On Tue, May 22, 2018 at 03:44:01PM -0700, Omar Sandoval wrote:
> From: Omar Sandoval <osandov@xxxxxx>
>
> If we have invalid flags set, when we error out we must drop our writer
> counter and free the buffer we allocated for the arguments. This bug is
> trivially reproduced with the following program:
>
> #include <fcntl.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <unistd.h>
> #include <sys/ioctl.h>
> #include <sys/stat.h>
> #include <sys/types.h>
> #include <linux/btrfs.h>
> #include <linux/btrfs_tree.h>
>
> int main(int argc, char **argv)
> {
> struct btrfs_ioctl_vol_args_v2 vol_args = {
> .flags = UINT64_MAX,
> };
> int ret;
> int fd;
>
> if (argc != 2) {
> fprintf(stderr, "usage: %s PATH\n", argv[0]);
> return EXIT_FAILURE;
> }
>
> fd = open(argv[1], O_WRONLY);
> if (fd == -1) {
> perror("open");
> return EXIT_FAILURE;
> }
>
> ret = ioctl(fd, BTRFS_IOC_RM_DEV_V2, &vol_args);
> if (ret == -1)
> perror("ioctl");
>
> close(fd);
> return EXIT_SUCCESS;
> }
>
> When unmounting the filesystem, we'll hit the
> WARN_ON(mnt_get_writers(mnt)) in cleanup_mnt().
>
> Fixes: 6b526ed70cf1 ("btrfs: introduce device delete by devid")
> Signed-off-by: Omar Sandoval <osandov@xxxxxx>
Reviewed-by: David Sterba <dsterba@xxxxxxxx>
> ---
> Sigh, I keep stepping in these ioctl bugs just trying to get my swap
> file series ready.
This was the last one, pinky swear.
> This one is based on top of my "Btrfs: fix partly
> checksummed file races" series, although it should apply to for-next
> without it +/- some moved lines.
Applies cleanly, thanks.
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
