linux_dsm_epyc7002

mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2024-11-24 18:10:52 +07:00

History

Filipe Manana 6609fee889 Btrfs: fix removal logic of the tree mod log that leads to use-after-free issues When a tree mod log user no longer needs to use the tree it calls btrfs_put_tree_mod_seq() to remove itself from the list of users and delete all no longer used elements of the tree's red black tree, which should be all elements with a sequence number less then our equals to the caller's sequence number. However the logic is broken because it can delete and free elements from the red black tree that have a sequence number greater then the caller's sequence number: 1) At a point in time we have sequence numbers 1, 2, 3 and 4 in the tree mod log; 2) The task which got assigned the sequence number 1 calls btrfs_put_tree_mod_seq(); 3) Sequence number 1 is deleted from the list of sequence numbers; 4) The current minimum sequence number is computed to be the sequence number 2; 5) A task using sequence number 2 is at tree_mod_log_rewind() and gets a pointer to one of its elements from the red black tree through a call to tree_mod_log_search(); 6) The task with sequence number 1 iterates the red black tree of tree modification elements and deletes (and frees) all elements with a sequence number less then or equals to 2 (the computed minimum sequence number) - it ends up only leaving elements with sequence numbers of 3 and 4; 7) The task with sequence number 2 now uses the pointer to its element, already freed by the other task, at __tree_mod_log_rewind(), resulting in a use-after-free issue. When CONFIG_DEBUG_PAGEALLOC=y it produces a trace like the following: [16804.546854] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI [16804.547451] CPU: 0 PID: 28257 Comm: pool Tainted: G W 5.4.0-rc8-btrfs-next-51 #1 [16804.548059] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 [16804.548666] RIP: 0010:rb_next+0x16/0x50 (...) [16804.550581] RSP: 0018:ffffb948418ef9b0 EFLAGS: 00010202 [16804.551227] RAX: 6b6b6b6b6b6b6b6b RBX: ffff90e0247f6600 RCX: 6b6b6b6b6b6b6b6b [16804.551873] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff90e0247f6600 [16804.552504] RBP: ffff90dffe0d4688 R08: 0000000000000001 R09: 0000000000000000 [16804.553136] R10: ffff90dffa4a0040 R11: 0000000000000000 R12: 000000000000002e [16804.553768] R13: ffff90e0247f6600 R14: 0000000000001663 R15: ffff90dff77862b8 [16804.554399] FS: 00007f4b197ae700(0000) GS:ffff90e036a00000(0000) knlGS:0000000000000000 [16804.555039] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [16804.555683] CR2: 00007f4b10022000 CR3: 00000002060e2004 CR4: 00000000003606f0 [16804.556336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [16804.556968] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [16804.557583] Call Trace: [16804.558207] __tree_mod_log_rewind+0xbf/0x280 [btrfs] [16804.558835] btrfs_search_old_slot+0x105/0xd00 [btrfs] [16804.559468] resolve_indirect_refs+0x1eb/0xc70 [btrfs] [16804.560087] ? free_extent_buffer.part.19+0x5a/0xc0 [btrfs] [16804.560700] find_parent_nodes+0x388/0x1120 [btrfs] [16804.561310] btrfs_check_shared+0x115/0x1c0 [btrfs] [16804.561916] ? extent_fiemap+0x59d/0x6d0 [btrfs] [16804.562518] extent_fiemap+0x59d/0x6d0 [btrfs] [16804.563112] ? __might_fault+0x11/0x90 [16804.563706] do_vfs_ioctl+0x45a/0x700 [16804.564299] ksys_ioctl+0x70/0x80 [16804.564885] ? trace_hardirqs_off_thunk+0x1a/0x20 [16804.565461] __x64_sys_ioctl+0x16/0x20 [16804.566020] do_syscall_64+0x5c/0x250 [16804.566580] entry_SYSCALL_64_after_hwframe+0x49/0xbe [16804.567153] RIP: 0033:0x7f4b1ba2add7 (...) [16804.568907] RSP: 002b:00007f4b197adc88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [16804.569513] RAX: ffffffffffffffda RBX: 00007f4b100210d8 RCX: 00007f4b1ba2add7 [16804.570133] RDX: 00007f4b100210d8 RSI: 00000000c020660b RDI: 0000000000000003 [16804.570726] RBP: 000055de05a6cfe0 R08: 0000000000000000 R09: 00007f4b197add44 [16804.571314] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4b197add48 [16804.571905] R13: 00007f4b197add40 R14: 00007f4b100210d0 R15: 00007f4b197add50 (...) [16804.575623] ---[ end trace 87317359aad4ba50 ]--- Fix this by making btrfs_put_tree_mod_seq() skip deletion of elements that have a sequence number equals to the computed minimum sequence number, and not just elements with a sequence number greater then that minimum. Fixes: `bd989ba359` ("Btrfs: add tree modification log functions") CC: stable@vger.kernel.org # 4.4+ Reviewed-by: Josef Bacik <josef@toxicpanda.com> Signed-off-by: Filipe Manana <fdmanana@suse.com> Signed-off-by: David Sterba <dsterba@suse.com>		2019-12-13 14:09:25 +01:00
..
tests	btrfs: return error pointer from alloc_test_extent_buffer	2019-12-13 14:09:24 +01:00
acl.c	btrfs: cleanup btrfs_setxattr_trans and drop transaction parameter	2019-04-29 19:02:44 +02:00
async-thread.c	btrfs: add __pure attribute to functions	2019-11-18 12:46:52 +01:00
async-thread.h	btrfs: add __pure attribute to functions	2019-11-18 12:46:52 +01:00
backref.c	Btrfs: fix deadlock between fiemap and transaction commits	2019-07-30 18:25:12 +02:00
backref.h	btrfs: fiemap: preallocate ulists for btrfs_check_shared	2019-07-01 13:34:53 +02:00
block-group.c	btrfs: scrub: Don't check free space before marking a block group RO	2019-11-18 18:07:55 +01:00
block-group.h	btrfs: scrub: Don't check free space before marking a block group RO	2019-11-18 18:07:55 +01:00
block-rsv.c	btrfs: use btrfs_try_granting_tickets in update_global_rsv	2019-09-09 14:59:19 +02:00
block-rsv.h	btrfs: migrate the global_block_rsv helpers to block-rsv.c	2019-07-02 12:30:55 +02:00
btrfs_inode.h	Btrfs: remove unnecessary delalloc mutex for inodes	2019-11-18 17:51:46 +01:00
check-integrity.c	btrfs: reduce stack usage for btrfsic_process_written_block	2019-09-09 14:58:58 +02:00
check-integrity.h	btrfs: replace GPL boilerplate by SPDX -- headers	2018-04-12 16:29:46 +02:00
compression.c	btrfs: drop bio_set_dev where not needed	2019-11-18 23:39:30 +01:00
compression.h	btrfs: compression: remove ops pointer from workspace_manager	2019-11-18 12:46:59 +01:00
ctree.c	Btrfs: fix removal logic of the tree mod log that leads to use-after-free issues	2019-12-13 14:09:25 +01:00
ctree.h	Btrfs: fix missing data checksums after replaying a log tree	2019-12-13 14:09:24 +01:00
delalloc-space.c	Btrfs: remove unnecessary delalloc mutex for inodes	2019-11-18 17:51:46 +01:00
delalloc-space.h	btrfs: migrate the delalloc space stuff to it's own home	2019-07-04 17:26:17 +02:00
delayed-inode.c	btrfs: use refcount_inc_not_zero in kill_all_nodes	2019-11-18 12:46:51 +01:00
delayed-inode.h	Btrfs: delayed-inode: use rb_first_cached for ins_root and del_root	2018-10-15 17:23:33 +02:00
delayed-ref.c	btrfs: rename btrfs_space_info_add_old_bytes	2019-09-09 14:59:18 +02:00
delayed-ref.h	btrfs: migrate the delayed refs rsv code	2019-07-04 17:26:17 +02:00
dev-replace.c	btrfs: add __pure attribute to functions	2019-11-18 12:46:52 +01:00
dev-replace.h	btrfs: add __pure attribute to functions	2019-11-18 12:46:52 +01:00
dir-item.c	btrfs: remove unused parameter fs_info from btrfs_extend_item	2019-04-29 19:02:50 +02:00
disk-io.c	btrfs: remove extent_map::bdev	2019-11-18 23:43:44 +01:00
disk-io.h	btrfs: add __cold attribute to more functions	2019-11-18 12:46:52 +01:00
export.c	btrfs: drop unused parameter is_new from btrfs_iget	2019-11-18 12:46:52 +01:00
export.h	btrfs: replace GPL boilerplate by SPDX -- headers	2018-04-12 16:29:46 +02:00
extent_io.c	btrfs: return error pointer from alloc_test_extent_buffer	2019-12-13 14:09:24 +01:00
extent_io.h	btrfs: opencode extent_buffer_get	2019-11-18 12:46:54 +01:00
extent_map.c	btrfs: remove extent_map::bdev	2019-11-18 23:43:44 +01:00
extent_map.h	btrfs: remove extent_map::bdev	2019-11-18 23:43:44 +01:00
extent-io-tree.h	btrfs: move the failrec tree stuff into extent-io-tree.h	2019-11-18 12:46:47 +01:00
extent-tree.c	Btrfs: fix missing data checksums after replaying a log tree	2019-12-13 14:09:24 +01:00
file-item.c	Btrfs: fix missing data checksums after replaying a log tree	2019-12-13 14:09:24 +01:00
file.c	Btrfs: fix cloning range with a hole when using the NO_HOLES feature	2019-12-13 13:29:22 +01:00
free-space-cache.c	btrfs: rename btrfs_block_group_cache	2019-11-18 17:51:51 +01:00
free-space-cache.h	btrfs: rename btrfs_block_group_cache	2019-11-18 17:51:51 +01:00
free-space-tree.c	btrfs: rename btrfs_block_group_cache	2019-11-18 17:51:51 +01:00
free-space-tree.h	btrfs: rename btrfs_block_group_cache	2019-11-18 17:51:51 +01:00
inode-item.c	btrfs: Make btrfs_find_name_in_ext_backref return struct btrfs_inode_extref	2019-09-09 14:59:16 +02:00
inode-map.c	btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents()	2019-10-15 18:50:07 +02:00
inode-map.h	btrfs: replace GPL boilerplate by SPDX -- headers	2018-04-12 16:29:46 +02:00
inode.c	btrfs: don't double lock the subvol_sem for rename exchange	2019-12-13 14:09:23 +01:00
ioctl.c	btrfs: rename btrfs_block_group_cache	2019-11-18 17:51:51 +01:00
Kconfig	btrfs: add sha256 to checksumming algorithm	2019-11-18 17:51:43 +01:00
locking.c	btrfs: document extent buffer locking	2019-11-18 17:51:50 +01:00
locking.h	btrfs: move btrfs_unlock_up_safe to other locking functions	2019-11-18 12:46:49 +01:00
lzo.c	btrfs: compression: inline free_workspace	2019-11-18 12:46:59 +01:00
Makefile	btrfs: migrate the block group lookup code	2019-09-09 14:59:04 +02:00
misc.h	btrfs: add 64bit safe helper for power of two checks	2019-11-18 12:46:50 +01:00
ordered-data.c	Btrfs: fix block group remaining RO forever after error during device replace	2019-11-18 18:07:55 +01:00
ordered-data.h	Btrfs: fix block group remaining RO forever after error during device replace	2019-11-18 18:07:55 +01:00
orphan.c	btrfs: replace GPL boilerplate by SPDX -- sources	2018-04-12 16:29:51 +02:00
print-tree.c	btrfs: rename extent buffer block group item accessors	2019-11-18 17:51:45 +01:00
print-tree.h	btrfs: print-tree: debugging output enhancement	2018-04-20 19:18:16 +02:00
props.c	btrfs: props: remove unnecessary hash_init()	2019-11-18 12:46:55 +01:00
props.h	btrfs: delete unused function btrfs_set_prop_trans	2019-04-29 19:02:54 +02:00
qgroup.c	btrfs: Fix error messages in qgroup_rescan_init	2019-12-13 13:29:12 +01:00
qgroup.h	btrfs: rename btrfs_block_group_cache	2019-11-18 17:51:51 +01:00
raid56.c	btrfs: remove pointless local variable in lock_stripe_add()	2019-11-18 12:47:00 +01:00
raid56.h	btrfs: constify map parameter for nr_parity_stripes and nr_data_stripes	2019-07-01 13:34:58 +02:00
rcu-string.h	btrfs: replace GPL boilerplate by SPDX -- headers	2018-04-12 16:29:46 +02:00
reada.c	btrfs: rename btrfs_block_group_cache	2019-11-18 17:51:51 +01:00
ref-verify.c	btrfs: fix uninitialized ret in ref-verify	2019-10-03 15:00:56 +02:00
ref-verify.h	btrfs: ref-verify: Use btrfs_ref to refactor btrfs_ref_tree_mod()	2019-04-29 19:02:49 +02:00
relocation.c	btrfs: remove extent_map::bdev	2019-11-18 23:43:44 +01:00
root-tree.c	btrfs: rename the btrfs_calc_*_metadata_size helpers	2019-09-09 14:59:13 +02:00
scrub.c	Btrfs: fix block group remaining RO forever after error during device replace	2019-11-18 18:07:55 +01:00
send.c	Btrfs: send, skip backreference walking for extents with many references	2019-11-18 17:51:48 +01:00
send.h	btrfs: replace GPL boilerplate by SPDX -- headers	2018-04-12 16:29:46 +02:00
space-info.c	btrfs: rename btrfs_block_group_cache	2019-11-18 17:51:51 +01:00
space-info.h	Btrfs: remove wait queue from space_info structure	2019-11-18 17:51:46 +01:00
struct-funcs.c	btrfs: tie extent buffer and it's token together	2019-09-09 14:59:16 +02:00
super.c	btrfs: add support for 4-copy replication (raid1c4)	2019-11-18 17:51:49 +01:00
sysfs.c	btrfs: rename btrfs_block_group_cache	2019-11-18 17:51:51 +01:00
sysfs.h	btrfs: rename btrfs_block_group_cache	2019-11-18 17:51:51 +01:00
transaction.c	btrfs: rename btrfs_block_group_cache	2019-11-18 17:51:51 +01:00
transaction.h	btrfs: Rename btrfs_join_transaction_nolock	2019-11-18 12:46:54 +01:00
tree-checker.c	Btrfs: make tree checker detect checksum items with overlapping ranges	2019-12-13 14:09:25 +01:00
tree-checker.h	btrfs: get fs_info from eb in btrfs_check_chunk_valid	2019-04-29 19:02:39 +02:00
tree-defrag.c	btrfs: open code now trivial btrfs_set_lock_blocking	2019-02-25 14:13:27 +01:00
tree-log.c	Btrfs: fix missing data checksums after replaying a log tree	2019-12-13 14:09:24 +01:00
tree-log.h	btrfs: get fs_info from trans in btrfs_set_log_full_commit	2019-04-29 19:02:41 +02:00
ulist.c	btrfs: replace GPL boilerplate by SPDX -- sources	2018-04-12 16:29:51 +02:00
ulist.h	btrfs: replace GPL boilerplate by SPDX -- headers	2018-04-12 16:29:46 +02:00
uuid-tree.c	btrfs: remove unused parameter fs_info from btrfs_extend_item	2019-04-29 19:02:50 +02:00
volumes.c	btrfs: fix devs_max constraints for raid1c3 and raid1c4	2019-12-13 14:09:23 +01:00
volumes.h	btrfs: change btrfs_fs_devices::rotating to bool	2019-11-18 17:51:51 +01:00
xattr.c	Btrfs: fix failure to persist compression property xattr deletion on fsync	2019-06-17 16:37:17 +02:00
xattr.h	btrfs: cleanup btrfs_setxattr_trans and drop transaction parameter	2019-04-29 19:02:44 +02:00
zlib.c	btrfs: compression: inline free_workspace	2019-11-18 12:46:59 +01:00
zstd.c	btrfs: compression: inline free_workspace	2019-11-18 12:46:59 +01:00