Btrfs: fix potential use-after-free for cloned bio

Liu Bo · kdave · commit a967efb30b3a · 2017-04-11T18:49:56.000+02:00
KASAN reports that there is a use-after-free case of bio in btrfs_map_bio.

If we need to submit IOs to several disks at a time, the original bio
would get cloned and mapped to the destination disk, but we really should
use the original bio instead of a cloned bio to do the sanity check
because cloned bios are likely to be freed by its endio.

Reported-by: Diego &lt;diegocg@gmail.com&gt;
Signed-off-by: Liu Bo &lt;bo.li.liu@oracle.com&gt;
Reviewed-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
@@ -6213,7 +6213,7 @@ int btrfs_map_bio(struct btrfs_fs_info *fs_info, struct bio *bio,
 	for (dev_nr = 0; dev_nr < total_devs; dev_nr++) {
 		dev = bbio->stripes[dev_nr].dev;
 		if (!dev || !dev->bdev ||
-		    (bio_op(bio) == REQ_OP_WRITE && !dev->writeable)) {
+		    (bio_op(first_bio) == REQ_OP_WRITE && !dev->writeable)) {
 			bbio_error(bbio, first_bio, logical);
 			continue;
 		}

Original file line number	Diff line number	Diff line change
`@@ -6213,7 +6213,7 @@ int btrfs_map_bio(struct btrfs_fs_info fs_info, struct bio bio,`
`6213`	`6213`	`for (dev_nr = 0; dev_nr < total_devs; dev_nr++) {`
`6214`	`6214`	`dev = bbio->stripes[dev_nr].dev;`
`6215`	`6215`	`if (!dev \|\| !dev->bdev \|\|`
`6216`		`- (bio_op(bio) == REQ_OP_WRITE && !dev->writeable)) {`
	`6216`	`+ (bio_op(first_bio) == REQ_OP_WRITE && !dev->writeable)) {`
`6217`	`6217`	`bbio_error(bbio, first_bio, logical);`
`6218`	`6218`	`continue;`
`6219`	`6219`	`}`