bcachefs: Fix a kasan splat in bch2_dev_add()
authorKent Overstreet <kent.overstreet@linux.dev>
Thu, 26 Oct 2023 21:00:36 +0000 (17:00 -0400)
committerKent Overstreet <kent.overstreet@linux.dev>
Thu, 2 Nov 2023 01:11:07 +0000 (21:11 -0400)
This fixes a use after free - mi is dangling after the resize call.

Additionally, resizing the device's member info section was useless - we
were attempting to preallocate the space required before adding it to
the filesystem superblock, but there are other sections that we should
have been preallocating as well for that to work.

Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
fs/bcachefs/super.c

index ce59018b27acc92d70b75ba68ba6e2b1c4db643a..835342b56003cba6186825849fa1e4b6012c0d2d 100644 (file)
@@ -1622,16 +1622,6 @@ int bch2_dev_add(struct bch_fs *c, const char *path)
                goto err_unlock;
        }
 
-       mi = bch2_sb_field_get(ca->disk_sb.sb, members_v2);
-
-       if (!bch2_sb_field_resize(&ca->disk_sb, members_v2,
-                               le32_to_cpu(mi->field.u64s) +
-                               sizeof(dev_mi) / sizeof(u64))) {
-               ret = -BCH_ERR_ENOSPC_sb_members;
-               bch_err_msg(c, ret, "setting up new superblock");
-               goto err_unlock;
-       }
-
        if (dynamic_fault("bcachefs:add:no_slot"))
                goto no_slot;
 
@@ -1645,6 +1635,8 @@ no_slot:
 
 have_slot:
        nr_devices = max_t(unsigned, dev_idx + 1, c->sb.nr_devices);
+
+       mi = bch2_sb_field_get(c->disk_sb.sb, members_v2);
        u64s = DIV_ROUND_UP(sizeof(struct bch_sb_field_members_v2) +
                            le16_to_cpu(mi->member_bytes) * nr_devices, sizeof(u64));
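Review bot: `mi` is dereferenced (`mi->member_bytes`) on the line right after the new `bch2_sb_field_get(c->disk_sb.sb, members_v2)` call with no NULL check, so a filesystem superblock without a members_v2 section would fault here if the getter returns NULL for a missing field. If that section is guaranteed to exist by this point, a comment saying so is enough; otherwise add a guard before the `u64s` computation that leaves through the function's existing error path. Because the bug being fixed was a pointer into the superblock outliving a resize, a short comment such as `/* mi points into c->disk_sb.sb; re-fetch after any bch2_sb_field_resize() */` would help keep later edits from reintroducing it. The rest of bch2_dev_add() lies outside this hunk, and the hunk appears to end one context line short on this page.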