From: Dan Robertson
Date: Thu, 13 May 2021 00:54:37 +0000 (-0400)
Subject: bcachefs: Fix null deref in bch2_ioctl_read_super
X-Git-Tag: io_uring-6.7-2023-11-10~119^2~1584
X-Git-Url: https://git.kernel.dk/?a=commitdiff_plain;h=2b25de552f8a8d9cae5b54c83137c67e03ee1957;p=linux-2.6-block.git

bcachefs: Fix null deref in bch2_ioctl_read_super

Do not attempt to clean up the returned value of bch2_device_lookup if the returned value was an error pointer. We currently check to see if the returned value is null and run the cleanup otherwise. As a result, we attempt to run the cleanup on an error pointer.

Signed-off-by: Dan Robertson
Signed-off-by: Kent Overstreet
---
diff --git a/fs/bcachefs/chardev.c b/fs/bcachefs/chardev.c index 34085e32a159..b0cbbb70161d 100644 --- a/fs/bcachefs/chardev.c +++ b/fs/bcachefs/chardev.c @@ -523,7 +523,7 @@ static long bch2_ioctl_read_super(struct bch_fs *c, ret = copy_to_user((void __user *)(unsigned long)arg.sb, sb, vstruct_bytes(sb)); err: - if (ca) + if (!IS_ERR_OR_NULL(ca)) percpu_ref_put(&ca->ref); mutex_unlock(&c->sb_lock); return ret;
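
Review bot: the guard at the err: label leaves ca holding an error pointer until the function returns, so any code later added between the lookup and this label can still dereference it. Consider handling the failure where bch2_device_lookup returns (that call site is outside this hunk): take PTR_ERR(ca) into ret and reset ca to NULL there, which lets the cleanup stay as the original "if (ca)". Separately, in the context lines above the label, "ret = copy_to_user(...)" stores the number of bytes that could not be copied, and "return ret;" hands that positive count back to the ioctl caller; converting a non-zero result to -EFAULT would be the usual form. The subject line says "null deref", while the case fixed is percpu_ref_put(&ca->ref) on an error pointer, so the title could name that instead.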