree.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
+index 5ef445d..e3aece2 100644
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -1403,6 +1403,7 @@ static int btree_gc_coalesce(struct btree *b, struct btree_op *op,
+ BUG_ON(btree_bset_first(new_nodes[0])->keys);
+ btree_node_free(new_nodes[0]);
+ rw_unlock(true, new_nodes[0]);
++ new_nodes[0] = NULL;
+
+ for (i = 0; i < nodes; i++) {
+ if (__bch_keylist_realloc(&keylist, bkey_u64s(&r[i].b->key)))
+--
+2.1.2
+
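Review bot: The added `new_nodes[0] = NULL;` in btree_gc_coalesce() has no comment, and the reason for it cannot be seen at that spot. According to the patch description, the out_nocoalesce path frees the entries of new_nodes[] and skips NULL ones, so the slot has to be cleared once the node has been freed and unlocked. I would put a comment above the assignment, e.g. `/* already freed and unlocked; clear the slot so out_nocoalesce does not free it again */`. The `__bch_keylist_realloc()` failure in the loop just below is presumably one of the jumps that reaches that path. The label and the rest of the function lie outside the hunk, so it is worth confirming that every later use of new_nodes[0] tolerates NULL.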
diff --git a/series.conf b/series.conf
index dfca269..fbce3cb 100644
--- a/series.conf
+++ b/series.conf
@@ -429,6 +429,7 @@
patches.fixes/0006-bcache-Make-sure-to-pass-GFP_WAIT-to-mempool_alloc.patch
patches.fixes/0007-bcache-fix-typo-in-bch_bkey_equal_header.patch
patches.fixes/0008-bcache-Fix-an-infinite-loop-in-journal-replay.patch
+ patches.fixes/0009-bcache-fix-use-after-free-in-btree_gc_coalesce.patch
########################################################
# DRM/Video
--
2.1.2