!10722 btrfs: zoned: fix use-after-free in do_zone_finish() (38d6c7af) · Commits · EulixOS / Software / Kernel

fs/btrfs/zoned.c

+7 −7

Original line number	Diff line number	Diff line
		@@ -1476,11 +1476,7 @@ int btrfs_load_block_group_zone_info(struct btrfs_block_group *cache, bool new)

		map = em->map_lookup;

		cache->physical_map = kmemdup(map, map_lookup_size(map->num_stripes), GFP_NOFS);
		if (!cache->physical_map) {
		ret = -ENOMEM;
		goto out;
		}
		cache->physical_map = map;

		zone_info = kcalloc(map->num_stripes, sizeof(*zone_info), GFP_NOFS);
		if (!zone_info) {
		@@ -1583,7 +1579,6 @@ int btrfs_load_block_group_zone_info(struct btrfs_block_group *cache, bool new)
		}
		bitmap_free(active);
		kfree(zone_info);
		free_extent_map(em);

		return ret;
		}
		@@ -2084,6 +2079,7 @@ static int do_zone_finish(struct btrfs_block_group *block_group, bool fully_writ
		struct map_lookup *map;
		const bool is_metadata = (block_group->flags &
		(BTRFS_BLOCK_GROUP_METADATA \| BTRFS_BLOCK_GROUP_SYSTEM));
		struct btrfs_dev_replace *dev_replace = &fs_info->dev_replace;
		int ret = 0;
		int i;

		@@ -2159,6 +2155,7 @@ static int do_zone_finish(struct btrfs_block_group *block_group, bool fully_writ
		btrfs_clear_data_reloc_bg(block_group);
		spin_unlock(&block_group->lock);

		down_read(&dev_replace->rwsem);
		map = block_group->physical_map;
		for (i = 0; i < map->num_stripes; i++) {
		struct btrfs_device *device = map->stripes[i].dev;
		@@ -2173,13 +2170,16 @@ static int do_zone_finish(struct btrfs_block_group *block_group, bool fully_writ
		zinfo->zone_size >> SECTOR_SHIFT,
		GFP_NOFS);

		if (ret)
		if (ret) {
		up_read(&dev_replace->rwsem);
		return ret;
		}

		if (!(block_group->flags & BTRFS_BLOCK_GROUP_DATA))
		zinfo->reserved_active_zones++;
		btrfs_dev_clear_active_zone(device, physical);
		}
		up_read(&dev_replace->rwsem);

		if (!fully_written)
		btrfs_dec_block_group_ro(block_group);