From: Anand Jain <anand.jain@oracle.com>
To: linux-btrfs@vger.kernel.org
Cc: Anand Jain <anand.jain@oracle.com>
Subject: [PATCH] btrfs: fix rw_devices count in __btrfs_free_extra_devids
Date: Tue, 22 Sep 2020 20:30:41 +0800
Message-ID: <b3a0a629df98bd044a1fd5c4964f381ff6e7aa05.1600777827.git.anand.jain@oracle.com>

syzbot reported a warning [1] in close_fs_devices() which it reproduces
using a crafted image.

  WARN_ON(fs_devices->rw_devices);

The crafted image successfully creates a replace-device with the devid 0,
but as there isn't any replace-item, we clean the extra devid 0 at
__btrfs_free_extra_devids().

rw_devices is incremented in btrfs_open_one_device() for all writeable
devices except for devid == BTRFS_DEV_REPLACE_DEVID. But while we clean up
the extra devices in __btrfs_free_extra_devids() we used the
BTRFS_DEV_STATE_REPLACE_TGT flag, which isn't set because there isn't the
replace-item. So rw_devices went below zero.

So let __btrfs_free_extra_devids() also depend on
devid != BTRFS_DEV_REPLACE_DEVID to manage the rw_devices.

[1]
WARNING: CPU: 1 PID: 3612 at fs/btrfs/volumes.c:1166 close_fs_devices.part.0+0x607/0x800 fs/btrfs/volumes.c:1166
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 3612 Comm: syz-executor.2 Not tainted 5.9.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x198/0x1fd lib/dump_stack.c:118 panic+0x347/0x7c0 kernel/panic.c:231 __warn.cold+0x20/0x46 kernel/panic.c:600 report_bug+0x1bd/0x210 lib/bug.c:198 handle_bug+0x38/0x90 arch/x86/kernel/traps.c:234 exc_invalid_op+0x14/0x40 arch/x86/kernel/traps.c:254 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536 RIP: 0010:close_fs_devices.part.0+0x607/0x800 fs/btrfs/volumes.c:1166 Code: 0f b6 04 02 84 c0 74 02 7e 33 48 8b 44 24 18 c6 80 30 01 00 00 00 48 83 c4 30 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 99 ce 6a fe <0f> 0b e9 71 ff ff ff e8 8d ce 6a fe 0f 0b e9 20 ff ff ff e8 d1 d5 RSP: 0018:ffffc900091777e0 EFLAGS: 00010246 RAX: 0000000000040000 RBX: ffffffffffffffff RCX: ffffc9000c8b7000 RDX: 0000000000040000 RSI: ffffffff83097f47 RDI: 0000000000000007 RBP: dffffc0000000000 R08: 0000000000000001 R09: ffff8880988a187f R10: 0000000000000000 R11: 0000000000000001 R12: ffff88809593a130 R13: ffff88809593a1ec R14: ffff8880988a1908 R15: ffff88809593a050 close_fs_devices fs/btrfs/volumes.c:1193 [inline] btrfs_close_devices+0x95/0x1f0 fs/btrfs/volumes.c:1179 open_ctree+0x4984/0x4a2d fs/btrfs/disk-io.c:3434 btrfs_fill_super fs/btrfs/super.c:1316 [inline] btrfs_mount_root.cold+0x14/0x165 fs/btrfs/super.c:1672 legacy_get_tree+0x105/0x220 fs/fs_context.c:592 vfs_get_tree+0x89/0x2f0 fs/super.c:1547 fc_mount fs/namespace.c:978 [inline] vfs_kern_mount.part.0+0xd3/0x170 fs/namespace.c:1008 vfs_kern_mount+0x3c/0x60 fs/namespace.c:995 btrfs_mount+0x234/0xaa0 fs/btrfs/super.c:1732 legacy_get_tree+0x105/0x220 fs/fs_context.c:592 vfs_get_tree+0x89/0x2f0 fs/super.c:1547 do_new_mount fs/namespace.c:2875 [inline] path_mount+0x1387/0x2070 fs/namespace.c:3192 do_mount fs/namespace.c:3205 [inline] __do_sys_mount fs/namespace.c:3413 [inline] __se_sys_mount 
fs/namespace.c:3390 [inline] __x64_sys_mount+0x27f/0x300 fs/namespace.c:3390 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x46004a Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd 89 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da 89 fb ff c3 66 0f 1f 84 00 00 00 00 00 RSP: 002b:00007f414d78da88 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f414d78db20 RCX: 000000000046004a RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f414d78dae0 RBP: 00007f414d78dae0 R08: 00007f414d78db20 R09: 0000000020000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000 R13: 0000000020000100 R14: 0000000020000200 R15: 000000002001a800 Signed-off-by: Anand Jain <anand.jain@oracle.com> --- fs/btrfs/volumes.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index ec9dac40b4f1..2fd73eab6219 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c @@ -1080,8 +1080,7 @@ static void __btrfs_free_extra_devids(struct btrfs_fs_devices *fs_devices, if (test_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state)) { list_del_init(&device->dev_alloc_list); clear_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state); - if (!test_bit(BTRFS_DEV_STATE_REPLACE_TGT, - &device->dev_state)) + if (device->devid != BTRFS_DEV_REPLACE_DEVID) fs_devices->rw_devices--; } list_del_init(&device->dev_list); -- 2.25.1
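Review bot: the new `if (device->devid != BTRFS_DEV_REPLACE_DEVID)` makes the decrement use the same predicate the commit message attributes to the increment in btrfs_open_one_device(), so a writeable devid-0 device that was never counted on open is no longer uncounted here; since that symmetry is the entire fix, a one-line comment above the condition saying it must stay in step with btrfs_open_one_device() would stop the two sides from drifting apart again. The question the hunk leaves open is whether __btrfs_free_extra_devids() should quietly discard a devid-0 device that has no replace item at all: that state only arises from a damaged or crafted image, and refusing the mount with an error would surface the inconsistency instead of just keeping the counter balanced. The commit message should at least state why cleanup rather than failing the mount is the intended behaviour.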
From: Anand Jain <anand.jain@oracle.com>
To: linux-btrfs@vger.kernel.org
Cc: Anand Jain <anand.jain@oracle.com>, syzbot+4cfe71a4da060be47502@syzkaller.appspotmail.com
Subject: [PATCH add reported by] btrfs: fix rw_devices count in __btrfs_free_extra_devids
Date: Tue, 22 Sep 2020 20:33:55 +0800
Message-ID: <b3a0a629df98bd044a1fd5c4964f381ff6e7aa05.1600777827.git.anand.jain@oracle.com>
Message-ID: <20200922123355.ylTJsThacZjBaG9vO1CVBztE6R5uFMoyrhD7aGkmcIU@z>

syzbot reported a warning [1] in close_fs_devices() which it reproduces
using a crafted image.

  WARN_ON(fs_devices->rw_devices);

The crafted image successfully creates a replace-device with the devid 0,
but as there isn't any replace-item, we clean the extra devid 0 at
__btrfs_free_extra_devids().

rw_devices is incremented in btrfs_open_one_device() for all writeable
devices except for devid == BTRFS_DEV_REPLACE_DEVID. But while we clean up
the extra devices in __btrfs_free_extra_devids() we used the
BTRFS_DEV_STATE_REPLACE_TGT flag, which isn't set because there isn't the
replace-item. So rw_devices went below zero.

So let __btrfs_free_extra_devids() also depend on
devid != BTRFS_DEV_REPLACE_DEVID to manage the rw_devices.

[1]
WARNING: CPU: 1 PID: 3612 at fs/btrfs/volumes.c:1166 close_fs_devices.part.0+0x607/0x800 fs/btrfs/volumes.c:1166
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 3612 Comm: syz-executor.2 Not tainted 5.9.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x198/0x1fd lib/dump_stack.c:118 panic+0x347/0x7c0 kernel/panic.c:231 __warn.cold+0x20/0x46 kernel/panic.c:600 report_bug+0x1bd/0x210 lib/bug.c:198 handle_bug+0x38/0x90 arch/x86/kernel/traps.c:234 exc_invalid_op+0x14/0x40 arch/x86/kernel/traps.c:254 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536 RIP: 0010:close_fs_devices.part.0+0x607/0x800 fs/btrfs/volumes.c:1166 Code: 0f b6 04 02 84 c0 74 02 7e 33 48 8b 44 24 18 c6 80 30 01 00 00 00 48 83 c4 30 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 99 ce 6a fe <0f> 0b e9 71 ff ff ff e8 8d ce 6a fe 0f 0b e9 20 ff ff ff e8 d1 d5 RSP: 0018:ffffc900091777e0 EFLAGS: 00010246 RAX: 0000000000040000 RBX: ffffffffffffffff RCX: ffffc9000c8b7000 RDX: 0000000000040000 RSI: ffffffff83097f47 RDI: 0000000000000007 RBP: dffffc0000000000 R08: 0000000000000001 R09: ffff8880988a187f R10: 0000000000000000 R11: 0000000000000001 R12: ffff88809593a130 R13: ffff88809593a1ec R14: ffff8880988a1908 R15: ffff88809593a050 close_fs_devices fs/btrfs/volumes.c:1193 [inline] btrfs_close_devices+0x95/0x1f0 fs/btrfs/volumes.c:1179 open_ctree+0x4984/0x4a2d fs/btrfs/disk-io.c:3434 btrfs_fill_super fs/btrfs/super.c:1316 [inline] btrfs_mount_root.cold+0x14/0x165 fs/btrfs/super.c:1672 legacy_get_tree+0x105/0x220 fs/fs_context.c:592 vfs_get_tree+0x89/0x2f0 fs/super.c:1547 fc_mount fs/namespace.c:978 [inline] vfs_kern_mount.part.0+0xd3/0x170 fs/namespace.c:1008 vfs_kern_mount+0x3c/0x60 fs/namespace.c:995 btrfs_mount+0x234/0xaa0 fs/btrfs/super.c:1732 legacy_get_tree+0x105/0x220 fs/fs_context.c:592 vfs_get_tree+0x89/0x2f0 fs/super.c:1547 do_new_mount fs/namespace.c:2875 [inline] path_mount+0x1387/0x2070 fs/namespace.c:3192 do_mount fs/namespace.c:3205 [inline] __do_sys_mount fs/namespace.c:3413 [inline] __se_sys_mount 
fs/namespace.c:3390 [inline] __x64_sys_mount+0x27f/0x300 fs/namespace.c:3390 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x46004a Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd 89 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da 89 fb ff c3 66 0f 1f 84 00 00 00 00 00 RSP: 002b:00007f414d78da88 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f414d78db20 RCX: 000000000046004a RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f414d78dae0 RBP: 00007f414d78dae0 R08: 00007f414d78db20 R09: 0000000020000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000 R13: 0000000020000100 R14: 0000000020000200 R15: 000000002001a800 Signed-off-by: Anand Jain <anand.jain@oracle.com> Reported-by: syzbot+4cfe71a4da060be47502@syzkaller.appspotmail.com --- fs/btrfs/volumes.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index ec9dac40b4f1..2fd73eab6219 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c @@ -1080,8 +1080,7 @@ static void __btrfs_free_extra_devids(struct btrfs_fs_devices *fs_devices, if (test_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state)) { list_del_init(&device->dev_alloc_list); clear_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state); - if (!test_bit(BTRFS_DEV_STATE_REPLACE_TGT, - &device->dev_state)) + if (device->devid != BTRFS_DEV_REPLACE_DEVID) fs_devices->rw_devices--; } list_del_init(&device->dev_list); -- 2.25.1
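Review bot: the hunk is identical to the first posting, so the same point stands: keep the devid check in step with the increment in btrfs_open_one_device() (a comment above the new `if` would help), and say in the commit message why a devid-0 device with no replace item is discarded rather than treated as a reason to fail the mount. On the trailers, the added `Reported-by: syzbot+4cfe71a4da060be47502@syzkaller.appspotmail.com` is placed after `Signed-off-by:`; the customary order is Reported-by first and the author's Signed-off-by last, and a repost that only adds a tag is clearer as a `[PATCH v2]` with a short changelog than under the free-form prefix `[PATCH add reported by]`.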
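As an added illustration for both postings above (this is not part of either message and not kernel code), the following simplified C model replays the bookkeeping the commit message describes: the open path counts every writeable device except the replace devid, the cleanup path for an "extra" device decrements under either the old flag-based guard or the patched devid-based guard, and the final counter is what close_fs_devices() would WARN on. All names (`model_*`, `MODEL_REPLACE_DEVID`, the two state bits) are invented stand-ins, the counter is modelled as a uint64_t so "below zero" appears as a wrap to UINT64_MAX, and the normal close path using the same predicate as the increment is a modelling assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model of the rw_devices bookkeeping described in
 * the commit message. Nothing here is kernel code: names are invented, only
 * the two state bits and the devid relevant to the bug are modelled, and the
 * counter is uint64_t so a decrement below zero wraps to UINT64_MAX, which is
 * what WARN_ON(fs_devices->rw_devices) would then catch. */

#define MODEL_REPLACE_DEVID 0ULL   /* stands in for BTRFS_DEV_REPLACE_DEVID */

enum {
	MODEL_DEV_WRITEABLE   = 1u << 0, /* stands in for BTRFS_DEV_STATE_WRITEABLE */
	MODEL_DEV_REPLACE_TGT = 1u << 1, /* stands in for BTRFS_DEV_STATE_REPLACE_TGT */
};

struct model_device {
	uint64_t devid;
	unsigned int state;
};

struct model_fs_devices {
	uint64_t rw_devices;
};

/* Increment side, as the commit message describes btrfs_open_one_device():
 * every writeable device is counted except the one with the replace devid. */
static void model_open_one_device(struct model_fs_devices *fs,
				  const struct model_device *d)
{
	if ((d->state & MODEL_DEV_WRITEABLE) && d->devid != MODEL_REPLACE_DEVID)
		fs->rw_devices++;
}

/* Decrement side for an "extra" device in __btrfs_free_extra_devids().
 * Unpatched: skip the decrement only if the REPLACE_TGT flag is set.
 * Patched:   skip it when the devid is the replace devid, matching the
 *            increment predicate above. */
static void model_free_extra_device(struct model_fs_devices *fs,
				    struct model_device *d, bool patched)
{
	if (!(d->state & MODEL_DEV_WRITEABLE))
		return;
	d->state &= ~MODEL_DEV_WRITEABLE;
	bool skip = patched ? (d->devid == MODEL_REPLACE_DEVID)
			    : (d->state & MODEL_DEV_REPLACE_TGT) != 0;
	if (!skip)
		fs->rw_devices--;
}

/* Normal close of a device that survived cleanup. Model assumption: uses the
 * same predicate as the increment, so a balanced counter ends at zero. */
static void model_close_one_device(struct model_fs_devices *fs,
				   struct model_device *d)
{
	if ((d->state & MODEL_DEV_WRITEABLE) && d->devid != MODEL_REPLACE_DEVID) {
		d->state &= ~MODEL_DEV_WRITEABLE;
		fs->rw_devices--;
	}
}

/* Replay the crafted-image scenario (constructed here): one ordinary writeable
 * device plus a writeable device carrying the replace devid but no replace
 * item, hence no REPLACE_TGT flag. Returns the counter close_fs_devices()
 * would check with WARN_ON(fs_devices->rw_devices). */
uint64_t model_mount_and_close(bool patched)
{
	struct model_fs_devices fs = { .rw_devices = 0 };
	struct model_device normal = { .devid = 1, .state = MODEL_DEV_WRITEABLE };
	struct model_device stray  = { .devid = MODEL_REPLACE_DEVID,
				       .state = MODEL_DEV_WRITEABLE };

	model_open_one_device(&fs, &normal);           /* counted: 1 */
	model_open_one_device(&fs, &stray);            /* not counted: still 1 */
	model_free_extra_device(&fs, &stray, patched); /* the step the patch fixes */
	model_close_one_device(&fs, &normal);
	return fs.rw_devices;
}

/* True when the model would trip the WARN_ON, i.e. the counter is not zero. */
bool model_would_warn(bool patched)
{
	return model_mount_and_close(patched) != 0;
}

int main(void)
{
	printf("unpatched: rw_devices=%llu warn=%d\n",
	       (unsigned long long)model_mount_and_close(false), model_would_warn(false));
	printf("patched:   rw_devices=%llu warn=%d\n",
	       (unsigned long long)model_mount_and_close(true), model_would_warn(true));
	return 0;
}
```

Unpatched, the stray devid-0 device is never counted on open but is decremented on cleanup, so the later close of the ordinary device takes the counter from 0 to UINT64_MAX and the warning fires; patched, cleanup and open agree on the predicate and the counter ends at 0.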
Thread overview (26+ messages):
2020-09-22 12:30 Anand Jain [this message]
2020-09-22 12:33 ` [PATCH add reported by] btrfs: fix rw_devices count in __btrfs_free_extra_devids  Anand Jain
2020-09-22 13:08 ` Josef Bacik
2020-09-23  4:42 ` Anand Jain
2020-09-23 13:42 ` Josef Bacik
2020-09-24  5:19 ` Anand Jain
2020-09-24 11:25 ` David Sterba
2020-09-24 14:02 ` Josef Bacik
2020-09-25 10:11 ` Anand Jain
2020-09-25 14:28 ` Josef Bacik
2020-10-06 13:12 ` Anand Jain
2020-09-22 12:33 Anand Jain
2020-10-06 13:08 ` [PATCH] btrfs: fix devid 0 without a replace item by failing the mount  Anand Jain
2020-10-06 13:12 ` [PATCH v2] "  Anand Jain
2020-10-06 14:54 ` [PATCH] "  kernel test robot
2020-10-06 14:54 ` kernel test robot
2020-10-07  2:07 ` Anand Jain
2020-10-07  2:07 ` Anand Jain
2020-10-12  2:51 ` [kbuild-all] "  Rong Chen
2020-10-12  2:51 ` Rong Chen
2020-10-06 16:44 ` kernel test robot
2020-10-06 16:44 ` kernel test robot
2020-10-06 13:12 [PATCH v2] "  Anand Jain
2020-10-12  5:26 ` [PATCH v2 add prerequisite-patch-id] "  Anand Jain
2020-10-21  4:02 ` [PATCH RESEND "  Anand Jain
2020-10-12  5:36 ` [PATCH "  Anand Jain
2020-10-21  5:49 ` [PATCH RESEND "  kernel test robot
2020-10-21  5:49 ` kernel test robot