From patchwork Tue Apr  7 15:24:24 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Chris Mason <clm@fb.com>
X-Patchwork-Id: 6172811
Return-Path: <linux-btrfs-owner@kernel.org>
X-Original-To: patchwork-linux-btrfs@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id CD3A19F2E9
	for <patchwork-linux-btrfs@patchwork.kernel.org>;
	Tue,  7 Apr 2015 15:24:50 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id D0C7E2038D
	for <patchwork-linux-btrfs@patchwork.kernel.org>;
	Tue,  7 Apr 2015 15:24:49 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id D7C1A2035D
	for <patchwork-linux-btrfs@patchwork.kernel.org>;
	Tue,  7 Apr 2015 15:24:48 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754760AbbDGPYj (ORCPT
	<rfc822;patchwork-linux-btrfs@patchwork.kernel.org>);
	Tue, 7 Apr 2015 11:24:39 -0400
Received: from mx0a-00082601.pphosted.com ([67.231.145.42]:43130 "EHLO
	mx0a-00082601.pphosted.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1754710AbbDGPYj (ORCPT
	<rfc822;linux-btrfs@vger.kernel.org>);
	Tue, 7 Apr 2015 11:24:39 -0400
Received: from pps.filterd (m0004348 [127.0.0.1])
	by m0004348.ppops.net (8.14.5/8.14.5) with SMTP id t37FOZrf031341
	for <linux-btrfs@vger.kernel.org>; Tue, 7 Apr 2015 08:24:38 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fb.com;
	h=date : from : to : subject
	: message-id : references : mime-version : content-type : in-reply-to;
	s=facebook; bh=02smz43Og3jTeXzCGvGJxvg6urGxqkrYunhB0fmY2b0=;
	b=Oz25U05jqRXY89gEzQRhlThZwUks/iwbMcXn4K6VWEsDLXRPFIAvbmB3IGfWWlB9QBEd
	qDTyEKqIEsugvblf5OqHZDtJ0hxfCNCxHXZ9dew7OrjQJM8npdZDv4M1XZOurXHcqo9U
	8o/h2KMU05agw5jOqdvCk4es0ZAa1s9l8FI=
Received: from mail.thefacebook.com ([199.201.64.23])
	by m0004348.ppops.net with ESMTP id 1tmghpg62v-5
	(version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT)
	for <linux-btrfs@vger.kernel.org>; Tue, 07 Apr 2015 08:24:38 -0700
Received: from localhost (192.168.16.4) by mail.thefacebook.com
	(192.168.16.20) with Microsoft SMTP Server (TLS) id 14.3.195.1;
	Tue, 7 Apr 2015 08:24:26 -0700
Date: Tue, 7 Apr 2015 11:24:24 -0400
From: Chris Mason <clm@fb.com>
To: <linux-btrfs@vger.kernel.org>
Subject: [PATCH v2] Btrfs: fix use after free when close_ctree frees the
	orphan_rsv
Message-ID: <20150407152424.GA11741@ret.masoncoding.com>
Mail-Followup-To: Chris Mason <clm@fb.com>, linux-btrfs@vger.kernel.org
References: <20150407150926.GA10738@ret.masoncoding.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20150407150926.GA10738@ret.masoncoding.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-Originating-IP: [192.168.16.4]
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.13.68, 1.0.33,
	0.0.0000
	definitions=2015-04-07_04:2015-04-07, 2015-04-07,
	1970-01-01 signatures=0
Sender: linux-btrfs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-btrfs.vger.kernel.org>
X-Mailing-List: linux-btrfs@vger.kernel.org
X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,T_DKIM_INVALID,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY
	autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From 471717f48f9d853a6ced290d91e8b7f1d1c039da Mon Sep 17 00:00:00 2001
From: Chris Mason <clm@fb.com>
Date: Mon, 6 Apr 2015 18:17:00 -0700
Subject: [PATCH] Btrfs: fix use after free when close_ctree frees the
 orphan_rsv

Near the end of close_ctree, we're calling btrfs_free_block_rsv
to free up the orphan rsv.  The problem is this call updates the
space_info, which has already been freed.

This adds a new __ function that directly calls kfree instead of trying
to update the space infos.

Signed-off-by: Chris Mason <clm@fb.com>
---

 v1 -> v2: whoops, get __btrfs-free_block_rsv in the right commit

 fs/btrfs/ctree.h       | 1 +
 fs/btrfs/disk-io.c     | 2 +-
 fs/btrfs/extent-tree.c | 7 +++++++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
index e1800d4..21032ed 100644
--- a/fs/btrfs/ctree.h
+++ b/fs/btrfs/ctree.h
@@ -3488,6 +3488,7 @@ struct btrfs_block_rsv *btrfs_alloc_block_rsv(struct btrfs_root *root,
 					      unsigned short type);
 void btrfs_free_block_rsv(struct btrfs_root *root,
 			  struct btrfs_block_rsv *rsv);
+void __btrfs_free_block_rsv(struct btrfs_block_rsv *rsv);
 int btrfs_block_rsv_add(struct btrfs_root *root,
 			struct btrfs_block_rsv *block_rsv, u64 num_bytes,
 			enum btrfs_reserve_flush_enum flush);
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index bb589b5..a123626 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -3746,7 +3746,7 @@ void close_ctree(struct btrfs_root *root)
 
 	btrfs_free_stripe_hash_table(fs_info);
 
-	btrfs_free_block_rsv(root, root->orphan_block_rsv);
+	__btrfs_free_block_rsv(root->orphan_block_rsv);
 	root->orphan_block_rsv = NULL;
 
 	lock_chunks(root);
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 9a53afc..0f1be4a 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -4925,6 +4925,13 @@ void btrfs_free_block_rsv(struct btrfs_root *root,
 	kfree(rsv);
 }
 
+void __btrfs_free_block_rsv(struct btrfs_block_rsv *rsv)
+{
+	if (!rsv)
+		return;
+	kfree(rsv);
+}
+
 int btrfs_block_rsv_add(struct btrfs_root *root,
 			struct btrfs_block_rsv *block_rsv, u64 num_bytes,
 			enum btrfs_reserve_flush_enum flush)