bcachefs: Fix a kasan splat in bch2_dev_add()

This fixes a use after free - mi is dangling after the resize call. Additionally, resizing the device's member info section was useless - we were attempting to preallocate the space required before adding it to the filesystem superblock, but there's other sections that we should have been preallocating as well for that to work. Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

bcachefs: Fix a kasan splat in bch2_dev_add()
This fixes a use after free - mi is dangling after the resize call. Additionally, resizing the device's member info section was useless - we were attempting to preallocate the space required before adding it to the filesystem superblock, but there's other sections that we should have been preallocating as well for that to work. Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
e8484348 · Kent Overstreet · 5c1ab40e · e8484348
Commit e8484348 authored Oct 26, 2023 by Kent Overstreet
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 10 deletions

fs/bcachefs/super.c fs/bcachefs/super.c +2 -10

No files found.
--- a/fs/bcachefs/super.c
+++ b/fs/bcachefs/super.c
@@ -1622,16 +1622,6 @@ int bch2_dev_add(struct bch_fs *c, const char *path)
 		goto err_unlock;
 	}
-	mi = bch2_sb_field_get(ca->disk_sb.sb, members_v2);
-	if (!bch2_sb_field_resize(&ca->disk_sb, members_v2,
-				le32_to_cpu(mi->field.u64s) +
-				sizeof(dev_mi) / sizeof(u64))) {
-		ret = -BCH_ERR_ENOSPC_sb_members;
-		bch_err_msg(c, ret, "setting up new superblock");
-		goto err_unlock;
-	}
 	if (dynamic_fault("bcachefs:add:no_slot"))
 		goto no_slot;
@@ -1645,6 +1635,8 @@ int bch2_dev_add(struct bch_fs *c, const char *path)
 have_slot:
 	nr_devices = max_t(unsigned, dev_idx + 1, c->sb.nr_devices);
+	mi = bch2_sb_field_get(c->disk_sb.sb, members_v2);
 	u64s = DIV_ROUND_UP(sizeof(struct bch_sb_field_members_v2) +
 			    le16_to_cpu(mi->member_bytes) * nr_devices, sizeof(u64));