linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Omar Sandoval <osandov@fb.com>,
	Su Yue <suy.fnst@cn.fujitsu.com>, David Sterba <dsterba@suse.com>
Subject: [PATCH 4.9 25/39] Btrfs: fix memory and mount leak in btrfs_ioctl_rm_dev_v2()
Date: Sun, 24 Jun 2018 23:24:12 +0800	[thread overview]
Message-ID: <20180624152354.825828413@linuxfoundation.org> (raw)
In-Reply-To: <20180624152352.038950449@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Omar Sandoval <osandov@fb.com>

commit fd4e994bd1f9dc9628e168a7f619bf69f6984635 upstream.

If we have invalid flags set, when we error out we must drop our writer
counter and free the buffer we allocated for the arguments. This bug is
trivially reproduced with the following program on 4.7+:

	#include <fcntl.h>
	#include <stdint.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <unistd.h>
	#include <sys/ioctl.h>
	#include <sys/stat.h>
	#include <sys/types.h>
	#include <linux/btrfs.h>
	#include <linux/btrfs_tree.h>

	int main(int argc, char **argv)
	{
		struct btrfs_ioctl_vol_args_v2 vol_args = {
			.flags = UINT64_MAX,
		};
		int ret;
		int fd;

		if (argc != 2) {
			fprintf(stderr, "usage: %s PATH\n", argv[0]);
			return EXIT_FAILURE;
		}

		fd = open(argv[1], O_WRONLY);
		if (fd == -1) {
			perror("open");
			return EXIT_FAILURE;
		}

		ret = ioctl(fd, BTRFS_IOC_RM_DEV_V2, &vol_args);
		if (ret == -1)
			perror("ioctl");

		close(fd);
		return EXIT_SUCCESS;
	}

When unmounting the filesystem, we'll hit the
WARN_ON(mnt_get_writers(mnt)) in cleanup_mnt() and also may prevent the
filesystem to be remounted read-only as the writer count will stay
lifted.

Fixes: 6b526ed70cf1 ("btrfs: introduce device delete by devid")
CC: stable@vger.kernel.org # 4.9+
Signed-off-by: Omar Sandoval <osandov@fb.com>
Reviewed-by: Su Yue <suy.fnst@cn.fujitsu.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/ioctl.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -2708,8 +2708,10 @@ static long btrfs_ioctl_rm_dev_v2(struct
 	}
 
 	/* Check for compatibility reject unknown flags */
-	if (vol_args->flags & ~BTRFS_VOL_ARG_V2_FLAGS_SUPPORTED)
-		return -EOPNOTSUPP;
+	if (vol_args->flags & ~BTRFS_VOL_ARG_V2_FLAGS_SUPPORTED) {
+		ret = -EOPNOTSUPP;
+		goto out;
+	}
 
 	if (atomic_xchg(&root->fs_info->mutually_exclusive_operation_running,
 			1)) {



  parent reply	other threads:[~2018-06-24 15:53 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-06-24 15:23 [PATCH 4.9 00/39] 4.9.110-stable review Greg Kroah-Hartman
2018-06-24 15:23 ` [PATCH 4.9 01/39] objtool: update .gitignore file Greg Kroah-Hartman
2018-06-24 15:23 ` [PATCH 4.9 03/39] netfilter: ebtables: handle string from userspace with care Greg Kroah-Hartman
2018-06-24 15:23 ` [PATCH 4.9 04/39] ipvs: fix buffer overflow with sync daemon and service Greg Kroah-Hartman
2018-06-24 15:23 ` [PATCH 4.9 05/39] iwlwifi: pcie: compare with number of IRQs requested for, not number of CPUs Greg Kroah-Hartman
2018-06-24 15:23 ` [PATCH 4.9 06/39] atm: zatm: fix memcmp casting Greg Kroah-Hartman
2018-06-24 15:23 ` [PATCH 4.9 09/39] net/sonic: Use dma_mapping_error() Greg Kroah-Hartman
2018-06-24 15:23 ` [PATCH 4.9 11/39] Revert "Btrfs: fix scrub to repair raid6 corruption" Greg Kroah-Hartman
2018-06-24 15:23 ` [PATCH 4.9 12/39] tcp: do not overshoot window_clamp in tcp_rcv_space_adjust() Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 13/39] Btrfs: make raid6 rebuild retry more Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 15/39] bonding: re-evaluate force_primary when the primary slave name changes Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 16/39] ipv6: allow PMTU exceptions to local routes Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 17/39] net/sched: act_simple: fix parsing of TCA_DEF_DATA Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 18/39] tcp: verify the checksum of the first data segment in a new connection Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 20/39] ext4: fix hole length detection in ext4_ind_map_blocks() Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 21/39] ext4: update mtime in ext4_punch_hole even if no blocks are released Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 22/39] ext4: fix fencepost error in check for inode count overflow during resize Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 23/39] driver core: Dont ignore class_dir_create_and_add() failure Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 24/39] Btrfs: fix clone vs chattr NODATASUM race Greg Kroah-Hartman
2018-06-24 15:24 ` Greg Kroah-Hartman [this message]
2018-06-24 15:24 ` [PATCH 4.9 26/39] btrfs: scrub: Dont use inode pages for device replace Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 27/39] ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream() Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 28/39] ALSA: hda: add dock and led support for HP EliteBook 830 G5 Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 29/39] ALSA: hda: add dock and led support for HP ProBook 640 G4 Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 30/39] smb3: on reconnect set PreviousSessionId field Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 31/39] cpufreq: Fix new policy initialization during limits updates via sysfs Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 32/39] libata: zpodd: make arrays cdb static, reduces object code size Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 33/39] libata: zpodd: small read overflow in eject_tray() Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 34/39] libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 35/39] w1: mxc_w1: Enable clock before calling clk_get_rate() on it Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 36/39] orangefs: set i_size on new symlink Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 37/39] HID: intel_ish-hid: ipc: register more pm callbacks to support hibernation Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 38/39] vhost: fix info leak due to uninitialized memory Greg Kroah-Hartman
2018-06-24 15:24 ` [PATCH 4.9 39/39] fs/binfmt_misc.c: do not allow offset overflow Greg Kroah-Hartman
2018-06-24 17:44 ` [PATCH 4.9 00/39] 4.9.110-stable review Nathan Chancellor
2018-06-25  0:55   ` Greg Kroah-Hartman
2018-06-25  5:06 ` Naresh Kamboju
2018-06-25  6:43   ` Greg Kroah-Hartman
2018-06-25 17:18 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180624152354.825828413@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=dsterba@suse.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=osandov@fb.com \
    --cc=stable@vger.kernel.org \
    --cc=suy.fnst@cn.fujitsu.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).