bcachefs: return err ptr instead of null in read sb clean

Diogo Jahchan Koike · Kent Overstreet · commit 025c55a4c7f1 · 2024-09-21T11:39:49.000-04:00
syzbot reported a null-ptr-deref in bch2_fs_start. [0] When a sb is marked clear but doesn't have a clean section bch2_read_superblock_clean returns NULL which PTR_ERR_OR_ZERO lets through, eventually leading to a null ptr dereference down the line. Adjust read sb clean to return an ERR_PTR indicating the invalid clean section. [0] https://syzkaller.appspot.com/bug?extid=1cecc37d87c4286e5543 Reported-by: syzbot+1cecc37d87c4286e5543@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=1cecc37d87c4286e5543 Signed-off-by: Diogo Jahchan Koike <djahchankoike@gmail.com> Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
diff --git a/fs/bcachefs/sb-clean.c b/fs/bcachefs/sb-clean.c
@@ -155,7 +155,7 @@ struct bch_sb_field_clean *bch2_read_superblock_clean(struct bch_fs *c)
 		SET_BCH_SB_CLEAN(c->disk_sb.sb, false);
 		c->sb.clean = false;
 		mutex_unlock(&c->sb_lock);
-		return NULL;
+		return ERR_PTR(-BCH_ERR_invalid_sb_clean);
 	}
 
 	clean = kmemdup(sb_clean, vstruct_bytes(&sb_clean->field),

Original file line number	Diff line number	Diff line change
`@@ -155,7 +155,7 @@ struct bch_sb_field_clean bch2_read_superblock_clean(struct bch_fs c)`
`155`	`155`	`SET_BCH_SB_CLEAN(c->disk_sb.sb, false);`
`156`	`156`	`c->sb.clean = false;`
`157`	`157`	`mutex_unlock(&c->sb_lock);`
`158`		`- return NULL;`
	`158`	`+ return ERR_PTR(-BCH_ERR_invalid_sb_clean);`
`159`	`159`	`}`
`160`	`160`
`161`	`161`	`clean = kmemdup(sb_clean, vstruct_bytes(&sb_clean->field),`