btrfs: revert fs_devices state on error of btrfs_init_new_device
When btrfs hits error after modifying fs_devices in
btrfs_init_new_device() (such as btrfs_add_dev_item() returns error), it
leaves everything as is, but frees allocated btrfs_device. As a result,
fs_devices->devices and fs_devices->alloc_list contain already freed
btrfs_device, leading to later use-after-free bug.
The error path also leaves counters such as ->num_devices modified. While
they go back to their original values once the btrfs devices are unscanned,
it is safe to revert them here.
Fixes: 79787eaab4
("btrfs: replace many BUG_ONs with proper error handling")
Signed-off-by: Naohiro Aota <naota@elisp.net>
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
parent
64f64f43c8
commit
39379faaad
|
@ -2321,7 +2321,8 @@ int btrfs_init_new_device(struct btrfs_fs_info *fs_info, const char *device_path
|
|||
struct super_block *sb = fs_info->sb;
|
||||
struct rcu_string *name;
|
||||
struct btrfs_fs_devices *fs_devices = fs_info->fs_devices;
|
||||
u64 tmp;
|
||||
u64 orig_super_total_bytes;
|
||||
u64 orig_super_num_devices;
|
||||
int seeding_dev = 0;
|
||||
int ret = 0;
|
||||
bool unlocked = false;
|
||||
|
@ -2417,12 +2418,14 @@ int btrfs_init_new_device(struct btrfs_fs_info *fs_info, const char *device_path
|
|||
if (!blk_queue_nonrot(q))
|
||||
fs_devices->rotating = 1;
|
||||
|
||||
tmp = btrfs_super_total_bytes(fs_info->super_copy);
|
||||
orig_super_total_bytes = btrfs_super_total_bytes(fs_info->super_copy);
|
||||
btrfs_set_super_total_bytes(fs_info->super_copy,
|
||||
round_down(tmp + device->total_bytes, fs_info->sectorsize));
|
||||
round_down(orig_super_total_bytes + device->total_bytes,
|
||||
fs_info->sectorsize));
|
||||
|
||||
tmp = btrfs_super_num_devices(fs_info->super_copy);
|
||||
btrfs_set_super_num_devices(fs_info->super_copy, tmp + 1);
|
||||
orig_super_num_devices = btrfs_super_num_devices(fs_info->super_copy);
|
||||
btrfs_set_super_num_devices(fs_info->super_copy,
|
||||
orig_super_num_devices + 1);
|
||||
|
||||
/* add sysfs device entry */
|
||||
btrfs_sysfs_add_device_link(fs_devices, device);
|
||||
|
@ -2502,6 +2505,22 @@ int btrfs_init_new_device(struct btrfs_fs_info *fs_info, const char *device_path
|
|||
|
||||
error_sysfs:
|
||||
btrfs_sysfs_rm_device_link(fs_devices, device);
|
||||
mutex_lock(&fs_info->fs_devices->device_list_mutex);
|
||||
mutex_lock(&fs_info->chunk_mutex);
|
||||
list_del_rcu(&device->dev_list);
|
||||
list_del(&device->dev_alloc_list);
|
||||
fs_info->fs_devices->num_devices--;
|
||||
fs_info->fs_devices->open_devices--;
|
||||
fs_info->fs_devices->rw_devices--;
|
||||
fs_info->fs_devices->total_devices--;
|
||||
fs_info->fs_devices->total_rw_bytes -= device->total_bytes;
|
||||
atomic64_sub(device->total_bytes, &fs_info->free_chunk_space);
|
||||
btrfs_set_super_total_bytes(fs_info->super_copy,
|
||||
orig_super_total_bytes);
|
||||
btrfs_set_super_num_devices(fs_info->super_copy,
|
||||
orig_super_num_devices);
|
||||
mutex_unlock(&fs_info->chunk_mutex);
|
||||
mutex_unlock(&fs_info->fs_devices->device_list_mutex);
|
||||
error_trans:
|
||||
if (seeding_dev)
|
||||
sb->s_flags |= SB_RDONLY;
|
||||
|
|
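Review bot: In the new `error_sysfs` rollback, `list_del_rcu(&device->dev_list)` only unlinks the device, so a reader still walking `fs_devices->devices` under RCU can keep a pointer to it; if the error path below this hunk then frees the device directly (the commit message says it is freed), the use-after-free this commit targets may remain for such readers. Consider waiting for a grace period before the free, for example `synchronize_rcu();` after the final `mutex_unlock(&fs_info->fs_devices->device_list_mutex);`, or confirm that no lockless reader can reach the list at this point. The rollback also leaves `fs_devices->rotating = 1` from the second hunk in place, and it spells `fs_info->fs_devices` where the local `fs_devices` is already used one line above in `btrfs_sysfs_rm_device_link(fs_devices, device);`. The body of `btrfs_init_new_device()` continues outside the visible hunks, so the free itself could not be checked here.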