From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Filipe Manana <fdmanana@suse.com>,
	Omar Sandoval <osandov@osandov.com>, Chris Mason <clm@fb.com>
Subject: [PATCH 3.10 05/65] Btrfs: fix inode eviction infinite loop after cloning into it
Date: Sat,  2 May 2015 21:03:35 +0200
Message-ID: <20150502190114.949123256@linuxfoundation.org>
In-Reply-To: <20150502190114.555225285@linuxfoundation.org>

3.10-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit ccccf3d67294714af2d72a6fd6fd7d73b01c9329 upstream.

If we attempt to clone a 0 length region into a file we can end up
inserting a range in the inode's extent_io tree with a start offset
that is greater than the end offset, which triggers immediately the
following warning:

[ 3914.619057] WARNING: CPU: 17 PID: 4199 at fs/btrfs/extent_io.c:435 insert_state+0x4b/0x10b [btrfs]()
[ 3914.620886] BTRFS: end < start 4095 4096
(...)
[ 3914.638093] Call Trace:
[ 3914.638636]  [<ffffffff81425fd9>] dump_stack+0x4c/0x65
[ 3914.639620]  [<ffffffff81045390>] warn_slowpath_common+0xa1/0xbb
[ 3914.640789]  [<ffffffffa03ca44f>] ? insert_state+0x4b/0x10b [btrfs]
[ 3914.642041]  [<ffffffff810453f0>] warn_slowpath_fmt+0x46/0x48
[ 3914.643236]  [<ffffffffa03ca44f>] insert_state+0x4b/0x10b [btrfs]
[ 3914.644441]  [<ffffffffa03ca729>] __set_extent_bit+0x107/0x3f4 [btrfs]
[ 3914.645711]  [<ffffffffa03cb256>] lock_extent_bits+0x65/0x1bf [btrfs]
[ 3914.646914]  [<ffffffff8142b2fb>] ? _raw_spin_unlock+0x28/0x33
[ 3914.648058]  [<ffffffffa03cbac4>] ? test_range_bit+0xcc/0xde [btrfs]
[ 3914.650105]  [<ffffffffa03cb3c3>] lock_extent+0x13/0x15 [btrfs]
[ 3914.651361]  [<ffffffffa03db39e>] lock_extent_range+0x3d/0xcd [btrfs]
[ 3914.652761]  [<ffffffffa03de1fe>] btrfs_ioctl_clone+0x278/0x388 [btrfs]
[ 3914.654128]  [<ffffffff811226dd>] ? might_fault+0x58/0xb5
[ 3914.655320]  [<ffffffffa03e0909>] btrfs_ioctl+0xb51/0x2195 [btrfs]
(...)
[ 3914.669271] ---[ end trace 14843d3e2e622fc1 ]---

This later makes the inode eviction handler enter an infinite loop that
keeps dumping the following warning over and over:

[ 3915.117629] WARNING: CPU: 22 PID: 4228 at fs/btrfs/extent_io.c:435 insert_state+0x4b/0x10b [btrfs]()
[ 3915.119913] BTRFS: end < start 4095 4096
(...)
[ 3915.137394] Call Trace:
[ 3915.137913]  [<ffffffff81425fd9>] dump_stack+0x4c/0x65
[ 3915.139154]  [<ffffffff81045390>] warn_slowpath_common+0xa1/0xbb
[ 3915.140316]  [<ffffffffa03ca44f>] ? insert_state+0x4b/0x10b [btrfs]
[ 3915.141505]  [<ffffffff810453f0>] warn_slowpath_fmt+0x46/0x48
[ 3915.142709]  [<ffffffffa03ca44f>] insert_state+0x4b/0x10b [btrfs]
[ 3915.143849]  [<ffffffffa03ca729>] __set_extent_bit+0x107/0x3f4 [btrfs]
[ 3915.145120]  [<ffffffffa038c1e3>] ? btrfs_kill_super+0x17/0x23 [btrfs]
[ 3915.146352]  [<ffffffff811548f6>] ? deactivate_locked_super+0x3b/0x50
[ 3915.147565]  [<ffffffffa03cb256>] lock_extent_bits+0x65/0x1bf [btrfs]
[ 3915.148785]  [<ffffffff8142b7e2>] ? _raw_write_unlock+0x28/0x33
[ 3915.149931]  [<ffffffffa03bc325>] btrfs_evict_inode+0x196/0x482 [btrfs]
[ 3915.151154]  [<ffffffff81168904>] evict+0xa0/0x148
[ 3915.152094]  [<ffffffff811689e5>] dispose_list+0x39/0x43
[ 3915.153081]  [<ffffffff81169564>] evict_inodes+0xdc/0xeb
[ 3915.154062]  [<ffffffff81154418>] generic_shutdown_super+0x49/0xef
[ 3915.155193]  [<ffffffff811546d1>] kill_anon_super+0x13/0x1e
[ 3915.156274]  [<ffffffffa038c1e3>] btrfs_kill_super+0x17/0x23 [btrfs]
(...)
[ 3915.167404] ---[ end trace 14843d3e2e622fc2 ]---

So just bail out of the clone ioctl if the length of the region to clone
is zero, without locking any extent range, in order to prevent this issue
(same behaviour as a pwrite with a 0 length for example).

This is trivial to reproduce. For example, the steps for the test I just
made for fstests:

  mkfs.btrfs -f SCRATCH_DEV
  mount SCRATCH_DEV $SCRATCH_MNT

  touch $SCRATCH_MNT/foo
  touch $SCRATCH_MNT/bar

  $CLONER_PROG -s 0 -d 4096 -l 0 $SCRATCH_MNT/foo $SCRATCH_MNT/bar
  umount $SCRATCH_MNT

A test case for fstests follows soon.

Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: Omar Sandoval <osandov@osandov.com>
Signed-off-by: Chris Mason <clm@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/ioctl.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -2572,6 +2572,11 @@ static noinline long btrfs_ioctl_clone(s
 	if (off + len == src->i_size)
 		len = ALIGN(src->i_size, bs) - off;
 
+	if (len == 0) {
+		ret = 0;
+		goto out_unlock;
+	}
+
 	/* verify the end result is block aligned */
 	if (!IS_ALIGNED(off, bs) || !IS_ALIGNED(off + len, bs) ||
 	    !IS_ALIGNED(destoff, bs))
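Review bot: the `if (len == 0)` bail-out is placed after the `off + len == src->i_size` re-alignment of `len`, so it also covers a length that only becomes zero through that `ALIGN(src->i_size, bs) - off` adjustment, not just a caller-supplied `-l 0`; that ordering is correct, but a one-line comment saying why a zero-length range must not reach `lock_extent_range()` (it would insert an extent_io state with end < start, per the `BTRFS: end < start 4095 4096` warning in the log) would spare the next reader a trip to the commit message. The hunk does not show the `out_unlock` label, so please confirm it only undoes what has been taken before this point (the message says no extent range is locked yet) and does not release state this path never acquired. The fstests case promised in the message should land together with this fix so the `-l 0` regression stays covered.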


