bcachefs: return err ptr instead of null in read sb clean

syzbot reported a null-ptr-deref in bch2_fs_start. [0]

When a sb is marked clear but doesn't have a clean section
bch2_read_superblock_clean returns NULL which PTR_ERR_OR_ZERO
lets through, eventually leading to a null ptr dereference down
the line. Adjust read sb clean to return an ERR_PTR indicating the
invalid clean section.

[0] https://syzkaller.appspot.com/bug?extid=1cecc37d87c4286e5543

Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=1cecc37d87c4286e5543
Signed-off-by: Diogo Jahchan Koike <[email protected]>
Signed-off-by: Kent Overstreet <[email protected]>

diff --git a/fs/bcachefs/sb-clean.c b/fs/bcachefs/sb-clean.c
index c57d42bb8d1b82a0c0ac291210140628cce8a87a..025848a9c4c03dc14a5dcda55494a7b6ef8d00d6 100644 (file)
--- a/fs/bcachefs/sb-clean.c
+++ b/fs/bcachefs/sb-clean.c
@@ -155,7 +155,7 @@ struct bch_sb_field_clean *bch2_read_superblock_clean(struct bch_fs *c)
                SET_BCH_SB_CLEAN(c->disk_sb.sb, false);
                c->sb.clean = false;
                mutex_unlock(&c->sb_lock);
-               return NULL;
+               return ERR_PTR(-BCH_ERR_invalid_sb_clean);
        }
 
        clean = kmemdup(sb_clean, vstruct_bytes(&sb_clean->field),