From: Sasha Levin <sasha.levin@oracle.com>
Date: Tue, 12 May 2015 23:31:37 +0000 (-0400)
Subject: btrfs: use after free when closing devices
X-Git-Tag: firefly_0821_release~176^2~1298^2~75
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=2037a0933bc2894a2f50ae57a1ccf6be192adb76;p=firefly-linux-kernel-4.4.55.git

btrfs: use after free when closing devices

__btrfs_close_devices() would call_rcu to free the device, which is racy with
list_for_each_entry() accessing the memory to retrieve the next device on the
list.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Chris Mason <clm@fb.com>
---

diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index 403ed1fdd901..c99f29a52e0b 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -693,13 +693,13 @@ static void free_device(struct rcu_head *head)
 
 static int __btrfs_close_devices(struct btrfs_fs_devices *fs_devices)
 {
-	struct btrfs_device *device;
+	struct btrfs_device *device, *tmp;
 
 	if (--fs_devices->opened > 0)
 		return 0;
 
 	mutex_lock(&fs_devices->device_list_mutex);
-	list_for_each_entry(device, &fs_devices->devices, dev_list) {
+	list_for_each_entry_safe(device, tmp, &fs_devices->devices, dev_list) {
 		struct btrfs_device *new_device;
 		struct rcu_string *name;