mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-28 14:44:10 +08:00
e2b54eaf28
When creating a snapshot we may do a double free of an anonymous device
in case there's an error committing the transaction. The second free may
result in freeing an anonymous device number that was allocated by some
other subsystem in the kernel or another btrfs filesystem.
The steps that lead to this:
1) At ioctl.c:create_snapshot() we allocate an anonymous device number
and assign it to pending_snapshot->anon_dev;
2) Then we call btrfs_commit_transaction() and end up at
transaction.c:create_pending_snapshot();
3) There we call btrfs_get_new_fs_root() and pass it the anonymous device
number stored in pending_snapshot->anon_dev;
4) btrfs_get_new_fs_root() frees that anonymous device number because
btrfs_lookup_fs_root() returned a root - someone else did a lookup
of the new root already, which could some task doing backref walking;
5) After that some error happens in the transaction commit path, and at
ioctl.c:create_snapshot() we jump to the 'fail' label, and after
that we free again the same anonymous device number, which in the
meanwhile may have been reallocated somewhere else, because
pending_snapshot->anon_dev still has the same value as in step 1.
Recently syzbot ran into this and reported the following trace:
------------[ cut here ]------------
ida_free called for id=51 which is not allocated.
WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525
Modules linked in:
CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525
Code: 10 42 80 3c 28 (...)
RSP: 0018:ffffc90015a67300 EFLAGS: 00010246
RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000
RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000
RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4
R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246
R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246
FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0
Call Trace:
<TASK>
btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346
create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837
create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931
btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404
create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848
btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998
btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044
__btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306
btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393
btrfs_ioctl+0xa74/0xd40
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7fca3e67dda9
Code: 28 00 00 00 (...)
RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9
RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003
RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658
</TASK>
Where we get an explicit message where we attempt to free an anonymous
device number that is not currently allocated. It happens in a different
code path from the example below, at btrfs_get_root_ref(), so this change
may not fix the case triggered by syzbot.
To fix at least the code path from the example above, change
btrfs_get_root_ref() and its callers to receive a dev_t pointer argument
for the anonymous device number, so that in case it frees the number, it
also resets it to 0, so that up in the call chain we don't attempt to do
the double free.
CC: stable@vger.kernel.org # 5.10+
Link: https://lore.kernel.org/linux-btrfs/000000000000f673a1061202f630@google.com/
Fixes: e03ee2fe87
("btrfs: do not ASSERT() if the newly created subvolume already got read")
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
129 lines
5.0 KiB
C
129 lines
5.0 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* Copyright (C) 2007 Oracle. All rights reserved.
|
|
*/
|
|
|
|
#ifndef BTRFS_DISK_IO_H
|
|
#define BTRFS_DISK_IO_H
|
|
|
|
#define BTRFS_SUPER_MIRROR_MAX 3
|
|
#define BTRFS_SUPER_MIRROR_SHIFT 12
|
|
|
|
/*
|
|
* Fixed blocksize for all devices, applies to specific ways of reading
|
|
* metadata like superblock. Must meet the set_blocksize requirements.
|
|
*
|
|
* Do not change.
|
|
*/
|
|
#define BTRFS_BDEV_BLOCKSIZE (4096)
|
|
|
|
static inline u64 btrfs_sb_offset(int mirror)
|
|
{
|
|
u64 start = SZ_16K;
|
|
if (mirror)
|
|
return start << (BTRFS_SUPER_MIRROR_SHIFT * mirror);
|
|
return BTRFS_SUPER_INFO_OFFSET;
|
|
}
|
|
|
|
struct btrfs_device;
|
|
struct btrfs_fs_devices;
|
|
struct btrfs_tree_parent_check;
|
|
|
|
void btrfs_check_leaked_roots(struct btrfs_fs_info *fs_info);
|
|
void btrfs_init_fs_info(struct btrfs_fs_info *fs_info);
|
|
struct extent_buffer *read_tree_block(struct btrfs_fs_info *fs_info, u64 bytenr,
|
|
struct btrfs_tree_parent_check *check);
|
|
struct extent_buffer *btrfs_find_create_tree_block(
|
|
struct btrfs_fs_info *fs_info,
|
|
u64 bytenr, u64 owner_root,
|
|
int level);
|
|
int btrfs_start_pre_rw_mount(struct btrfs_fs_info *fs_info);
|
|
int btrfs_check_super_csum(struct btrfs_fs_info *fs_info,
|
|
const struct btrfs_super_block *disk_sb);
|
|
int __cold open_ctree(struct super_block *sb,
|
|
struct btrfs_fs_devices *fs_devices,
|
|
char *options);
|
|
void __cold close_ctree(struct btrfs_fs_info *fs_info);
|
|
int btrfs_validate_super(struct btrfs_fs_info *fs_info,
|
|
struct btrfs_super_block *sb, int mirror_num);
|
|
int btrfs_check_features(struct btrfs_fs_info *fs_info, bool is_rw_mount);
|
|
int write_all_supers(struct btrfs_fs_info *fs_info, int max_mirrors);
|
|
struct btrfs_super_block *btrfs_read_dev_super(struct block_device *bdev);
|
|
struct btrfs_super_block *btrfs_read_dev_one_super(struct block_device *bdev,
|
|
int copy_num, bool drop_cache);
|
|
int btrfs_commit_super(struct btrfs_fs_info *fs_info);
|
|
struct btrfs_root *btrfs_read_tree_root(struct btrfs_root *tree_root,
|
|
struct btrfs_key *key);
|
|
int btrfs_insert_fs_root(struct btrfs_fs_info *fs_info,
|
|
struct btrfs_root *root);
|
|
void btrfs_free_fs_roots(struct btrfs_fs_info *fs_info);
|
|
|
|
struct btrfs_root *btrfs_get_fs_root(struct btrfs_fs_info *fs_info,
|
|
u64 objectid, bool check_ref);
|
|
struct btrfs_root *btrfs_get_new_fs_root(struct btrfs_fs_info *fs_info,
|
|
u64 objectid, dev_t *anon_dev);
|
|
struct btrfs_root *btrfs_get_fs_root_commit_root(struct btrfs_fs_info *fs_info,
|
|
struct btrfs_path *path,
|
|
u64 objectid);
|
|
int btrfs_global_root_insert(struct btrfs_root *root);
|
|
void btrfs_global_root_delete(struct btrfs_root *root);
|
|
struct btrfs_root *btrfs_global_root(struct btrfs_fs_info *fs_info,
|
|
struct btrfs_key *key);
|
|
struct btrfs_root *btrfs_csum_root(struct btrfs_fs_info *fs_info, u64 bytenr);
|
|
struct btrfs_root *btrfs_extent_root(struct btrfs_fs_info *fs_info, u64 bytenr);
|
|
struct btrfs_root *btrfs_block_group_root(struct btrfs_fs_info *fs_info);
|
|
|
|
void btrfs_free_fs_info(struct btrfs_fs_info *fs_info);
|
|
void btrfs_btree_balance_dirty(struct btrfs_fs_info *fs_info);
|
|
void btrfs_btree_balance_dirty_nodelay(struct btrfs_fs_info *fs_info);
|
|
void btrfs_drop_and_free_fs_root(struct btrfs_fs_info *fs_info,
|
|
struct btrfs_root *root);
|
|
int btrfs_validate_extent_buffer(struct extent_buffer *eb,
|
|
struct btrfs_tree_parent_check *check);
|
|
#ifdef CONFIG_BTRFS_FS_RUN_SANITY_TESTS
|
|
struct btrfs_root *btrfs_alloc_dummy_root(struct btrfs_fs_info *fs_info);
|
|
#endif
|
|
|
|
/*
|
|
* This function is used to grab the root, and avoid it is freed when we
|
|
* access it. But it doesn't ensure that the tree is not dropped.
|
|
*
|
|
* If you want to ensure the whole tree is safe, you should use
|
|
* fs_info->subvol_srcu
|
|
*/
|
|
static inline struct btrfs_root *btrfs_grab_root(struct btrfs_root *root)
|
|
{
|
|
if (!root)
|
|
return NULL;
|
|
if (refcount_inc_not_zero(&root->refs))
|
|
return root;
|
|
return NULL;
|
|
}
|
|
|
|
void btrfs_put_root(struct btrfs_root *root);
|
|
void btrfs_mark_buffer_dirty(struct btrfs_trans_handle *trans,
|
|
struct extent_buffer *buf);
|
|
int btrfs_buffer_uptodate(struct extent_buffer *buf, u64 parent_transid,
|
|
int atomic);
|
|
int btrfs_read_extent_buffer(struct extent_buffer *buf,
|
|
struct btrfs_tree_parent_check *check);
|
|
|
|
blk_status_t btree_csum_one_bio(struct btrfs_bio *bbio);
|
|
int btrfs_alloc_log_tree_node(struct btrfs_trans_handle *trans,
|
|
struct btrfs_root *root);
|
|
int btrfs_init_log_root_tree(struct btrfs_trans_handle *trans,
|
|
struct btrfs_fs_info *fs_info);
|
|
int btrfs_add_log_tree(struct btrfs_trans_handle *trans,
|
|
struct btrfs_root *root);
|
|
void btrfs_cleanup_dirty_bgs(struct btrfs_transaction *trans,
|
|
struct btrfs_fs_info *fs_info);
|
|
void btrfs_cleanup_one_transaction(struct btrfs_transaction *trans,
|
|
struct btrfs_fs_info *fs_info);
|
|
struct btrfs_root *btrfs_create_tree(struct btrfs_trans_handle *trans,
|
|
u64 objectid);
|
|
int btrfs_get_num_tolerated_disk_barrier_failures(u64 flags);
|
|
int btrfs_get_free_objectid(struct btrfs_root *root, u64 *objectid);
|
|
int btrfs_init_root_free_objectid(struct btrfs_root *root);
|
|
|
|
#endif
|