fix double free on error in read_raid56()

(cherry picked from commit 065c0a60690d2c2cbd99ab72fef3b82dd09737a8)
2024-06-24 10:31:09 +08:00 · 2024-06-24 10:31:09 +08:00 · 75f72d76b2
commit 75f72d76b2
parent 9925051177
2 changed files with 47 additions and 1 deletions
--- a/0006-fix-double-free-on-error-in-read_raid56.patch
+++ b/0006-fix-double-free-on-error-in-read_raid56.patch
@ -0,0 +1,42 @@
+From 844caf8639826ed4ddc6dc7b3ba30bd19f9b21d8 Mon Sep 17 00:00:00 2001
+From: David Sterba <dsterba@suse.com>
+Date: Thu, 4 Apr 2024 00:55:47 +0200
+Subject: [PATCH] btrfs-progs: fix double free on error in read_raid56()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reported by 'gcc -fanalyzer':
+kernel-shared/extent_io.c: In function ‘read_raid56’:
+./include/kerncompat.h:393:18: warning: dereference of NULL ‘pointers’ [CWE-476] [-Wanalyzer-null-dereference]
+
+After allocation of the pointers array fails it's dereferenced in the
+exit block. We can return immediately instead.
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+
+---
+ kernel-shared/extent_io.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/kernel-shared/extent_io.c b/kernel-shared/extent_io.c
+index ee19430..e62ca63 100644
+--- a/kernel-shared/extent_io.c
+++ b/kernel-shared/extent_io.c
+@@ -339,10 +339,9 @@ static int read_raid56(struct btrfs_fs_info *fs_info, void *buf, u64 logical,
+ 	ASSERT(len <= BTRFS_STRIPE_LEN);
+ 
+ 	pointers = calloc(num_stripes, sizeof(void *));
+-	if (!pointers) {
+-		ret = -ENOMEM;
+-		goto out;
+-	}
+	if (!pointers)
+		return -ENOMEM;
+
+ 	/* Allocate memory for the full stripe */
+ 	for (i = 0; i < num_stripes; i++) {
+ 		pointers[i] = kmalloc(BTRFS_STRIPE_LEN, GFP_KERNEL);
+-- 
+2.27.0
+
--- a/btrfs-progs.spec
+++ b/btrfs-progs.spec
@ -1,6 +1,6 @@
 Name:       btrfs-progs
 Version:    6.6.3
-Release:    6
+Release:    7
 Summary:    btrfs userspace programs
 License:    GPLv2 and GPL+ and LGPL-2.1+ and GPL-3.0+ and LGPL-2.1 and MIT
 URL:        https://btrfs.wiki.kernel.org/index.php/Main_Page
@ -11,6 +11,7 @@ Patch0002:  0002-subvolume-fix-return-value-when-the-target-exists.patch
 Patch0003:  0003-fix-memory-leak-on-exit-path-in-table-vprintf.patch
 Patch0004:  0004-btrfs-progs-scrub-status-only-report-limits-if-at-le.patch
 Patch0005:  0005-btrfs-progs-fix-freeing-of-device-after-error-in-btr.patch
+Patch0006:  0006-fix-double-free-on-error-in-read_raid56.patch

 BuildRequires:  python3-devel >= 3.4
 BuildRequires:  libacl-devel, e2fsprogs-devel, libblkid-devel, libuuid-devel, zlib-devel, libzstd-devel, lzo-devel, systemd-devel
@ -76,6 +77,9 @@ make mandir=%{_mandir} bindir=%{_sbindir} libdir=%{_libdir} incdir=%{_includedir
 %{_mandir}/man8/*.gz

 %changelog
+* Mon Jun 24 2024 zhangyaqi <zhangyaqi@kylinos.cn> - 6.6.3-7
+- fix double free on error in read_raid56()
+
 * Fri Jun 21 2024 liuh <liuhuan01@kylinos.cn> - 6.6.3-6
 - backport patch fix null dereference risk