bcache: fix cache_set_flush() NULL pointer dereference on OOM

Eric Wheeler · axboe · commit f8b11260a445 · 2016-03-08T09:19:10.000-07:00
When bch_cache_set_alloc() fails to kzalloc the cache_set, the
asyncronous closure handling tries to dereference a cache_set that
hadn't yet been allocated inside of cache_set_flush() which is called
by __cache_set_unregister() during cleanup.  This appears to happen only
during an OOM condition on bcache_register.

Signed-off-by: Eric Wheeler &lt;bcache@linux.ewheeler.net&gt;
Cc: stable@vger.kernel.org
diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
@@ -1373,6 +1373,9 @@ static void cache_set_flush(struct closure *cl)
 	struct btree *b;
 	unsigned i;
 
+	if (!c)
+		closure_return(cl);
+
 	bch_cache_accounting_destroy(&c->accounting);
 
 	kobject_put(&c->internal);
