• Btrfs: fix memory and mount leak in btrfs_ioctl_rm_dev_v2() · fd4e994b
    Omar Sandoval authored
    If we have invalid flags set, when we error out we must drop our writer
    counter and free the buffer we allocated for the arguments. This bug is
    trivially reproduced with the following program on 4.7+:
    
    	#include <fcntl.h>
    	#include <stdint.h>
    	#include <stdio.h>
    	#include <stdlib.h>
    	#include <unistd.h>
    	#include <sys/ioctl.h>
    	#include <sys/stat.h>
    	#include <sys/types.h>
    	#include <linux/btrfs.h>
    	#include <linux/btrfs_tree.h>
    
    	int main(int argc, char **argv)
    	{
    		struct btrfs_ioctl_vol_args_v2 vol_args = {
    			.flags = UINT64_MAX,
    		};
    		int ret;
    		int fd;
    
    		if (argc != 2) {
    			fprintf(stderr, "usage: %s PATH\n", argv[0]);
    			return EXIT_FAILURE;
    		}
    
    		fd = open(argv[1], O_WRONLY);
    		if (fd == -1) {
    			perror("open");
    			return EXIT_FAILURE;
    		}
    
    		ret = ioctl(fd, BTRFS_IOC_RM_DEV_V2, &vol_args);
    		if (ret == -1)
    			perror("ioctl");
    
    		close(fd);
    		return EXIT_SUCCESS;
    	}
    
    When unmounting the filesystem, we'll hit the
    WARN_ON(mnt_get_writers(mnt)) in cleanup_mnt() and may also prevent the
    filesystem from being remounted read-only, as the writer count will stay
    lifted.
    
    Fixes: 6b526ed7 ("btrfs: introduce device delete by devid")
    CC: stable@vger.kernel.org # 4.9+
    Signed-off-by: Omar Sandoval <osandov@fb.com>
    Reviewed-by: Su Yue <suy.fnst@cn.fujitsu.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
ioctl.c 135 KB
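A userspace model of the error path the commit message describes, added here as an example and not taken from the kernel source or the commit itself. Every name in it (`rm_dev_leaky`, `rm_dev_fixed`, `MODEL_FLAGS_SUPPORTED`, the `writers` and `live_bufs` counters) is a hypothetical stand-in for the mount writer counter and the argument buffer; it shows why an early return on invalid flags leaves both held, and how a shared exit label releases them.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed userspace model; every name and the mask are assumptions. */
#define MODEL_FLAGS_SUPPORTED 0x1ULL
struct model_args { uint64_t flags; };
static int writers, live_bufs;  /* writer count; unfreed argument buffers */
static struct model_args slot;  /* stands in for the allocated copy */
static void want_write(void) { writers++; }
static void drop_write(void) { writers--; }
static void free_args(struct model_args *k) { (void)k; live_bufs--; }
static struct model_args *dup_args(const struct model_args *u) {
	slot = *u; live_bufs++; return &slot;
}

/* Before: the flag check returns directly and skips both releases. */
int rm_dev_leaky(const struct model_args *u)
{
	want_write();
	struct model_args *k = dup_args(u);
	if (k->flags & ~MODEL_FLAGS_SUPPORTED)
		return -EOPNOTSUPP;  /* buffer and writer count stay held */
	free_args(k);
	drop_write();
	return 0;
}

/* After: the same check unwinds through a shared exit label. */
int rm_dev_fixed(const struct model_args *u)
{
	int ret = 0;
	want_write();
	struct model_args *k = dup_args(u);
	if (k->flags & ~MODEL_FLAGS_SUPPORTED) {
		ret = -EOPNOTSUPP;
		goto out;
	}
	/* device removal would run here; omitted from the model */
out:
	free_args(k);
	drop_write();
	return ret;
}

int main(void) {
	struct model_args bad = { .flags = UINT64_MAX };
	int fixed = rm_dev_fixed(&bad), held = writers, leaky = rm_dev_leaky(&bad);
	printf("fixed=%d held=%d leaky=%d held=%d\n", fixed, held, leaky, writers);
	return 0;
}
```

Both variants return the same error to the caller, so the leak is invisible from the return value alone; only the counters differ.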