    Btrfs: fix memory and mount leak in btrfs_ioctl_rm_dev_v2() · 5f7e3b5b
    Omar Sandoval authored
    commit fd4e994b upstream.
    
    If we have invalid flags set, when we error out we must drop our writer
    counter and free the buffer we allocated for the arguments. This bug is
    trivially reproduced with the following program on 4.7+:
    
    	#include <fcntl.h>
    	#include <stdint.h>
    	#include <stdio.h>
    	#include <stdlib.h>
    	#include <unistd.h>
    	#include <sys/ioctl.h>
    	#include <sys/stat.h>
    	#include <sys/types.h>
    	#include <linux/btrfs.h>
    	#include <linux/btrfs_tree.h>
    
    	int main(int argc, char **argv)
    	{
    		struct btrfs_ioctl_vol_args_v2 vol_args = {
    			.flags = UINT64_MAX,
    		};
    		int ret;
    		int fd;
    
    		if (argc != 2) {
    			fprintf(stderr, "usage: %s PATH\n", argv[0]);
    			return EXIT_FAILURE;
    		}
    
    		fd = open(argv[1], O_WRONLY);
    		if (fd == -1) {
    			perror("open");
    			return EXIT_FAILURE;
    		}
    
    		ret = ioctl(fd, BTRFS_IOC_RM_DEV_V2, &vol_args);
    		if (ret == -1)
    			perror("ioctl");
    
    		close(fd);
    		return EXIT_SUCCESS;
    	}
    
    When unmounting the filesystem, we'll hit the
    WARN_ON(mnt_get_writers(mnt)) in cleanup_mnt() and may also prevent the
    filesystem from being remounted read-only, as the writer count will stay
    lifted.
    
    Fixes: 6b526ed7 ("btrfs: introduce device delete by devid")
    CC: stable@vger.kernel.org # 4.9+
    Signed-off-by: Omar Sandoval <osandov@fb.com>
    Reviewed-by: Su Yue <suy.fnst@cn.fujitsu.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ioctl.c 137 KB
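
The error-path rule from the commit message, as an added user-space model (not the kernel's btrfs code and not part of the commit): the leaky variant returns on invalid flags while still holding the writer count and the argument buffer, and the fixed variant releases both on every exit. `writers`, `arg_buf`, `SUPPORTED_FLAGS` and all function names are hypothetical stand-ins.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define SUPPORTED_FLAGS UINT64_C(0x1)	/* hypothetical mask of valid flags */
static int writers;		/* models the mount's writer count */
static uint64_t *arg_buf;	/* models the buffer holding the copied arguments */

static int acquire(uint64_t flags)
{
	arg_buf = malloc(sizeof(*arg_buf));
	if (!arg_buf)
		return -ENOMEM;
	*arg_buf = flags;
	writers++;
	return 0;
}

static void release(void)
{
	free(arg_buf);
	arg_buf = NULL;
	writers--;
}

/* Before: the flag check returns directly and skips release(). */
int rm_dev_leaky(uint64_t flags)
{
	int ret = acquire(flags);
	if (ret)
		return ret;
	if (*arg_buf & ~SUPPORTED_FLAGS)
		return -EOPNOTSUPP;
	release();	/* device removal would run before this */
	return 0;
}

/* After: every exit past acquire() passes through release(). */
int rm_dev_fixed(uint64_t flags)
{
	int ret = acquire(flags);
	if (ret)
		return ret;
	if (*arg_buf & ~SUPPORTED_FLAGS)
		ret = -EOPNOTSUPP;
	release();	/* device removal would run before this when ret == 0 */
	return ret;
}

int outstanding(void) { return writers + (arg_buf != NULL); } /* 0 = clean exit */
```

A nonzero `outstanding()` after a failed call corresponds to the lifted writer count that trips the `WARN_ON(mnt_get_writers(mnt))` described in the commit message.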