From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Hao Sun <sunhao.th@gmail.com>,
Qu Wenruo <wqu@suse.com>, David Sterba <dsterba@suse.com>
Subject: [PATCH 5.4 12/69] btrfs: unlock newly allocated extent buffer after error
Date: Mon, 18 Oct 2021 15:24:10 +0200 [thread overview]
Message-ID: <20211018132329.856285977@linuxfoundation.org> (raw)
In-Reply-To: <20211018132329.453964125@linuxfoundation.org>
From: Qu Wenruo <wqu@suse.com>
commit 19ea40dddf1833db868533958ca066f368862211 upstream.
[BUG]
There is a bug report that injected ENOMEM error could leave a tree
block locked while we return to user-space:
BTRFS info (device loop0): enabling ssd optimizations
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 7579 Comm: syz-executor Not tainted 5.15.0-rc1 #16
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:106
fail_dump lib/fault-inject.c:52 [inline]
should_fail+0x13c/0x160 lib/fault-inject.c:146
should_failslab+0x5/0x10 mm/slab_common.c:1328
slab_pre_alloc_hook.constprop.99+0x4e/0xc0 mm/slab.h:494
slab_alloc_node mm/slub.c:3120 [inline]
slab_alloc mm/slub.c:3214 [inline]
kmem_cache_alloc+0x44/0x280 mm/slub.c:3219
btrfs_alloc_delayed_extent_op fs/btrfs/delayed-ref.h:299 [inline]
btrfs_alloc_tree_block+0x38c/0x670 fs/btrfs/extent-tree.c:4833
__btrfs_cow_block+0x16f/0x7d0 fs/btrfs/ctree.c:415
btrfs_cow_block+0x12a/0x300 fs/btrfs/ctree.c:570
btrfs_search_slot+0x6b0/0xee0 fs/btrfs/ctree.c:1768
btrfs_insert_empty_items+0x80/0xf0 fs/btrfs/ctree.c:3905
btrfs_new_inode+0x311/0xa60 fs/btrfs/inode.c:6530
btrfs_create+0x12b/0x270 fs/btrfs/inode.c:6783
lookup_open+0x660/0x780 fs/namei.c:3282
open_last_lookups fs/namei.c:3352 [inline]
path_openat+0x465/0xe20 fs/namei.c:3557
do_filp_open+0xe3/0x170 fs/namei.c:3588
do_sys_openat2+0x357/0x4a0 fs/open.c:1200
do_sys_open+0x87/0xd0 fs/open.c:1216
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x34/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x46ae99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f46711b9c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 000000000078c0a0 RCX: 000000000046ae99
RDX: 0000000000000000 RSI: 00000000000000a1 RDI: 0000000020005800
RBP: 00007f46711b9c80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000017
R13: 0000000000000000 R14: 000000000078c0a0 R15: 00007ffc129da6e0
================================================
WARNING: lock held when returning to user space!
5.15.0-rc1 #16 Not tainted
------------------------------------------------
syz-executor/7579 is leaving the kernel with locks still held!
1 lock held by syz-executor/7579:
#0: ffff888104b73da8 (btrfs-tree-01/1){+.+.}-{3:3}, at:
__btrfs_tree_lock+0x2e/0x1a0 fs/btrfs/locking.c:112
[CAUSE]
In btrfs_alloc_tree_block(), after btrfs_init_new_buffer(), the new
extent buffer @buf is locked, but if later operations like adding
delayed tree ref fail, we just free @buf without unlocking it,
resulting above warning.
[FIX]
Unlock @buf in out_free_buf: label.
Reported-by: Hao Sun <sunhao.th@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/CACkBjsZ9O6Zr0KK1yGn=1rQi6Crh1yeCRdTSBxx9R99L4xdn-Q@mail.gmail.com/
CC: stable@vger.kernel.org # 5.4+
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/extent-tree.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -4596,6 +4596,7 @@ struct extent_buffer *btrfs_alloc_tree_b
out_free_delayed:
btrfs_free_delayed_extent_op(extent_op);
out_free_buf:
+ btrfs_tree_unlock(buf);
free_extent_buffer(buf);
out_free_reserved:
btrfs_free_reserved_extent(fs_info, ins.objectid, ins.offset, 0);
next prev parent reply other threads:[~2021-10-18 13:32 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-18 13:23 [PATCH 5.4 00/69] 5.4.155-rc1 review Greg Kroah-Hartman
2021-10-18 13:23 ` [PATCH 5.4 01/69] ovl: simplify file splice Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 02/69] ALSA: usb-audio: Add quirk for VF0770 Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 03/69] ALSA: seq: Fix a potential UAF by wrong private_free call order Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 04/69] ALSA: hda/realtek: Complete partial device name to avoid ambiguity Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 05/69] ALSA: hda/realtek: Add quirk for Clevo X170KM-G Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 06/69] ALSA: hda/realtek - ALC236 headset MIC recording issue Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 07/69] ALSA: hda/realtek: Fix the mic type detection issue for ASUS G551JW Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 08/69] nds32/ftrace: Fix Error: invalid operands (*UND* and *UND* sections) for `^ Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 09/69] s390: fix strrchr() implementation Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 10/69] csky: dont let sigreturn play with priveleged bits of status register Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 11/69] csky: Fixup regs.sr broken in ptrace Greg Kroah-Hartman
2021-10-18 13:24 ` Greg Kroah-Hartman [this message]
2021-10-18 13:24 ` [PATCH 5.4 13/69] btrfs: deal with errors when replaying dir entry during log replay Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 14/69] btrfs: deal with errors when adding inode reference " Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 15/69] btrfs: check for error when looking up inode during dir entry replay Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 16/69] watchdog: orion: use 0 for unset heartbeat Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 17/69] x86/resctrl: Free the ctrlval arrays when domain_setup_mon_state() fails Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 18/69] mei: me: add Ice Lake-N device id Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 19/69] xhci: guard accesses to ep_state in xhci_endpoint_reset() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 20/69] xhci: Fix command ring pointer corruption while aborting a command Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 21/69] xhci: Enable trust tx length quirk for Fresco FL11 USB controller Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 22/69] cb710: avoid NULL pointer subtraction Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 23/69] efi/cper: use stack buffer for error record decoding Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 24/69] efi: Change down_interruptible() in virt_efi_reset_system() to down_trylock() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 25/69] usb: musb: dsps: Fix the probe error path Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 26/69] Input: xpad - add support for another USB ID of Nacon GC-100 Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 27/69] USB: serial: qcserial: add EM9191 QDL support Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 28/69] USB: serial: option: add Quectel EC200S-CN module support Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 29/69] USB: serial: option: add Telit LE910Cx composition 0x1204 Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 30/69] USB: serial: option: add prod. id for Quectel EG91 Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 31/69] virtio: write back F_VERSION_1 before validate Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 32/69] EDAC/armada-xp: Fix output of uncorrectable error counter Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 33/69] nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 34/69] KVM: PPC: Book3S HV: Fix stack handling in idle_kvm_start_guest() Greg Kroah-Hartman
2021-10-19 10:34 ` Michael Ellerman
2021-10-18 13:24 ` [PATCH 5.4 35/69] KVM: PPC: Book3S HV: Make idle_kvm_start_guest() return 0 if it went to guest Greg Kroah-Hartman
2021-10-19 10:54 ` Michael Ellerman
2021-10-18 13:24 ` [PATCH 5.4 36/69] x86/Kconfig: Do not enable AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT automatically Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 37/69] powerpc/xive: Discard disabled interrupts in get_irqchip_state() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 38/69] iio: adc: aspeed: set driver data when adc probe Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 39/69] iio: adc128s052: Fix the error handling path of adc128_probe() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 40/69] iio: mtk-auxadc: fix case IIO_CHAN_INFO_PROCESSED Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 41/69] iio: light: opt3001: Fixed timeout error when 0 lux Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 42/69] iio: ssp_sensors: add more range checking in ssp_parse_dataframe() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 43/69] iio: ssp_sensors: fix error code in ssp_print_mcu_debug() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 44/69] iio: dac: ti-dac5571: fix an error code in probe() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 45/69] sctp: account stream padding length for reconf chunk Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 46/69] gpio: pca953x: Improve bias setting Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 47/69] net: arc: select CRC32 Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 48/69] net: korina: " Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 49/69] net/mlx5e: Mutually exclude RX-FCS and RX-port-timestamp Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 50/69] net: stmmac: fix get_hw_feature() on old hardware Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 51/69] net: encx24j600: check error in devm_regmap_init_encx24j600 Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 52/69] ethernet: s2io: fix setting mac address during resume Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 53/69] nfc: fix error handling of nfc_proto_register() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 54/69] NFC: digital: fix possible memory leak in digital_tg_listen_mdaa() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 55/69] NFC: digital: fix possible memory leak in digital_in_send_sdd_req() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 56/69] pata_legacy: fix a couple uninitialized variable bugs Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 57/69] ata: ahci_platform: fix null-ptr-deref in ahci_platform_enable_regulators() Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 58/69] mlxsw: thermal: Fix out-of-bounds memory accesses Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 59/69] platform/mellanox: mlxreg-io: Fix argument base in kstrtou32() call Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 60/69] drm/panel: olimex-lcd-olinuxino: select CRC32 Greg Kroah-Hartman
2021-10-18 13:24 ` [PATCH 5.4 61/69] drm/msm: Fix null pointer dereference on pointer edp Greg Kroah-Hartman
2021-10-18 13:25 ` [PATCH 5.4 62/69] drm/msm/mdp5: fix cursor-related warnings Greg Kroah-Hartman
2021-10-18 13:25 ` [PATCH 5.4 63/69] drm/msm/dsi: Fix an error code in msm_dsi_modeset_init() Greg Kroah-Hartman
2021-10-18 13:25 ` [PATCH 5.4 64/69] drm/msm/dsi: fix off by one in dsi_bus_clk_enable error handling Greg Kroah-Hartman
2021-10-18 13:25 ` [PATCH 5.4 65/69] acpi/arm64: fix next_platform_timer() section mismatch error Greg Kroah-Hartman
2021-10-18 13:25 ` [PATCH 5.4 66/69] mqprio: Correct stats in mqprio_dump_class_stats() Greg Kroah-Hartman
2021-10-18 13:25 ` [PATCH 5.4 67/69] qed: Fix missing error code in qed_slowpath_start() Greg Kroah-Hartman
2021-10-18 13:25 ` [PATCH 5.4 68/69] r8152: select CRC32 and CRYPTO/CRYPTO_HASH/CRYPTO_SHA256 Greg Kroah-Hartman
2021-10-18 13:25 ` [PATCH 5.4 69/69] ionic: dont remove netdev->dev_addr when syncing uc list Greg Kroah-Hartman
2021-10-18 14:11 ` [PATCH 5.4 00/69] 5.4.155-rc1 review Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211018132329.856285977@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dsterba@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=sunhao.th@gmail.com \
--cc=wqu@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).