linux/fs/btrfs
Dongliang Mu 79c9234ba5 btrfs: don't access possibly stale fs_info data in device_list_add
Syzbot reported a possible use-after-free in printing information
in device_list_add.

Very similar to the bug fixed by commit 0697d9a610 ("btrfs: don't
access possibly stale fs_info data for printing duplicate device"),
but this time the use occurs in btrfs_info_in_rcu.

  Call Trace:
   kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
   btrfs_printk+0x395/0x425 fs/btrfs/super.c:244
   device_list_add.cold+0xd7/0x2ed fs/btrfs/volumes.c:957
   btrfs_scan_one_device+0x4c7/0x5c0 fs/btrfs/volumes.c:1387
   btrfs_control_ioctl+0x12a/0x2d0 fs/btrfs/super.c:2409
   vfs_ioctl fs/ioctl.c:51 [inline]
   __do_sys_ioctl fs/ioctl.c:874 [inline]
   __se_sys_ioctl fs/ioctl.c:860 [inline]
   __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x44/0xae

Fix this by modifying device->fs_info to NULL too.

Reported-and-tested-by: syzbot+82650a4e0ed38f218363@syzkaller.appspotmail.com
CC: stable@vger.kernel.org # 4.19+
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
2022-03-14 13:13:54 +01:00
tests btrfs: assert we have a write lock when removing and replacing extent maps 2022-03-14 13:13:50 +01:00
acl.c overlayfs update for 5.15 2021-09-02 09:21:27 -07:00
async-thread.c btrfs: fix memory ordering between normal and ordered work functions 2021-11-16 16:50:23 +01:00
async-thread.h Btrfs: fix crash during unmount due to race with delayed inode workers 2020-03-23 17:01:51 +01:00
backref.c btrfs: unify the error handling pattern for read_tree_block() 2022-03-14 13:13:53 +01:00
backref.h btrfs: remove ignore_offset argument from btrfs_find_all_roots() 2021-08-23 13:19:01 +02:00
block-group.c btrfs: zoned: mark relocation as writing 2022-03-14 13:13:53 +01:00
block-group.h btrfs: add support for multiple global roots 2022-03-14 13:13:49 +01:00
block-rsv.c btrfs: reserve extra space for the free space tree 2022-01-07 14:18:25 +01:00
block-rsv.h btrfs: init root block_rsv at init root time 2022-01-03 15:09:48 +01:00
btrfs_inode.h btrfs: reset last_reflink_trans after fsyncing inode 2022-03-14 13:13:52 +01:00
check-integrity.c btrfs: check-integrity: stop storing the block device name in btrfsic_dev_state 2021-10-26 19:08:07 +02:00
check-integrity.h btrfs: remove btrfsic_submit_bh() 2020-03-23 17:01:39 +01:00
compression.c btrfs: do not double complete bio on errors during compressed reads 2022-03-14 13:13:51 +01:00
compression.h btrfs: track compressed bio errors as blk_status_t 2022-03-14 13:13:51 +01:00
ctree.c btrfs: unify the error handling of btrfs_read_buffer() 2022-03-14 13:13:53 +01:00
ctree.h btrfs: pass btrfs_fs_info to btrfs_recover_relocation 2022-03-14 13:13:52 +01:00
delalloc-space.c btrfs: support different disk extent size for delalloc 2022-03-14 13:13:51 +01:00
delalloc-space.h btrfs: make btrfs_delalloc_reserve_space take btrfs_inode 2020-07-27 12:55:36 +02:00
delayed-inode.c btrfs: add an inode-item.h 2022-01-07 14:18:23 +01:00
delayed-inode.h btrfs: make btrfs_delayed_update_inode take btrfs_inode 2020-12-08 15:54:10 +01:00
delayed-ref.c btrfs: reserve extra space for the free space tree 2022-01-07 14:18:25 +01:00
delayed-ref.h btrfs: make btrfs_ref::real_root optional 2021-10-26 19:08:06 +02:00
dev-replace.c btrfs: add device major-minor info in the struct btrfs_device 2022-03-14 13:13:47 +01:00
dev-replace.h btrfs: zoned: mark block groups to copy for device-replace 2021-02-09 02:46:07 +01:00
dir-item.c btrfs: drop the _nr from the item helpers 2022-01-03 15:09:43 +01:00
discard.c btrfs: fix typos in comments 2021-06-22 14:11:57 +02:00
discard.h btrfs: cleanup btrfs_discard_update_discardable usage 2020-12-08 15:54:02 +01:00
disk-io.c btrfs: verify the tranisd of the to-be-written dirty extent buffer 2022-03-14 13:13:53 +01:00
disk-io.h btrfs: add code to support the block group root 2022-03-14 13:13:48 +01:00
export.c btrfs: locking: rip out path->leave_spinning 2020-12-08 15:54:02 +01:00
export.h btrfs: export helpers for subvolume name/id resolution 2020-03-23 17:01:42 +01:00
extent_io.c btrfs: do not clean up repair bio if submit fails 2022-03-14 13:13:52 +01:00
extent_io.h btrfs: cleanup for extent_write_locked_range() 2021-10-26 19:08:04 +02:00
extent_map.c btrfs: assert we have a write lock when removing and replacing extent maps 2022-03-14 13:13:50 +01:00
extent_map.h btrfs: defrag: don't use merged extent map for their generation check 2022-02-23 17:43:13 +01:00
extent-io-tree.h btrfs: use fixed width int type for extent_state::state 2020-12-08 15:54:13 +01:00
extent-tree.c btrfs: factor out do_free_extent_accounting helper 2022-03-14 13:13:53 +01:00
file-item.c btrfs: handle csum lookup errors properly on reads 2022-03-14 13:13:51 +01:00
file.c btrfs: reset last_reflink_trans after fsyncing inode 2022-03-14 13:13:52 +01:00
free-space-cache.c btrfs: add inode to truncate control 2022-01-07 14:18:24 +01:00
free-space-cache.h btrfs: change name and type of private member of btrfs_free_space_ctl 2022-01-03 15:09:50 +01:00
free-space-tree.c btrfs: add support for multiple global roots 2022-03-14 13:13:49 +01:00
free-space-tree.h
inode-item.c btrfs: make should_throttle loop local in btrfs_truncate_inode_items 2022-01-07 14:18:25 +01:00
inode-item.h btrfs: add inode to truncate control 2022-01-07 14:18:24 +01:00
inode.c btrfs: reset last_reflink_trans after fsyncing inode 2022-03-14 13:13:52 +01:00
ioctl.c btrfs: add BTRFS_IOC_ENCODED_WRITE 2022-03-14 13:13:51 +01:00
Kconfig btrfs: use generic Kconfig option for 256kB page size limit 2022-01-20 08:52:55 +02:00
locking.c btrfs: fix typos in comments 2021-06-22 14:11:57 +02:00
locking.h btrfs: assert that extent buffers are write locked instead of only locked 2021-10-26 19:08:02 +02:00
lzo.c btrfs: add lzo workspace buffer length constants 2022-03-14 13:13:50 +01:00
Makefile btrfs: remove reada infrastructure 2022-01-07 14:18:26 +01:00
misc.h btrfs: use correct header for div_u64 in misc.h 2021-09-07 14:29:50 +02:00
ordered-data.c btrfs: add BTRFS_IOC_ENCODED_WRITE 2022-03-14 13:13:51 +01:00
ordered-data.h btrfs: add BTRFS_IOC_ENCODED_WRITE 2022-03-14 13:13:51 +01:00
orphan.c
print-tree.c btrfs: unify the error handling pattern for read_tree_block() 2022-03-14 13:13:53 +01:00
print-tree.h btrfs: print the actual offset in btrfs_root_name 2021-01-07 17:25:05 +01:00
props.c btrfs: change root to fs_info for btrfs_reserve_metadata_bytes 2022-01-03 15:09:45 +01:00
props.h
qgroup.c btrfs: qgroup: remove outdated TODO comments 2022-03-14 13:13:50 +01:00
qgroup.h btrfs: fix lock inversion problem when doing qgroup extent tracing 2021-07-22 15:50:07 +02:00
raid56.c btrfs: remove btrfs_raid_bio::fs_info member 2021-10-26 19:08:03 +02:00
raid56.h btrfs: remove btrfs_raid_bio::fs_info member 2021-10-26 19:08:03 +02:00
rcu-string.h btrfs: rcu-string: Replace zero-length array with flexible-array member 2020-03-23 17:01:53 +01:00
ref-verify.c btrfs: stop accessing ->extent_root directly 2022-01-03 15:09:49 +01:00
ref-verify.h
reflink.c btrfs: remove the cross file system checks from remap 2022-03-14 13:13:52 +01:00
reflink.h Btrfs: move all reflink implementation code into its own file 2020-03-23 17:01:54 +01:00
relocation.c btrfs: unify the error handling pattern for read_tree_block() 2022-03-14 13:13:53 +01:00
root-tree.c btrfs: do not start relocation until in progress drops are done 2022-03-02 16:52:39 +01:00
scrub.c btrfs: scrub: remove redundant initialization of increment 2022-03-14 13:13:47 +01:00
send.c btrfs: send: remove redundant ret variable in fs_path_copy 2022-03-14 13:13:47 +01:00
send.h btrfs: reuse existing inode from btrfs_ioctl 2022-03-14 13:13:46 +01:00
space-info.c btrfs: add lockdep_assert_held to need_preemptive_reclaim 2022-03-14 13:13:53 +01:00
space-info.h btrfs: change root to fs_info for btrfs_reserve_metadata_bytes 2022-01-03 15:09:45 +01:00
struct-funcs.c btrfs: add special case to setget helpers for 64k pages 2021-08-23 13:18:58 +02:00
subpage.c btrfs: subpage: fix a wrong check on subpage->writers 2022-03-02 16:51:39 +01:00
subpage.h btrfs: rework page locking in __extent_writepage() 2021-10-26 19:08:05 +02:00
super.c btrfs: add filesystems state details to error messages 2022-03-14 13:13:52 +01:00
sysfs.c btrfs: replace BUILD_BUG_ON by static_assert 2022-03-14 13:13:49 +01:00
sysfs.h btrfs: split and refactor btrfs_sysfs_remove_devices_dir 2020-10-07 12:12:21 +02:00
transaction.c btrfs: pass btrfs_fs_info for deleting snapshots and cleaner 2022-03-14 13:13:52 +01:00
transaction.h btrfs: pass btrfs_fs_info for deleting snapshots and cleaner 2022-03-14 13:13:52 +01:00
tree-checker.c btrfs: add support for multiple global roots 2022-03-14 13:13:49 +01:00
tree-checker.h
tree-defrag.c btrfs: remove unnecessary extent root check in btrfs_defrag_leaves 2022-01-03 15:09:48 +01:00
tree-log.c btrfs: add and use helper for unlinking inode during log replay 2022-03-14 13:13:53 +01:00
tree-log.h btrfs: avoid inode logging during rename and link when possible 2022-03-14 13:13:48 +01:00
tree-mod-log.c btrfs: fix race when picking most recent mod log operation for an old root 2021-04-20 19:27:17 +02:00
tree-mod-log.h btrfs: add and use helper to get lowest sequence number for the tree mod log 2021-04-19 17:25:17 +02:00
ulist.c
ulist.h
uuid-tree.c btrfs: drop the _nr from the item helpers 2022-01-03 15:09:43 +01:00
verity.c btrfs: drop the _nr from the item helpers 2022-01-03 15:09:43 +01:00
volumes.c btrfs: don't access possibly stale fs_info data in device_list_add 2022-03-14 13:13:54 +01:00
volumes.h btrfs: add device major-minor info in the struct btrfs_device 2022-03-14 13:13:47 +01:00
xattr.c btrfs: drop the _nr from the item helpers 2022-01-03 15:09:43 +01:00
xattr.h
zlib.c Revert "btrfs: compression: drop kmap/kunmap from zlib" 2021-10-29 13:03:05 +02:00
zoned.c btrfs: zoned: remove redundant assignment in btrfs_check_zoned_mode 2022-03-14 13:13:49 +01:00
zoned.h btrfs: zoned: fix chunk allocation condition for zoned allocator 2022-01-07 14:18:26 +01:00
zstd.c lib: zstd: Add kernel-specific API 2021-11-08 16:55:21 -08:00