From: Josef Bacik <josef@toxicpanda.com>
To: Naohiro Aota <naohiro.aota@wdc.com>,
	linux-btrfs@vger.kernel.org, dsterba@suse.com
Cc: hare@suse.com, linux-fsdevel@vger.kernel.org,
	Jens Axboe <axboe@kernel.dk>,
	Christoph Hellwig <hch@infradead.org>,
	"Darrick J. Wong" <darrick.wong@oracle.com>,
	Johannes Thumshirn <johannes.thumshirn@wdc.com>
Subject: Re: [PATCH v12 05/41] btrfs: release path before calling into btrfs_load_block_group_zone_info
Date: Fri, 15 Jan 2021 17:22:31 -0500
Message-ID: <8f7434ae-fdb8-32be-f781-a47f32ace949@toxicpanda.com>
In-Reply-To: <0786a9782ec6306cddb0a2808116c3f95a88849b.1610693037.git.naohiro.aota@wdc.com>

On 1/15/21 1:53 AM, Naohiro Aota wrote:
> From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
> 
> Since we have no write pointer in conventional zones, we cannot determine
> the allocation offset from it. Instead, we set the allocation offset after
> the highest addressed extent. This is done by reading the extent tree in
> btrfs_load_block_group_zone_info().
> 
> However, this function is called from btrfs_read_block_groups(), so the
> read lock for the tree node can be recursively taken.
> 
> To avoid this unsafe locking scenario, release the path before reading the
> extent tree to get the allocation offset.
> 
> Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
> ---
>   fs/btrfs/block-group.c | 39 ++++++++++++++++++---------------------
>   1 file changed, 18 insertions(+), 21 deletions(-)
> 
> diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c
> index b8bbdd95743e..ff13f7554ee5 100644
> --- a/fs/btrfs/block-group.c
> +++ b/fs/btrfs/block-group.c
> @@ -1806,24 +1806,8 @@ static int check_chunk_block_group_mappings(struct btrfs_fs_info *fs_info)
>   	return ret;
>   }
>   
> -static void read_block_group_item(struct btrfs_block_group *cache,
> -				 struct btrfs_path *path,
> -				 const struct btrfs_key *key)
> -{
> -	struct extent_buffer *leaf = path->nodes[0];
> -	struct btrfs_block_group_item bgi;
> -	int slot = path->slots[0];
> -
> -	cache->length = key->offset;
> -
> -	read_extent_buffer(leaf, &bgi, btrfs_item_ptr_offset(leaf, slot),
> -			   sizeof(bgi));
> -	cache->used = btrfs_stack_block_group_used(&bgi);
> -	cache->flags = btrfs_stack_block_group_flags(&bgi);
> -}
> -
>   static int read_one_block_group(struct btrfs_fs_info *info,
> -				struct btrfs_path *path,
> +				struct btrfs_block_group_item *bgi,
>   				const struct btrfs_key *key,
>   				int need_clear)
>   {
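
Review bot: the new `bgi` parameter of read_one_block_group() is only read, so it should be declared `const struct btrfs_block_group_item *bgi`, matching the `const struct btrfs_key *key` next to it. That also makes it visible in the prototype that the function works on a caller-owned copy and no longer touches the path or the leaf.
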
> @@ -1838,7 +1822,9 @@ static int read_one_block_group(struct btrfs_fs_info *info,
>   	if (!cache)
>   		return -ENOMEM;
>   
> -	read_block_group_item(cache, path, key);
> +	cache->length = key->offset;
> +	cache->used = btrfs_stack_block_group_used(bgi);
> +	cache->flags = btrfs_stack_block_group_flags(bgi);
>   
>   	set_free_space_tree_thresholds(cache);
>   
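
Review bot: with the helper open-coded here, `cache->used` and `cache->flags` rely on the caller having filled `*bgi` from the leaf while the path was still held, and neither this call site nor the commit message says so. A short comment above the three assignments, or a sentence in the changelog stating that `bgi` is a stack copy taken before the path is released, would make that contract explicit.
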
> @@ -1997,19 +1983,30 @@ int btrfs_read_block_groups(struct btrfs_fs_info *info)
>   		need_clear = 1;
>   
>   	while (1) {
> +		struct btrfs_block_group_item bgi;
> +		struct extent_buffer *leaf;
> +		int slot;
> +
>   		ret = find_first_block_group(info, path, &key);
>   		if (ret > 0)
>   			break;
>   		if (ret != 0)
>   			goto error;
>   
> -		btrfs_item_key_to_cpu(path->nodes[0], &key, path->slots[0]);
> -		ret = read_one_block_group(info, path, &key, need_clear);
> +		leaf = path->nodes[0];
> +		slot = path->slots[0];
> +		btrfs_release_path(path);
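
Review bot: `btrfs_release_path(path)` is called immediately after `leaf = path->nodes[0]` and `slot = path->slots[0]`, while the local `bgi` declared at the top of the loop has not been filled in the lines shown, and the removed `btrfs_item_key_to_cpu()` call has no replacement before the release. Copy the key and the item into `key` and `bgi` while the path is still held and release the path only after that, so nothing obtained from `path` is dereferenced once it has been dropped.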

You're releasing the path and then reading from it, a potential UAF.  Thanks,

Josef
