diff options
| author | Ilya Dryomov <idryomov@gmail.com> | 2013-10-02 13:41:01 -0400 |
|---|---|---|
| committer | Josef Bacik <jbacik@fusionio.com> | 2013-10-04 16:02:14 -0400 |
| commit | 1357272fc7deeebb7b3c5d1a071562edc273cdaf (patch) | |
| tree | 37af6be54b03e07b4fb06a2ddc4c5ac739c53032 /fs | |
| parent | 964fb15acfcd672ac691f04879b71f07ccc21e0c (diff) | |
Btrfs: fix a use-after-free bug in btrfs_dev_replace_finishing
free_device rcu callback, scheduled from btrfs_rm_dev_replace_srcdev,
can be processed before btrfs_scratch_superblock is called, which would
result in a use-after-free on btrfs_device contents. Fix this by
zeroing the superblock before the rcu callback is registered.
Cc: Stefan Behrens <sbehrens@giantdisaster.de>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Josef Bacik <jbacik@fusionio.com>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/btrfs/dev-replace.c | 5 | ||||
| -rw-r--r-- | fs/btrfs/volumes.c | 7 |
2 files changed, 7 insertions, 5 deletions
diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c index 5d844438b2d4..2a9bd5bd24c3 100644 --- a/fs/btrfs/dev-replace.c +++ b/fs/btrfs/dev-replace.c | |||
| @@ -535,10 +535,7 @@ static int btrfs_dev_replace_finishing(struct btrfs_fs_info *fs_info, | |||
| 535 | list_add(&tgt_device->dev_alloc_list, &fs_info->fs_devices->alloc_list); | 535 | list_add(&tgt_device->dev_alloc_list, &fs_info->fs_devices->alloc_list); |
| 536 | 536 | ||
| 537 | btrfs_rm_dev_replace_srcdev(fs_info, src_device); | 537 | btrfs_rm_dev_replace_srcdev(fs_info, src_device); |
| 538 | if (src_device->bdev) { | 538 | |
| 539 | /* zero out the old super */ | ||
| 540 | btrfs_scratch_superblock(src_device); | ||
| 541 | } | ||
| 542 | /* | 539 | /* |
| 543 | * this is again a consistent state where no dev_replace procedure | 540 | * this is again a consistent state where no dev_replace procedure |
| 544 | * is running, the target device is part of the filesystem, the | 541 | * is running, the target device is part of the filesystem, the |
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index 043114749516..b0203b1322ac 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c | |||
| @@ -1716,6 +1716,7 @@ void btrfs_rm_dev_replace_srcdev(struct btrfs_fs_info *fs_info, | |||
| 1716 | struct btrfs_device *srcdev) | 1716 | struct btrfs_device *srcdev) |
| 1717 | { | 1717 | { |
| 1718 | WARN_ON(!mutex_is_locked(&fs_info->fs_devices->device_list_mutex)); | 1718 | WARN_ON(!mutex_is_locked(&fs_info->fs_devices->device_list_mutex)); |
| 1719 | |||
| 1719 | list_del_rcu(&srcdev->dev_list); | 1720 | list_del_rcu(&srcdev->dev_list); |
| 1720 | list_del_rcu(&srcdev->dev_alloc_list); | 1721 | list_del_rcu(&srcdev->dev_alloc_list); |
| 1721 | fs_info->fs_devices->num_devices--; | 1722 | fs_info->fs_devices->num_devices--; |
| @@ -1725,9 +1726,13 @@ void btrfs_rm_dev_replace_srcdev(struct btrfs_fs_info *fs_info, | |||
| 1725 | } | 1726 | } |
| 1726 | if (srcdev->can_discard) | 1727 | if (srcdev->can_discard) |
| 1727 | fs_info->fs_devices->num_can_discard--; | 1728 | fs_info->fs_devices->num_can_discard--; |
| 1728 | if (srcdev->bdev) | 1729 | if (srcdev->bdev) { |
| 1729 | fs_info->fs_devices->open_devices--; | 1730 | fs_info->fs_devices->open_devices--; |
| 1730 | 1731 | ||
| 1732 | /* zero out the old super */ | ||
| 1733 | btrfs_scratch_superblock(srcdev); | ||
| 1734 | } | ||
| 1735 | |||
| 1731 | call_rcu(&srcdev->rcu, free_device); | 1736 | call_rcu(&srcdev->rcu, free_device); |
| 1732 | } | 1737 | } |
| 1733 | 1738 | ||