
Commit 39379fa

naotakdave
authored andcommitted
btrfs: revert fs_devices state on error of btrfs_init_new_device
When btrfs hits an error after modifying fs_devices in btrfs_init_new_device() (such as btrfs_add_dev_item() returning an error), it leaves everything as is, but frees the allocated btrfs_device. As a result, fs_devices->devices and fs_devices->alloc_list contain an already freed btrfs_device, leading to a later use-after-free bug. The error path also leaves counters such as ->num_devices modified. While they go back to their original values by unscanning btrfs devices, it is safe to revert them here. Fixes: 79787ea ("btrfs: replace many BUG_ONs with proper error handling") Signed-off-by: Naohiro Aota <naota@elisp.net> Reviewed-by: Filipe Manana <fdmanana@suse.com> Signed-off-by: David Sterba <dsterba@suse.com>
1 parent 64f64f4 commit 39379fa

1 file changed

+24
-5
lines changed


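--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -2321,7 +2321,8 @@ int btrfs_init_new_device(struct btrfs_fs_info *fs_info, const char *device_path
 struct super_block *sb = fs_info->sb;
 struct rcu_string *name;
 struct btrfs_fs_devices *fs_devices = fs_info->fs_devices;
-u64 tmp;
+u64 orig_super_total_bytes;
+u64 orig_super_num_devices;
 int seeding_dev = 0;
 int ret = 0;
 bool unlocked = false;
@@ -2417,12 +2418,14 @@ int btrfs_init_new_device(struct btrfs_fs_info *fs_info, const char *device_path
 if (!blk_queue_nonrot(q))
 fs_devices->rotating = 1;
 
-tmp = btrfs_super_total_bytes(fs_info->super_copy);
+orig_super_total_bytes = btrfs_super_total_bytes(fs_info->super_copy);
 btrfs_set_super_total_bytes(fs_info->super_copy,
-round_down(tmp + device->total_bytes, fs_info->sectorsize));
+round_down(orig_super_total_bytes + device->total_bytes,
+fs_info->sectorsize));
 
-tmp = btrfs_super_num_devices(fs_info->super_copy);
-btrfs_set_super_num_devices(fs_info->super_copy, tmp + 1);
+orig_super_num_devices = btrfs_super_num_devices(fs_info->super_copy);
+btrfs_set_super_num_devices(fs_info->super_copy,
+orig_super_num_devices + 1);
 
 /* add sysfs device entry */
 btrfs_sysfs_add_device_link(fs_devices, device);
@@ -2502,6 +2505,22 @@ int btrfs_init_new_device(struct btrfs_fs_info *fs_info, const char *device_path
 
 error_sysfs:
 btrfs_sysfs_rm_device_link(fs_devices, device);
+mutex_lock(&fs_info->fs_devices->device_list_mutex);
+mutex_lock(&fs_info->chunk_mutex);
+list_del_rcu(&device->dev_list);
+list_del(&device->dev_alloc_list);
+fs_info->fs_devices->num_devices--;
+fs_info->fs_devices->open_devices--;
+fs_info->fs_devices->rw_devices--;
+fs_info->fs_devices->total_devices--;
+fs_info->fs_devices->total_rw_bytes -= device->total_bytes;
+atomic64_sub(device->total_bytes, &fs_info->free_chunk_space);
+btrfs_set_super_total_bytes(fs_info->super_copy,
+orig_super_total_bytes);
+btrfs_set_super_num_devices(fs_info->super_copy,
+orig_super_num_devices);
+mutex_unlock(&fs_info->chunk_mutex);
+mutex_unlock(&fs_info->fs_devices->device_list_mutex);
 error_trans:
 if (seeding_dev)
 sb->s_flags |= SB_RDONLY;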
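Review bot: The new unwind under `error_sysfs:` (new-side lines 2508–2523) spells out `fs_info->fs_devices->` on every line, while the line directly above it and the rest of the function use the local `fs_devices` that the first hunk assigns from the same field; writing it as `mutex_lock(&fs_devices->device_list_mutex);`, `fs_devices->num_devices--;` and so on for the remaining fields and the unlock keeps the lock/unlock pair and the counters on the same pointer the rest of the function already uses. `list_del_rcu(&device->dev_list)` only stops new RCU readers from finding the device; if the release further down the error path is a plain free rather than an RCU-deferred one, a reader that already holds the pointer from dev_list could still touch freed memory, so that is worth confirming against how the device is freed later in this function. The second hunk's `fs_devices->rotating = 1` is not reverted here either; if leaving it is deliberate (the commit message relies on an unscan to restore remaining state), a one-line comment such as `/* rotating is intentionally not restored here */` next to the unwind would record that. btrfs_init_new_device begins before the first hunk and ends after the last one.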
