bcache: fix use-after-free problem in bcache_device_free()

Coly Li · gregkh · commit d6a300977ac9 · 2021-11-18T19:17:17.000+01:00
commit 8468f45 upstream. In bcache_device_free(), pointer disk is referenced still in ida_simple_remove() after blk_cleanup_disk() gets called on this pointer. This may cause a potential panic by use-after-free on the disk pointer. This patch fixes the problem by calling blk_cleanup_disk() after ida_simple_remove(). Fixes: bc70852 ("bcache: convert to blk_alloc_disk/blk_cleanup_disk") Signed-off-by: Coly Li <colyli@suse.de> Cc: Christoph Hellwig <hch@lst.de> Cc: Hannes Reinecke <hare@suse.de> Cc: Ulf Hansson <ulf.hansson@linaro.org> Cc: stable@vger.kernel.org # v5.14+ Reviewed-by: Christoph Hellwig <hch@lst.de> Link: https://lore.kernel.org/r/20211103064917.67383-1-colyli@suse.de Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
@@ -885,9 +885,9 @@ static void bcache_device_free(struct bcache_device *d)
 		bcache_device_detach(d);
 
 	if (disk) {
-		blk_cleanup_disk(disk);
 		ida_simple_remove(&bcache_device_idx,
 				  first_minor_to_idx(disk->first_minor));
+		blk_cleanup_disk(disk);
 	}
 
 	bioset_exit(&d->bio_split);

Original file line number	Diff line number	Diff line change
`@@ -885,9 +885,9 @@ static void bcache_device_free(struct bcache_device *d)`
`885`	`885`	`bcache_device_detach(d);`
`886`	`886`
`887`	`887`	`if (disk) {`
`888`		`- blk_cleanup_disk(disk);`
`889`	`888`	`ida_simple_remove(&bcache_device_idx,`
`890`	`889`	`first_minor_to_idx(disk->first_minor));`
	`890`	`+ blk_cleanup_disk(disk);`
`891`	`891`	`}`
`892`	`892`
`893`	`893`	`bioset_exit(&d->bio_split);`