f2fs: fix double free of f2fs_sb_info

ebiggers · ebiggers · commit c919330dd578 · 2024-01-12T18:55:09.000-08:00
kill_f2fs_super() is called even if f2fs_fill_super() fails. f2fs_fill_super() frees the struct f2fs_sb_info, so it must set sb->s_fs_info to NULL to prevent it from being freed again. Fixes: 275dca4 ("f2fs: move release of block devices to after kill_block_super()") Reported-by: <syzbot+8f477ac014ff5b32d81f@syzkaller.appspotmail.com> Closes: https://lore.kernel.org/lkml/0000000000006cb174060ec34502@google.com Reviewed-by: Chao Yu <chao@kernel.org> Link: https://lore.kernel.org/linux-f2fs-devel/20240113005747.38887-1-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com>
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
@@ -4880,6 +4880,7 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
 	if (sbi->s_chksum_driver)
 		crypto_free_shash(sbi->s_chksum_driver);
 	kfree(sbi);
+	sb->s_fs_info = NULL;
 
 	/* give only one another chance */
 	if (retry_cnt > 0 && skip_recovery) {
