git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/5.0.4/btrfs-drop-the-lock-on-error-in-btrfs_dev_replace_cancel.patch
1 From 669e859b5ea7c6f4fce0149d3907c64e550c294b Mon Sep 17 00:00:00 2001
2 From: Dan Carpenter <dan.carpenter@oracle.com>
3 Date: Mon, 11 Feb 2019 21:32:10 +0300
4 Subject: btrfs: drop the lock on error in btrfs_dev_replace_cancel
5
6 From: Dan Carpenter <dan.carpenter@oracle.com>
7
8 commit 669e859b5ea7c6f4fce0149d3907c64e550c294b upstream.
9
10 We should drop the lock on this error path. This has been found by a
11 static tool.
12
13 The lock needs to be released, it's there to protect access to the
14 dev_replace members and is not supposed to be left locked. The value of
15 state that's being switched would need to be artificially changed to an
16 invalid value so the default: branch is taken.
17
18 Fixes: d189dd70e255 ("btrfs: fix use-after-free due to race between replace start and cancel")
19 CC: stable@vger.kernel.org # 5.0+
20 Reviewed-by: Anand Jain <anand.jain@oracle.com>
21 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
22 Reviewed-by: David Sterba <dsterba@suse.com>
23 Signed-off-by: David Sterba <dsterba@suse.com>
24 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
25
26 ---
27 fs/btrfs/dev-replace.c | 1 +
28 1 file changed, 1 insertion(+)
29
30 --- a/fs/btrfs/dev-replace.c
31 +++ b/fs/btrfs/dev-replace.c
32 @@ -862,6 +862,7 @@ int btrfs_dev_replace_cancel(struct btrf
33 btrfs_destroy_dev_replace_tgtdev(tgt_device);
34 break;
35 default:
36 + up_write(&dev_replace->rwsem);
37 result = -EINVAL;
38 }
39
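Review bot: the default: branch carries no comment saying it is only reachable when the state holds an invalid value, which is what the commit message states; a one-line comment above up_write(&dev_replace->rwsem) would record that for the next reader. Since the release sits inside the case rather than after the closing brace of the switch, any case added later can leave the rwsem held in the same way, so consider routing all cases through one common unlock point, or at least noting in the switch that every branch must drop the lock before leaving.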