* [PATCH v2 0/2] btrfs: fix issues when mouting the poc image
@ 2021-01-03 9:28 Su Yue
2021-01-03 9:28 ` [PATCH v2 1/2] btrfs: prevent NULL pointer dereference in extent_io_tree_panic() Su Yue
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: Su Yue @ 2021-01-03 9:28 UTC (permalink / raw)
To: linux-btrfs; +Cc: l
The two patches fix issues found by the image which is provided by
Insu Yun at SSLab@Gatech.
patch 1 fixes a NULL pointer dereference in error handling path.
patch 2 enhances tree checker to detect chunk item end overflow.
Su Yue (2):
btrfs: prevent NULL pointer dereference in extent_io_tree_panic()
btrfs: tree-checker: check if chunk item end oveflows
fs/btrfs/extent_io.c | 4 +---
fs/btrfs/tree-checker.c | 7 +++++++
2 files changed, 8 insertions(+), 3 deletions(-)
--
2.29.2
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH v2 1/2] btrfs: prevent NULL pointer dereference in extent_io_tree_panic()
2021-01-03 9:28 [PATCH v2 0/2] btrfs: fix issues when mouting the poc image Su Yue
@ 2021-01-03 9:28 ` Su Yue
2021-01-04 7:33 ` Anand Jain
2021-01-03 9:28 ` [PATCH v2 2/2] btrfs: tree-checker: check if chunk item end oveflows Su Yue
2021-01-04 15:58 ` [PATCH v2 0/2] btrfs: fix issues when mouting the poc image David Sterba
2 siblings, 1 reply; 9+ messages in thread
From: Su Yue @ 2021-01-03 9:28 UTC (permalink / raw)
To: linux-btrfs; +Cc: l
Some extent io trees are initialized with NULL private member(e.g., btrfs_devi
ce::alloc_state and btrfs_fs_info::excluded_extents). Dereference of a NULL
@tree->private as struct inode * will cause kernel panic.
Just pass @tree->fs_info as parameter to extent_io_tree_panic() directly.
Let it panic as expected at least.
Fixes: 05912a3c04eb ("btrfs: drop extent_io_ops::tree_fs_info callback")
Signed-off-by: Su Yue <l@damenly.su>
---
fs/btrfs/extent_io.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index 6e3b72e63e42..c9cee458e001 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -676,9 +676,7 @@ alloc_extent_state_atomic(struct extent_state *prealloc)
static void extent_io_tree_panic(struct extent_io_tree *tree, int err)
{
- struct inode *inode = tree->private_data;
-
- btrfs_panic(btrfs_sb(inode->i_sb), err,
+ btrfs_panic(tree->fs_info, err,
"locking error: extent tree was modified by another thread while locked");
}
--
2.29.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v2 2/2] btrfs: tree-checker: check if chunk item end oveflows
2021-01-03 9:28 [PATCH v2 0/2] btrfs: fix issues when mouting the poc image Su Yue
2021-01-03 9:28 ` [PATCH v2 1/2] btrfs: prevent NULL pointer dereference in extent_io_tree_panic() Su Yue
@ 2021-01-03 9:28 ` Su Yue
2021-01-04 8:31 ` Anand Jain
2021-01-04 15:59 ` David Sterba
2021-01-04 15:58 ` [PATCH v2 0/2] btrfs: fix issues when mouting the poc image David Sterba
2 siblings, 2 replies; 9+ messages in thread
From: Su Yue @ 2021-01-03 9:28 UTC (permalink / raw)
To: linux-btrfs; +Cc: l
while mounting the poc image user-provided, kernel panics due to the
invalid chunk item whose end is less than start.
========================================================================
[ 66.387422] loop: module loaded
[ 66.389773] loop0: detected capacity change from 262144 to 0
[ 66.427708] BTRFS: device fsid a62e00e8-e94e-4200-8217-12444de93c2e devid 1 transid 12 /dev/loop0 scanned by mount (613)
[ 66.431061] BTRFS info (device loop0): disk space caching is enabled
[ 66.431078] BTRFS info (device loop0): has skinny extents
[ 66.437101] BTRFS error: insert state: end < start 29360127 37748736
[ 66.437136] ------------[ cut here ]------------
[ 66.437140] WARNING: CPU: 16 PID: 613 at fs/btrfs/extent_io.c:557 insert_state.cold+0x1a/0x46 [btrfs]
[ 66.437193] Modules linked in: loop btrfs(O) blake2b_generic xor zstd_compress nls_iso8859_1 nls_cp437 vfat fat raid6_pq joydev mousedev crct10dif_pclmul psmouse crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel glue_helper crypto_simd cryptd pcspkr rtc_cmos evdev intel_agp intel_gtt qemu_fw_cfg drm agpgart ip_tables x_tables xfs virtio_balloon virtio_console virtio_net net_failover failover dm_mod sd_mod hid_generic usbhid hid uhci_hcd serio_raw atkbd libps2 ahci libahci ehci_pci ehci_hcd libata usbcore scsi_mod virtio_pci virtio_ring usb_common virtio i8042 serio
[ 66.437369] CPU: 16 PID: 613 Comm: mount Tainted: G O 5.11.0-rc1-custom #45
[ 66.437374] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.14.0-1 04/01/2014
[ 66.437378] RIP: 0010:insert_state.cold+0x1a/0x46 [btrfs]
[ 66.437416] Code: 39 01 00 00 48 c7 c7 85 38 9e c0 e8 3c fd ff ff 48 8b 7f 08 48 89 d1 48 89 da 4c 89 45 d0 48 c7 c6 20 b0 9e c0 e8 49 97 ff ff <0f> 0b 4c 8b 45 d0 e9 ff 28 f7 ff 49 8b 7d 08 49 89 d9 4d 89 f8 41
[ 66.437420] RSP: 0018:ffff93e5414c3908 EFLAGS: 00010286
[ 66.437427] RAX: 0000000000000000 RBX: 0000000001bfffff RCX: 0000000000000000
[ 66.437431] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI: 00000000ffffffff
[ 66.437434] RBP: ffff93e5414c3938 R08: 0000000000000001 R09: 0000000000000001
[ 66.437438] R10: ffff93e5414c3658 R11: 0000000000000000 R12: ffff8ec782d72aa0
[ 66.437441] R13: ffff8ec78bc71628 R14: 0000000000000000 R15: 0000000002400000
[ 66.437447] FS: 00007f01386a8580(0000) GS:ffff8ec809000000(0000) knlGS:0000000000000000
[ 66.437451] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 66.437455] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4: 0000000000750ee0
[ 66.437460] PKRU: 55555554
[ 66.437464] Call Trace:
[ 66.437475] set_extent_bit+0x652/0x740 [btrfs]
[ 66.437539] set_extent_bits_nowait+0x1d/0x20 [btrfs]
[ 66.437576] add_extent_mapping+0x1e0/0x2f0 [btrfs]
[ 66.437621] read_one_chunk+0x33c/0x420 [btrfs]
[ 66.437674] btrfs_read_chunk_tree+0x6a4/0x870 [btrfs]
[ 66.437708] ? kvm_sched_clock_read+0x18/0x40
[ 66.437739] open_ctree+0xb32/0x1734 [btrfs]
[ 66.437781] ? bdi_register_va+0x1b/0x20
[ 66.437788] ? super_setup_bdi_name+0x79/0xd0
[ 66.437810] btrfs_mount_root.cold+0x12/0xeb [btrfs]
[ 66.437854] ? __kmalloc_track_caller+0x217/0x3b0
[ 66.437873] legacy_get_tree+0x34/0x60
[ 66.437880] vfs_get_tree+0x2d/0xc0
[ 66.437888] vfs_kern_mount.part.0+0x78/0xc0
[ 66.437897] vfs_kern_mount+0x13/0x20
[ 66.437902] btrfs_mount+0x11f/0x3c0 [btrfs]
[ 66.437940] ? kfree+0x5ff/0x670
[ 66.437944] ? __kmalloc_track_caller+0x217/0x3b0
[ 66.437962] legacy_get_tree+0x34/0x60
[ 66.437974] vfs_get_tree+0x2d/0xc0
[ 66.437983] path_mount+0x48c/0xd30
[ 66.437998] __x64_sys_mount+0x108/0x140
[ 66.438011] do_syscall_64+0x38/0x50
[ 66.438018] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 66.438023] RIP: 0033:0x7f0138827f6e
[ 66.438029] Code: 48 8b 0d 05 0f 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d d2 0e 0c 00 f7 d8 64 89 01 48
[ 66.438033] RSP: 002b:00007ffecd79edf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 66.438040] RAX: ffffffffffffffda RBX: 00007f013894c264 RCX: 00007f0138827f6e
[ 66.438044] RDX: 00005593a4a41360 RSI: 00005593a4a33690 RDI: 00005593a4a3a6c0
[ 66.438047] RBP: 00005593a4a33440 R08: 0000000000000000 R09: 0000000000000001
[ 66.438050] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 66.438054] R13: 00005593a4a3a6c0 R14: 00005593a4a41360 R15: 00005593a4a33440
[ 66.438078] irq event stamp: 18169
[ 66.438082] hardirqs last enabled at (18175): [<ffffffffb81154bf>] console_unlock+0x4ff/0x5f0
[ 66.438088] hardirqs last disabled at (18180): [<ffffffffb8115427>] console_unlock+0x467/0x5f0
[ 66.438092] softirqs last enabled at (16910): [<ffffffffb8a00fe2>] asm_call_irq_on_stack+0x12/0x20
[ 66.438097] softirqs last disabled at (16905): [<ffffffffb8a00fe2>] asm_call_irq_on_stack+0x12/0x20
[ 66.438103] ---[ end trace e114b111db64298b ]---
[ 66.438107] BTRFS error: found node 12582912 29360127 on insert of 37748736 29360127
[ 66.438127] BTRFS critical: panic in extent_io_tree_panic:679: locking error: extent tree was modified by another thread while locked (errno=-17 Object already exists)
[ 66.441069] ------------[ cut here ]------------
[ 66.441072] kernel BUG at fs/btrfs/extent_io.c:679!
[ 66.442064] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 66.443018] CPU: 16 PID: 613 Comm: mount Tainted: G W O 5.11.0-rc1-custom #45
[ 66.444538] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.14.0-1 04/01/2014
[ 66.446223] RIP: 0010:extent_io_tree_panic.isra.0+0x23/0x25 [btrfs]
[ 66.447419] Code: 9e c0 e8 d1 ff ff ff 0f 1f 44 00 00 55 89 f1 49 c7 c0 70 ae 9e c0 ba a7 02 00 00 48 c7 c6 00 b5 9d c0 48 89 e5 e8 15 a0 ff ff <0f> 0b 42 8d 14 10 4c 89 4d a8 89 c1 81 fa 00 10 00 00 89 45 b0 44
[ 66.450878] RSP: 0018:ffff93e5414c3948 EFLAGS: 00010246
[ 66.451840] RAX: 0000000000000000 RBX: 0000000001bfffff RCX: 0000000000000000
[ 66.453141] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI: 00000000ffffffff
[ 66.454445] RBP: ffff93e5414c3948 R08: 0000000000000001 R09: 0000000000000001
[ 66.455743] R10: ffff93e5414c3658 R11: 0000000000000000 R12: ffff8ec782d728c0
[ 66.457055] R13: ffff8ec78bc71628 R14: ffff8ec782d72aa0 R15: 0000000002400000
[ 66.458356] FS: 00007f01386a8580(0000) GS:ffff8ec809000000(0000) knlGS:0000000000000000
[ 66.459841] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 66.460895] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4: 0000000000750ee0
[ 66.462196] PKRU: 55555554
[ 66.462692] Call Trace:
[ 66.463139] set_extent_bit.cold+0x30/0x98 [btrfs]
[ 66.464049] set_extent_bits_nowait+0x1d/0x20 [btrfs]
[ 66.490466] add_extent_mapping+0x1e0/0x2f0 [btrfs]
[ 66.514097] read_one_chunk+0x33c/0x420 [btrfs]
[ 66.534976] btrfs_read_chunk_tree+0x6a4/0x870 [btrfs]
[ 66.555718] ? kvm_sched_clock_read+0x18/0x40
[ 66.575758] open_ctree+0xb32/0x1734 [btrfs]
[ 66.595272] ? bdi_register_va+0x1b/0x20
[ 66.614638] ? super_setup_bdi_name+0x79/0xd0
[ 66.633809] btrfs_mount_root.cold+0x12/0xeb [btrfs]
[ 66.652938] ? __kmalloc_track_caller+0x217/0x3b0
[ 66.671925] legacy_get_tree+0x34/0x60
[ 66.690300] vfs_get_tree+0x2d/0xc0
[ 66.708221] vfs_kern_mount.part.0+0x78/0xc0
[ 66.725808] vfs_kern_mount+0x13/0x20
[ 66.742730] btrfs_mount+0x11f/0x3c0 [btrfs]
[ 66.759350] ? kfree+0x5ff/0x670
[ 66.775441] ? __kmalloc_track_caller+0x217/0x3b0
[ 66.791750] legacy_get_tree+0x34/0x60
[ 66.807494] vfs_get_tree+0x2d/0xc0
[ 66.823349] path_mount+0x48c/0xd30
[ 66.838753] __x64_sys_mount+0x108/0x140
[ 66.854412] do_syscall_64+0x38/0x50
[ 66.869673] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 66.885093] RIP: 0033:0x7f0138827f6e
[ 66.899790] Code: 48 8b 0d 05 0f 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d d2 0e 0c 00 f7 d8 64 89 01 48
[ 66.945613] RSP: 002b:00007ffecd79edf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 66.977214] RAX: ffffffffffffffda RBX: 00007f013894c264 RCX: 00007f0138827f6e
[ 66.994266] RDX: 00005593a4a41360 RSI: 00005593a4a33690 RDI: 00005593a4a3a6c0
[ 67.011544] RBP: 00005593a4a33440 R08: 0000000000000000 R09: 0000000000000001
[ 67.028836] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 67.045812] R13: 00005593a4a3a6c0 R14: 00005593a4a41360 R15: 00005593a4a33440
[ 67.062965] Modules linked in: loop btrfs(O) blake2b_generic xor zstd_compress nls_iso8859_1 nls_cp437 vfat fat raid6_pq joydev mousedev crct10dif_pclmul psmouse crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel glue_helper crypto_simd cryptd pcspkr rtc_cmos evdev intel_agp intel_gtt qemu_fw_cfg drm agpgart ip_tables x_tables xfs virtio_balloon virtio_console virtio_net net_failover failover dm_mod sd_mod hid_generic usbhid hid uhci_hcd serio_raw atkbd libps2 ahci libahci ehci_pci ehci_hcd libata usbcore scsi_mod virtio_pci virtio_ring usb_common virtio i8042 serio
[ 67.216138] ---[ end trace e114b111db64298c ]---
[ 67.237089] RIP: 0010:extent_io_tree_panic.isra.0+0x23/0x25 [btrfs]
[ 67.258567] Code: 9e c0 e8 d1 ff ff ff 0f 1f 44 00 00 55 89 f1 49 c7 c0 70 ae 9e c0 ba a7 02 00 00 48 c7 c6 00 b5 9d c0 48 89 e5 e8 15 a0 ff ff <0f> 0b 42 8d 14 10 4c 89 4d a8 89 c1 81 fa 00 10 00 00 89 45 b0 44
[ 67.325317] RSP: 0018:ffff93e5414c3948 EFLAGS: 00010246
[ 67.347946] RAX: 0000000000000000 RBX: 0000000001bfffff RCX: 0000000000000000
[ 67.371343] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI: 00000000ffffffff
[ 67.394757] RBP: ffff93e5414c3948 R08: 0000000000000001 R09: 0000000000000001
[ 67.418409] R10: ffff93e5414c3658 R11: 0000000000000000 R12: ffff8ec782d728c0
[ 67.441906] R13: ffff8ec78bc71628 R14: ffff8ec782d72aa0 R15: 0000000002400000
[ 67.465436] FS: 00007f01386a8580(0000) GS:ffff8ec809000000(0000) knlGS:0000000000000000
[ 67.511660] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 67.535047] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4: 0000000000750ee0
[ 67.558449] PKRU: 55555554
[ 67.581146] note: mount[613] exited with preempt_count 2
========================================================================
The image has a chunk item which has a logical start 37748736 and length
18446744073701163008. The calculated end 29360127 is overflowed obviously.
-EEXIST was caught by insert_state() because of the duplicate end and
extent_io_tree_panic() was called.
Add overflow check of chunk item end in tree checker then the image will
be rejected to be mounted.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=208929
Signed-off-by: Su Yue <l@damenly.su>
---
fs/btrfs/tree-checker.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
index 028e733e42f3..39c65c1cbe96 100644
--- a/fs/btrfs/tree-checker.c
+++ b/fs/btrfs/tree-checker.c
@@ -760,6 +760,7 @@ int btrfs_check_chunk_valid(struct extent_buffer *leaf,
{
struct btrfs_fs_info *fs_info = leaf->fs_info;
u64 length;
+ u64 chunk_end;
u64 stripe_len;
u16 num_stripes;
u16 sub_stripes;
@@ -814,6 +815,12 @@ int btrfs_check_chunk_valid(struct extent_buffer *leaf,
"invalid chunk length, have %llu", length);
return -EUCLEAN;
}
+ if (unlikely(check_add_overflow(logical, length, &chunk_end))) {
+ chunk_err(leaf, chunk, logical,
+ "invalid chunk logical/length, have logical %llu length %llu",
+ logical, length);
+ return -EUCLEAN;
+ }
if (unlikely(!is_power_of_2(stripe_len) || stripe_len != BTRFS_STRIPE_LEN)) {
chunk_err(leaf, chunk, logical,
"invalid chunk stripe length: %llu",
--
2.29.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH v2 1/2] btrfs: prevent NULL pointer dereference in extent_io_tree_panic()
2021-01-03 9:28 ` [PATCH v2 1/2] btrfs: prevent NULL pointer dereference in extent_io_tree_panic() Su Yue
@ 2021-01-04 7:33 ` Anand Jain
0 siblings, 0 replies; 9+ messages in thread
From: Anand Jain @ 2021-01-04 7:33 UTC (permalink / raw)
To: Su Yue, linux-btrfs
On 3/1/21 5:28 pm, Su Yue wrote:
> Some extent io trees are initialized with NULL private member(e.g., btrfs_devi
> ce::alloc_state and btrfs_fs_info::excluded_extents). Dereference of a NULL
> @tree->private as struct inode * will cause kernel panic.
>
> Just pass @tree->fs_info as parameter to extent_io_tree_panic() directly.
> Let it panic as expected at least.
>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Thanks.
> Fixes: 05912a3c04eb ("btrfs: drop extent_io_ops::tree_fs_info callback")
> Signed-off-by: Su Yue <l@damenly.su>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 2/2] btrfs: tree-checker: check if chunk item end oveflows
2021-01-03 9:28 ` [PATCH v2 2/2] btrfs: tree-checker: check if chunk item end oveflows Su Yue
@ 2021-01-04 8:31 ` Anand Jain
2021-01-04 9:15 ` Su Yue
2021-01-04 15:59 ` David Sterba
1 sibling, 1 reply; 9+ messages in thread
From: Anand Jain @ 2021-01-04 8:31 UTC (permalink / raw)
To: Su Yue, linux-btrfs
On 3/1/21 5:28 pm, Su Yue wrote:
> while mounting the poc image user-provided, kernel panics due to the
> invalid chunk item whose end is less than start.
> ========================================================================
> [ 66.387422] loop: module loaded
> [ 66.389773] loop0: detected capacity change from 262144 to 0
> [ 66.427708] BTRFS: device fsid a62e00e8-e94e-4200-8217-12444de93c2e devid 1 transid 12 /dev/loop0 scanned by mount (613)
> [ 66.431061] BTRFS info (device loop0): disk space caching is enabled
> [ 66.431078] BTRFS info (device loop0): has skinny extents
> [ 66.437101] BTRFS error: insert state: end < start 29360127 37748736
> [ 66.437136] ------------[ cut here ]------------
> [ 66.437140] WARNING: CPU: 16 PID: 613 at fs/btrfs/extent_io.c:557 insert_state.cold+0x1a/0x46 [btrfs]
> [ 66.437193] Modules linked in: loop btrfs(O) blake2b_generic xor zstd_compress nls_iso8859_1 nls_cp437 vfat fat raid6_pq joydev mousedev crct10dif_pclmul psmouse crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel glue_helper crypto_simd cryptd pcspkr rtc_cmos evdev intel_agp intel_gtt qemu_fw_cfg drm agpgart ip_tables x_tables xfs virtio_balloon virtio_console virtio_net net_failover failover dm_mod sd_mod hid_generic usbhid hid uhci_hcd serio_raw atkbd libps2 ahci libahci ehci_pci ehci_hcd libata usbcore scsi_mod virtio_pci virtio_ring usb_common virtio i8042 serio
> [ 66.437369] CPU: 16 PID: 613 Comm: mount Tainted: G O 5.11.0-rc1-custom #45
> [ 66.437374] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.14.0-1 04/01/2014
> [ 66.437378] RIP: 0010:insert_state.cold+0x1a/0x46 [btrfs]
> [ 66.437416] Code: 39 01 00 00 48 c7 c7 85 38 9e c0 e8 3c fd ff ff 48 8b 7f 08 48 89 d1 48 89 da 4c 89 45 d0 48 c7 c6 20 b0 9e c0 e8 49 97 ff ff <0f> 0b 4c 8b 45 d0 e9 ff 28 f7 ff 49 8b 7d 08 49 89 d9 4d 89 f8 41
> [ 66.437420] RSP: 0018:ffff93e5414c3908 EFLAGS: 00010286
> [ 66.437427] RAX: 0000000000000000 RBX: 0000000001bfffff RCX: 0000000000000000
> [ 66.437431] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI: 00000000ffffffff
> [ 66.437434] RBP: ffff93e5414c3938 R08: 0000000000000001 R09: 0000000000000001
> [ 66.437438] R10: ffff93e5414c3658 R11: 0000000000000000 R12: ffff8ec782d72aa0
> [ 66.437441] R13: ffff8ec78bc71628 R14: 0000000000000000 R15: 0000000002400000
> [ 66.437447] FS: 00007f01386a8580(0000) GS:ffff8ec809000000(0000) knlGS:0000000000000000
> [ 66.437451] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 66.437455] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4: 0000000000750ee0
> [ 66.437460] PKRU: 55555554
> [ 66.437464] Call Trace:
> [ 66.437475] set_extent_bit+0x652/0x740 [btrfs]
> [ 66.437539] set_extent_bits_nowait+0x1d/0x20 [btrfs]
> [ 66.437576] add_extent_mapping+0x1e0/0x2f0 [btrfs]
> [ 66.437621] read_one_chunk+0x33c/0x420 [btrfs]
> [ 66.437674] btrfs_read_chunk_tree+0x6a4/0x870 [btrfs]
> [ 66.437708] ? kvm_sched_clock_read+0x18/0x40
> [ 66.437739] open_ctree+0xb32/0x1734 [btrfs]
> [ 66.437781] ? bdi_register_va+0x1b/0x20
> [ 66.437788] ? super_setup_bdi_name+0x79/0xd0
> [ 66.437810] btrfs_mount_root.cold+0x12/0xeb [btrfs]
> [ 66.437854] ? __kmalloc_track_caller+0x217/0x3b0
> [ 66.437873] legacy_get_tree+0x34/0x60
> [ 66.437880] vfs_get_tree+0x2d/0xc0
> [ 66.437888] vfs_kern_mount.part.0+0x78/0xc0
> [ 66.437897] vfs_kern_mount+0x13/0x20
> [ 66.437902] btrfs_mount+0x11f/0x3c0 [btrfs]
> [ 66.437940] ? kfree+0x5ff/0x670
> [ 66.437944] ? __kmalloc_track_caller+0x217/0x3b0
> [ 66.437962] legacy_get_tree+0x34/0x60
> [ 66.437974] vfs_get_tree+0x2d/0xc0
> [ 66.437983] path_mount+0x48c/0xd30
> [ 66.437998] __x64_sys_mount+0x108/0x140
> [ 66.438011] do_syscall_64+0x38/0x50
> [ 66.438018] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [ 66.438023] RIP: 0033:0x7f0138827f6e
> [ 66.438029] Code: 48 8b 0d 05 0f 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d d2 0e 0c 00 f7 d8 64 89 01 48
> [ 66.438033] RSP: 002b:00007ffecd79edf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> [ 66.438040] RAX: ffffffffffffffda RBX: 00007f013894c264 RCX: 00007f0138827f6e
> [ 66.438044] RDX: 00005593a4a41360 RSI: 00005593a4a33690 RDI: 00005593a4a3a6c0
> [ 66.438047] RBP: 00005593a4a33440 R08: 0000000000000000 R09: 0000000000000001
> [ 66.438050] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> [ 66.438054] R13: 00005593a4a3a6c0 R14: 00005593a4a41360 R15: 00005593a4a33440
> [ 66.438078] irq event stamp: 18169
> [ 66.438082] hardirqs last enabled at (18175): [<ffffffffb81154bf>] console_unlock+0x4ff/0x5f0
> [ 66.438088] hardirqs last disabled at (18180): [<ffffffffb8115427>] console_unlock+0x467/0x5f0
> [ 66.438092] softirqs last enabled at (16910): [<ffffffffb8a00fe2>] asm_call_irq_on_stack+0x12/0x20
> [ 66.438097] softirqs last disabled at (16905): [<ffffffffb8a00fe2>] asm_call_irq_on_stack+0x12/0x20
> [ 66.438103] ---[ end trace e114b111db64298b ]---
> [ 66.438107] BTRFS error: found node 12582912 29360127 on insert of 37748736 29360127
> [ 66.438127] BTRFS critical: panic in extent_io_tree_panic:679: locking error: extent tree was modified by another thread while locked (errno=-17 Object already exists)
> [ 66.441069] ------------[ cut here ]------------
> [ 66.441072] kernel BUG at fs/btrfs/extent_io.c:679!
> [ 66.442064] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
> [ 66.443018] CPU: 16 PID: 613 Comm: mount Tainted: G W O 5.11.0-rc1-custom #45
> [ 66.444538] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.14.0-1 04/01/2014
> [ 66.446223] RIP: 0010:extent_io_tree_panic.isra.0+0x23/0x25 [btrfs]
> [ 66.447419] Code: 9e c0 e8 d1 ff ff ff 0f 1f 44 00 00 55 89 f1 49 c7 c0 70 ae 9e c0 ba a7 02 00 00 48 c7 c6 00 b5 9d c0 48 89 e5 e8 15 a0 ff ff <0f> 0b 42 8d 14 10 4c 89 4d a8 89 c1 81 fa 00 10 00 00 89 45 b0 44
> [ 66.450878] RSP: 0018:ffff93e5414c3948 EFLAGS: 00010246
> [ 66.451840] RAX: 0000000000000000 RBX: 0000000001bfffff RCX: 0000000000000000
> [ 66.453141] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI: 00000000ffffffff
> [ 66.454445] RBP: ffff93e5414c3948 R08: 0000000000000001 R09: 0000000000000001
> [ 66.455743] R10: ffff93e5414c3658 R11: 0000000000000000 R12: ffff8ec782d728c0
> [ 66.457055] R13: ffff8ec78bc71628 R14: ffff8ec782d72aa0 R15: 0000000002400000
> [ 66.458356] FS: 00007f01386a8580(0000) GS:ffff8ec809000000(0000) knlGS:0000000000000000
> [ 66.459841] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 66.460895] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4: 0000000000750ee0
> [ 66.462196] PKRU: 55555554
> [ 66.462692] Call Trace:
> [ 66.463139] set_extent_bit.cold+0x30/0x98 [btrfs]
> [ 66.464049] set_extent_bits_nowait+0x1d/0x20 [btrfs]
> [ 66.490466] add_extent_mapping+0x1e0/0x2f0 [btrfs]
> [ 66.514097] read_one_chunk+0x33c/0x420 [btrfs]
> [ 66.534976] btrfs_read_chunk_tree+0x6a4/0x870 [btrfs]
> [ 66.555718] ? kvm_sched_clock_read+0x18/0x40
> [ 66.575758] open_ctree+0xb32/0x1734 [btrfs]
> [ 66.595272] ? bdi_register_va+0x1b/0x20
> [ 66.614638] ? super_setup_bdi_name+0x79/0xd0
> [ 66.633809] btrfs_mount_root.cold+0x12/0xeb [btrfs]
> [ 66.652938] ? __kmalloc_track_caller+0x217/0x3b0
> [ 66.671925] legacy_get_tree+0x34/0x60
> [ 66.690300] vfs_get_tree+0x2d/0xc0
> [ 66.708221] vfs_kern_mount.part.0+0x78/0xc0
> [ 66.725808] vfs_kern_mount+0x13/0x20
> [ 66.742730] btrfs_mount+0x11f/0x3c0 [btrfs]
> [ 66.759350] ? kfree+0x5ff/0x670
> [ 66.775441] ? __kmalloc_track_caller+0x217/0x3b0
> [ 66.791750] legacy_get_tree+0x34/0x60
> [ 66.807494] vfs_get_tree+0x2d/0xc0
> [ 66.823349] path_mount+0x48c/0xd30
> [ 66.838753] __x64_sys_mount+0x108/0x140
> [ 66.854412] do_syscall_64+0x38/0x50
> [ 66.869673] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [ 66.885093] RIP: 0033:0x7f0138827f6e
> [ 66.899790] Code: 48 8b 0d 05 0f 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d d2 0e 0c 00 f7 d8 64 89 01 48
> [ 66.945613] RSP: 002b:00007ffecd79edf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> [ 66.977214] RAX: ffffffffffffffda RBX: 00007f013894c264 RCX: 00007f0138827f6e
> [ 66.994266] RDX: 00005593a4a41360 RSI: 00005593a4a33690 RDI: 00005593a4a3a6c0
> [ 67.011544] RBP: 00005593a4a33440 R08: 0000000000000000 R09: 0000000000000001
> [ 67.028836] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> [ 67.045812] R13: 00005593a4a3a6c0 R14: 00005593a4a41360 R15: 00005593a4a33440
> [ 67.062965] Modules linked in: loop btrfs(O) blake2b_generic xor zstd_compress nls_iso8859_1 nls_cp437 vfat fat raid6_pq joydev mousedev crct10dif_pclmul psmouse crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel glue_helper crypto_simd cryptd pcspkr rtc_cmos evdev intel_agp intel_gtt qemu_fw_cfg drm agpgart ip_tables x_tables xfs virtio_balloon virtio_console virtio_net net_failover failover dm_mod sd_mod hid_generic usbhid hid uhci_hcd serio_raw atkbd libps2 ahci libahci ehci_pci ehci_hcd libata usbcore scsi_mod virtio_pci virtio_ring usb_common virtio i8042 serio
> [ 67.216138] ---[ end trace e114b111db64298c ]---
> [ 67.237089] RIP: 0010:extent_io_tree_panic.isra.0+0x23/0x25 [btrfs]
> [ 67.258567] Code: 9e c0 e8 d1 ff ff ff 0f 1f 44 00 00 55 89 f1 49 c7 c0 70 ae 9e c0 ba a7 02 00 00 48 c7 c6 00 b5 9d c0 48 89 e5 e8 15 a0 ff ff <0f> 0b 42 8d 14 10 4c 89 4d a8 89 c1 81 fa 00 10 00 00 89 45 b0 44
> [ 67.325317] RSP: 0018:ffff93e5414c3948 EFLAGS: 00010246
> [ 67.347946] RAX: 0000000000000000 RBX: 0000000001bfffff RCX: 0000000000000000
> [ 67.371343] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI: 00000000ffffffff
> [ 67.394757] RBP: ffff93e5414c3948 R08: 0000000000000001 R09: 0000000000000001
> [ 67.418409] R10: ffff93e5414c3658 R11: 0000000000000000 R12: ffff8ec782d728c0
> [ 67.441906] R13: ffff8ec78bc71628 R14: ffff8ec782d72aa0 R15: 0000000002400000
> [ 67.465436] FS: 00007f01386a8580(0000) GS:ffff8ec809000000(0000) knlGS:0000000000000000
> [ 67.511660] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 67.535047] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4: 0000000000750ee0
> [ 67.558449] PKRU: 55555554
> [ 67.581146] note: mount[613] exited with preempt_count 2
> ========================================================================
>
> The image has a chunk item which has a logical start 37748736 and length
> 18446744073701163008. The calculated end 29360127 is overflowed obviously.
> -EEXIST was caught by insert_state() because of the duplicate end and
> extent_io_tree_panic() was called.
>
> Add overflow check of chunk item end in tree checker then the image will
> be rejected to be mounted.
>
> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=208929
> Signed-off-by: Su Yue <l@damenly.su>
> ---
> fs/btrfs/tree-checker.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
> index 028e733e42f3..39c65c1cbe96 100644
> --- a/fs/btrfs/tree-checker.c
> +++ b/fs/btrfs/tree-checker.c
> @@ -760,6 +760,7 @@ int btrfs_check_chunk_valid(struct extent_buffer *leaf,
> {
> struct btrfs_fs_info *fs_info = leaf->fs_info;
> u64 length;
> + u64 chunk_end;
> u64 stripe_len;
> u16 num_stripes;
> u16 sub_stripes;
> @@ -814,6 +815,12 @@ int btrfs_check_chunk_valid(struct extent_buffer *leaf,
> "invalid chunk length, have %llu", length);
> return -EUCLEAN;
> }
> + if (unlikely(check_add_overflow(logical, length, &chunk_end))) {
> + chunk_err(leaf, chunk, logical,
> + "invalid chunk logical/length, have logical %llu length %llu",
> + logical, length);
> + return -EUCLEAN;
> + }
> if (unlikely(!is_power_of_2(stripe_len) || stripe_len != BTRFS_STRIPE_LEN)) {
> chunk_err(leaf, chunk, logical,
> "invalid chunk stripe length: %llu",
>
So this is a system chunk? It is not so evident from the trace above.
Thanks, Anand
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 2/2] btrfs: tree-checker: check if chunk item end oveflows
2021-01-04 8:31 ` Anand Jain
@ 2021-01-04 9:15 ` Su Yue
2021-01-05 3:31 ` Anand Jain
0 siblings, 1 reply; 9+ messages in thread
From: Su Yue @ 2021-01-04 9:15 UTC (permalink / raw)
To: Anand Jain; +Cc: linux-btrfs
On Mon 04 Jan 2021 at 16:31, Anand Jain <anand.jain@oracle.com>
wrote:
> On 3/1/21 5:28 pm, Su Yue wrote:
>> while mounting the poc image user-provided, kernel panics due
>> to the
>> invalid chunk item whose end is less than start.
>> ========================================================================
>> [ 66.387422] loop: module loaded
>> [ 66.389773] loop0: detected capacity change from 262144 to 0
>> [ 66.427708] BTRFS: device fsid
>> a62e00e8-e94e-4200-8217-12444de93c2e devid 1 transid 12
>> /dev/loop0 scanned by mount (613)
>> [ 66.431061] BTRFS info (device loop0): disk space caching is
>> enabled
>> [ 66.431078] BTRFS info (device loop0): has skinny extents
>> [ 66.437101] BTRFS error: insert state: end < start 29360127
>> 37748736
>> [ 66.437136] ------------[ cut here ]------------
>> [ 66.437140] WARNING: CPU: 16 PID: 613 at
>> fs/btrfs/extent_io.c:557 insert_state.cold+0x1a/0x46 [btrfs]
>> [ 66.437193] Modules linked in: loop btrfs(O) blake2b_generic
>> xor zstd_compress nls_iso8859_1 nls_cp437 vfat fat raid6_pq
>> joydev mousedev crct10dif_pclmul psmouse crc32_pclmul
>> crc32c_intel ghash_clmulni_intel aesni_intel glue_helper
>> crypto_simd cryptd pcspkr rtc_cmos evdev intel_agp intel_gtt
>> qemu_fw_cfg drm agpgart ip_tables x_tables xfs virtio_balloon
>> virtio_console virtio_net net_failover failover dm_mod sd_mod
>> hid_generic usbhid hid uhci_hcd serio_raw atkbd libps2 ahci
>> libahci ehci_pci ehci_hcd libata usbcore scsi_mod virtio_pci
>> virtio_ring usb_common virtio i8042 serio
>> [ 66.437369] CPU: 16 PID: 613 Comm: mount Tainted: G
>> O 5.11.0-rc1-custom #45
>> [ 66.437374] Hardware name: QEMU Standard PC (i440FX + PIIX,
>> 1996), BIOS ArchLinux 1.14.0-1 04/01/2014
>> [ 66.437378] RIP: 0010:insert_state.cold+0x1a/0x46 [btrfs]
>> [ 66.437416] Code: 39 01 00 00 48 c7 c7 85 38 9e c0 e8 3c fd
>> ff ff 48 8b 7f 08 48 89 d1 48 89 da 4c 89 45 d0 48 c7 c6 20 b0
>> 9e c0 e8 49 97 ff ff <0f> 0b 4c 8b 45 d0 e9 ff 28 f7 ff 49 8b
>> 7d 08 49 89 d9 4d 89 f8 41
>> [ 66.437420] RSP: 0018:ffff93e5414c3908 EFLAGS: 00010286
>> [ 66.437427] RAX: 0000000000000000 RBX: 0000000001bfffff RCX:
>> 0000000000000000
>> [ 66.437431] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI:
>> 00000000ffffffff
>> [ 66.437434] RBP: ffff93e5414c3938 R08: 0000000000000001 R09:
>> 0000000000000001
>> [ 66.437438] R10: ffff93e5414c3658 R11: 0000000000000000 R12:
>> ffff8ec782d72aa0
>> [ 66.437441] R13: ffff8ec78bc71628 R14: 0000000000000000 R15:
>> 0000000002400000
>> [ 66.437447] FS: 00007f01386a8580(0000)
>> GS:ffff8ec809000000(0000) knlGS:0000000000000000
>> [ 66.437451] CS: 0010 DS: 0000 ES: 0000 CR0:
>> 0000000080050033
>> [ 66.437455] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4:
>> 0000000000750ee0
>> [ 66.437460] PKRU: 55555554
>> [ 66.437464] Call Trace:
>> [ 66.437475] set_extent_bit+0x652/0x740 [btrfs]
>> [ 66.437539] set_extent_bits_nowait+0x1d/0x20 [btrfs]
>> [ 66.437576] add_extent_mapping+0x1e0/0x2f0 [btrfs]
>> [ 66.437621] read_one_chunk+0x33c/0x420 [btrfs]
>> [ 66.437674] btrfs_read_chunk_tree+0x6a4/0x870 [btrfs]
>> [ 66.437708] ? kvm_sched_clock_read+0x18/0x40
>> [ 66.437739] open_ctree+0xb32/0x1734 [btrfs]
>> [ 66.437781] ? bdi_register_va+0x1b/0x20
>> [ 66.437788] ? super_setup_bdi_name+0x79/0xd0
>> [ 66.437810] btrfs_mount_root.cold+0x12/0xeb [btrfs]
>> [ 66.437854] ? __kmalloc_track_caller+0x217/0x3b0
>> [ 66.437873] legacy_get_tree+0x34/0x60
>> [ 66.437880] vfs_get_tree+0x2d/0xc0
>> [ 66.437888] vfs_kern_mount.part.0+0x78/0xc0
>> [ 66.437897] vfs_kern_mount+0x13/0x20
>> [ 66.437902] btrfs_mount+0x11f/0x3c0 [btrfs]
>> [ 66.437940] ? kfree+0x5ff/0x670
>> [ 66.437944] ? __kmalloc_track_caller+0x217/0x3b0
>> [ 66.437962] legacy_get_tree+0x34/0x60
>> [ 66.437974] vfs_get_tree+0x2d/0xc0
>> [ 66.437983] path_mount+0x48c/0xd30
>> [ 66.437998] __x64_sys_mount+0x108/0x140
>> [ 66.438011] do_syscall_64+0x38/0x50
>> [ 66.438018] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>> [ 66.438023] RIP: 0033:0x7f0138827f6e
>> [ 66.438029] Code: 48 8b 0d 05 0f 0c 00 f7 d8 64 89 01 48 83
>> c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca
>> b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d d2
>> 0e 0c 00 f7 d8 64 89 01 48
>> [ 66.438033] RSP: 002b:00007ffecd79edf8 EFLAGS: 00000246
>> ORIG_RAX: 00000000000000a5
>> [ 66.438040] RAX: ffffffffffffffda RBX: 00007f013894c264 RCX:
>> 00007f0138827f6e
>> [ 66.438044] RDX: 00005593a4a41360 RSI: 00005593a4a33690 RDI:
>> 00005593a4a3a6c0
>> [ 66.438047] RBP: 00005593a4a33440 R08: 0000000000000000 R09:
>> 0000000000000001
>> [ 66.438050] R10: 0000000000000000 R11: 0000000000000246 R12:
>> 0000000000000000
>> [ 66.438054] R13: 00005593a4a3a6c0 R14: 00005593a4a41360 R15:
>> 00005593a4a33440
>> [ 66.438078] irq event stamp: 18169
>> [ 66.438082] hardirqs last enabled at (18175):
>> [<ffffffffb81154bf>] console_unlock+0x4ff/0x5f0
>> [ 66.438088] hardirqs last disabled at (18180):
>> [<ffffffffb8115427>] console_unlock+0x467/0x5f0
>> [ 66.438092] softirqs last enabled at (16910):
>> [<ffffffffb8a00fe2>] asm_call_irq_on_stack+0x12/0x20
>> [ 66.438097] softirqs last disabled at (16905):
>> [<ffffffffb8a00fe2>] asm_call_irq_on_stack+0x12/0x20
>> [ 66.438103] ---[ end trace e114b111db64298b ]---
>> [ 66.438107] BTRFS error: found node 12582912 29360127 on
>> insert of 37748736 29360127
>> [ 66.438127] BTRFS critical: panic in
>> extent_io_tree_panic:679: locking error: extent tree was
>> modified by another thread while locked (errno=-17 Object
>> already exists)
>> [ 66.441069] ------------[ cut here ]------------
>> [ 66.441072] kernel BUG at fs/btrfs/extent_io.c:679!
>> [ 66.442064] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
>> [ 66.443018] CPU: 16 PID: 613 Comm: mount Tainted: G W
>> O 5.11.0-rc1-custom #45
>> [ 66.444538] Hardware name: QEMU Standard PC (i440FX + PIIX,
>> 1996), BIOS ArchLinux 1.14.0-1 04/01/2014
>> [ 66.446223] RIP: 0010:extent_io_tree_panic.isra.0+0x23/0x25
>> [btrfs]
>> [ 66.447419] Code: 9e c0 e8 d1 ff ff ff 0f 1f 44 00 00 55 89
>> f1 49 c7 c0 70 ae 9e c0 ba a7 02 00 00 48 c7 c6 00 b5 9d c0 48
>> 89 e5 e8 15 a0 ff ff <0f> 0b 42 8d 14 10 4c 89 4d a8 89 c1 81
>> fa 00 10 00 00 89 45 b0 44
>> [ 66.450878] RSP: 0018:ffff93e5414c3948 EFLAGS: 00010246
>> [ 66.451840] RAX: 0000000000000000 RBX: 0000000001bfffff RCX:
>> 0000000000000000
>> [ 66.453141] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI:
>> 00000000ffffffff
>> [ 66.454445] RBP: ffff93e5414c3948 R08: 0000000000000001 R09:
>> 0000000000000001
>> [ 66.455743] R10: ffff93e5414c3658 R11: 0000000000000000 R12:
>> ffff8ec782d728c0
>> [ 66.457055] R13: ffff8ec78bc71628 R14: ffff8ec782d72aa0 R15:
>> 0000000002400000
>> [ 66.458356] FS: 00007f01386a8580(0000)
>> GS:ffff8ec809000000(0000) knlGS:0000000000000000
>> [ 66.459841] CS: 0010 DS: 0000 ES: 0000 CR0:
>> 0000000080050033
>> [ 66.460895] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4:
>> 0000000000750ee0
>> [ 66.462196] PKRU: 55555554
>> [ 66.462692] Call Trace:
>> [ 66.463139] set_extent_bit.cold+0x30/0x98 [btrfs]
>> [ 66.464049] set_extent_bits_nowait+0x1d/0x20 [btrfs]
>> [ 66.490466] add_extent_mapping+0x1e0/0x2f0 [btrfs]
>> [ 66.514097] read_one_chunk+0x33c/0x420 [btrfs]
>> [ 66.534976] btrfs_read_chunk_tree+0x6a4/0x870 [btrfs]
>> [ 66.555718] ? kvm_sched_clock_read+0x18/0x40
>> [ 66.575758] open_ctree+0xb32/0x1734 [btrfs]
>> [ 66.595272] ? bdi_register_va+0x1b/0x20
>> [ 66.614638] ? super_setup_bdi_name+0x79/0xd0
>> [ 66.633809] btrfs_mount_root.cold+0x12/0xeb [btrfs]
>> [ 66.652938] ? __kmalloc_track_caller+0x217/0x3b0
>> [ 66.671925] legacy_get_tree+0x34/0x60
>> [ 66.690300] vfs_get_tree+0x2d/0xc0
>> [ 66.708221] vfs_kern_mount.part.0+0x78/0xc0
>> [ 66.725808] vfs_kern_mount+0x13/0x20
>> [ 66.742730] btrfs_mount+0x11f/0x3c0 [btrfs]
>> [ 66.759350] ? kfree+0x5ff/0x670
>> [ 66.775441] ? __kmalloc_track_caller+0x217/0x3b0
>> [ 66.791750] legacy_get_tree+0x34/0x60
>> [ 66.807494] vfs_get_tree+0x2d/0xc0
>> [ 66.823349] path_mount+0x48c/0xd30
>> [ 66.838753] __x64_sys_mount+0x108/0x140
>> [ 66.854412] do_syscall_64+0x38/0x50
>> [ 66.869673] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>> [ 66.885093] RIP: 0033:0x7f0138827f6e
>> [ 66.899790] Code: 48 8b 0d 05 0f 0c 00 f7 d8 64 89 01 48 83
>> c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca
>> b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d d2
>> 0e 0c 00 f7 d8 64 89 01 48
>> [ 66.945613] RSP: 002b:00007ffecd79edf8 EFLAGS: 00000246
>> ORIG_RAX: 00000000000000a5
>> [ 66.977214] RAX: ffffffffffffffda RBX: 00007f013894c264 RCX:
>> 00007f0138827f6e
>> [ 66.994266] RDX: 00005593a4a41360 RSI: 00005593a4a33690 RDI:
>> 00005593a4a3a6c0
>> [ 67.011544] RBP: 00005593a4a33440 R08: 0000000000000000 R09:
>> 0000000000000001
>> [ 67.028836] R10: 0000000000000000 R11: 0000000000000246 R12:
>> 0000000000000000
>> [ 67.045812] R13: 00005593a4a3a6c0 R14: 00005593a4a41360 R15:
>> 00005593a4a33440
>> [ 67.062965] Modules linked in: loop btrfs(O) blake2b_generic
>> xor zstd_compress nls_iso8859_1 nls_cp437 vfat fat raid6_pq
>> joydev mousedev crct10dif_pclmul psmouse crc32_pclmul
>> crc32c_intel ghash_clmulni_intel aesni_intel glue_helper
>> crypto_simd cryptd pcspkr rtc_cmos evdev intel_agp intel_gtt
>> qemu_fw_cfg drm agpgart ip_tables x_tables xfs virtio_balloon
>> virtio_console virtio_net net_failover failover dm_mod sd_mod
>> hid_generic usbhid hid uhci_hcd serio_raw atkbd libps2 ahci
>> libahci ehci_pci ehci_hcd libata usbcore scsi_mod virtio_pci
>> virtio_ring usb_common virtio i8042 serio
>> [ 67.216138] ---[ end trace e114b111db64298c ]---
>> [ 67.237089] RIP: 0010:extent_io_tree_panic.isra.0+0x23/0x25
>> [btrfs]
>> [ 67.258567] Code: 9e c0 e8 d1 ff ff ff 0f 1f 44 00 00 55 89
>> f1 49 c7 c0 70 ae 9e c0 ba a7 02 00 00 48 c7 c6 00 b5 9d c0 48
>> 89 e5 e8 15 a0 ff ff <0f> 0b 42 8d 14 10 4c 89 4d a8 89 c1 81
>> fa 00 10 00 00 89 45 b0 44
>> [ 67.325317] RSP: 0018:ffff93e5414c3948 EFLAGS: 00010246
>> [ 67.347946] RAX: 0000000000000000 RBX: 0000000001bfffff RCX:
>> 0000000000000000
>> [ 67.371343] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI:
>> 00000000ffffffff
>> [ 67.394757] RBP: ffff93e5414c3948 R08: 0000000000000001 R09:
>> 0000000000000001
>> [ 67.418409] R10: ffff93e5414c3658 R11: 0000000000000000 R12:
>> ffff8ec782d728c0
>> [ 67.441906] R13: ffff8ec78bc71628 R14: ffff8ec782d72aa0 R15:
>> 0000000002400000
>> [ 67.465436] FS: 00007f01386a8580(0000)
>> GS:ffff8ec809000000(0000) knlGS:0000000000000000
>> [ 67.511660] CS: 0010 DS: 0000 ES: 0000 CR0:
>> 0000000080050033
>> [ 67.535047] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4:
>> 0000000000750ee0
>> [ 67.558449] PKRU: 55555554
>> [ 67.581146] note: mount[613] exited with preempt_count 2
>> ========================================================================
>> The image has a chunk item which has a logical start 37748736
>> and length
>> 18446744073701163008. The calculated end 29360127 is overflowed
>> obviously.
>> -EEXIST was caught by insert_state() because of the duplicate
>> end and
>> extent_io_tree_panic() was called.
>> Add overflow check of chunk item end in tree checker then the
>> image will
>> be rejected to be mounted.
>> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=208929
>> Signed-off-by: Su Yue <l@damenly.su>
>> ---
>> fs/btrfs/tree-checker.c | 7 +++++++
>> 1 file changed, 7 insertions(+)
>> diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
>> index 028e733e42f3..39c65c1cbe96 100644
>> --- a/fs/btrfs/tree-checker.c
>> +++ b/fs/btrfs/tree-checker.c
>> @@ -760,6 +760,7 @@ int btrfs_check_chunk_valid(struct
>> extent_buffer *leaf,
>> {
>> struct btrfs_fs_info *fs_info = leaf->fs_info;
>> u64 length;
>> + u64 chunk_end;
>> u64 stripe_len;
>> u16 num_stripes;
>> u16 sub_stripes;
>> @@ -814,6 +815,12 @@ int btrfs_check_chunk_valid(struct
>> extent_buffer *leaf,
>> "invalid chunk length, have %llu", length);
>> return -EUCLEAN;
>> }
>> + if (unlikely(check_add_overflow(logical, length,
>> &chunk_end))) {
>> + chunk_err(leaf, chunk, logical,
>> + "invalid chunk logical/length, have logical %llu
>> length %llu",
>> + logical, length);
>> + return -EUCLEAN;
>> + }
>> if (unlikely(!is_power_of_2(stripe_len) || stripe_len !=
>> BTRFS_STRIPE_LEN)) {
>> chunk_err(leaf, chunk, logical,
>> "invalid chunk stripe length: %llu",
>>
>
> So this is a system chunk? It is not so evident from the trace
> above.
>
It's a chunk item located in chunk tree leaf, not in system chunk
array.
Tree checker checks chunk items in both locations.
Thanks.
> Thanks, Anand
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 0/2] btrfs: fix issues when mouting the poc image
2021-01-03 9:28 [PATCH v2 0/2] btrfs: fix issues when mouting the poc image Su Yue
2021-01-03 9:28 ` [PATCH v2 1/2] btrfs: prevent NULL pointer dereference in extent_io_tree_panic() Su Yue
2021-01-03 9:28 ` [PATCH v2 2/2] btrfs: tree-checker: check if chunk item end oveflows Su Yue
@ 2021-01-04 15:58 ` David Sterba
2 siblings, 0 replies; 9+ messages in thread
From: David Sterba @ 2021-01-04 15:58 UTC (permalink / raw)
To: Su Yue; +Cc: linux-btrfs
On Sun, Jan 03, 2021 at 05:28:02PM +0800, Su Yue wrote:
> The two patches fix issues found by the image which is provided by
> Insu Yun at SSLab@Gatech.
>
> patch 1 fixes a NULL pointer dereference in error handling path.
> patch 2 enhances tree checker to detect chunk item end overflow.
>
> Su Yue (2):
> btrfs: prevent NULL pointer dereference in extent_io_tree_panic()
> btrfs: tree-checker: check if chunk item end oveflows
Thanks, added to misc-next. I've slightly updated the error message in
patch 2, to say that it's the 'logical start' of the chunk.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 2/2] btrfs: tree-checker: check if chunk item end oveflows
2021-01-03 9:28 ` [PATCH v2 2/2] btrfs: tree-checker: check if chunk item end oveflows Su Yue
2021-01-04 8:31 ` Anand Jain
@ 2021-01-04 15:59 ` David Sterba
1 sibling, 0 replies; 9+ messages in thread
From: David Sterba @ 2021-01-04 15:59 UTC (permalink / raw)
To: Su Yue; +Cc: linux-btrfs
On Sun, Jan 03, 2021 at 05:28:04PM +0800, Su Yue wrote:
> while mounting the poc image user-provided, kernel panics due to the
> invalid chunk item whose end is less than start.
> ========================================================================
> [ 66.387422] loop: module loaded
> [ 66.389773] loop0: detected capacity change from 262144 to 0
> [ 66.427708] BTRFS: device fsid a62e00e8-e94e-4200-8217-12444de93c2e devid 1 transid 12 /dev/loop0 scanned by mount (613)
> [ 66.431061] BTRFS info (device loop0): disk space caching is enabled
> [ 66.431078] BTRFS info (device loop0): has skinny extents
> [ 66.437101] BTRFS error: insert state: end < start 29360127 37748736
> [ 66.437136] ------------[ cut here ]------------
> [ 66.437140] WARNING: CPU: 16 PID: 613 at fs/btrfs/extent_io.c:557 insert_state.cold+0x1a/0x46 [btrfs]
> [ 66.437193] Modules linked in: loop btrfs(O) blake2b_generic xor zstd_compress nls_iso8859_1 nls_cp437 vfat fat raid6_pq joydev mousedev crct10dif_pclmul psmouse crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel glue_helper crypto_simd cryptd pcspkr rtc_cmos evdev intel_agp intel_gtt qemu_fw_cfg drm agpgart ip_tables x_tables xfs virtio_balloon virtio_console virtio_net net_failover failover dm_mod sd_mod hid_generic usbhid hid uhci_hcd serio_raw atkbd libps2 ahci libahci ehci_pci ehci_hcd libata usbcore scsi_mod virtio_pci virtio_ring usb_common virtio i8042 serio
The Modules line
> [ 66.437369] CPU: 16 PID: 613 Comm: mount Tainted: G O 5.11.0-rc1-custom #45
> [ 66.437374] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.14.0-1 04/01/2014
> [ 66.437378] RIP: 0010:insert_state.cold+0x1a/0x46 [btrfs]
> [ 66.437416] Code: 39 01 00 00 48 c7 c7 85 38 9e c0 e8 3c fd ff ff 48 8b 7f 08 48 89 d1 48 89 da 4c 89 45 d0 48 c7 c6 20 b0 9e c0 e8 49 97 ff ff <0f> 0b 4c 8b 45 d0 e9 ff 28 f7 ff 49 8b 7d 08 49 89 d9 4d 89 f8 41
and Code: are usually quite long and not necessary for understanding the
report, so please leave them out in future reports. Thanks.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 2/2] btrfs: tree-checker: check if chunk item end oveflows
2021-01-04 9:15 ` Su Yue
@ 2021-01-05 3:31 ` Anand Jain
0 siblings, 0 replies; 9+ messages in thread
From: Anand Jain @ 2021-01-05 3:31 UTC (permalink / raw)
To: Su Yue; +Cc: linux-btrfs
>>> The image has a chunk item which has a logical start 37748736 and length
>>> 18446744073701163008. The calculated end 29360127 is overflowed
>>> obviously.
>>> -EEXIST was caught by insert_state() because of the duplicate end and
>>> extent_io_tree_panic() was called.
>>> Add overflow check of chunk item end in tree checker then the image will
>>> be rejected to be mounted.
>>> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=208929
>>> Signed-off-by: Su Yue <l@damenly.su>
>>> ---
>>> fs/btrfs/tree-checker.c | 7 +++++++
>>> 1 file changed, 7 insertions(+)
>>> diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
>>> index 028e733e42f3..39c65c1cbe96 100644
>>> --- a/fs/btrfs/tree-checker.c
>>> +++ b/fs/btrfs/tree-checker.c
>>> @@ -760,6 +760,7 @@ int btrfs_check_chunk_valid(struct extent_buffer
>>> *leaf,
>>> {
>>> struct btrfs_fs_info *fs_info = leaf->fs_info;
>>> u64 length;
>>> + u64 chunk_end;
>>> u64 stripe_len;
>>> u16 num_stripes;
>>> u16 sub_stripes;
>>> @@ -814,6 +815,12 @@ int btrfs_check_chunk_valid(struct extent_buffer
>>> *leaf,
>>> "invalid chunk length, have %llu", length);
>>> return -EUCLEAN;
>>> }
>>> + if (unlikely(check_add_overflow(logical, length, &chunk_end))) {
>>> + chunk_err(leaf, chunk, logical,
>>> + "invalid chunk logical/length, have logical %llu
>>> length %llu",
>>> + logical, length);
>>> + return -EUCLEAN;
>>> + }
>>> if (unlikely(!is_power_of_2(stripe_len) || stripe_len !=
>>> BTRFS_STRIPE_LEN)) {
>>> chunk_err(leaf, chunk, logical,
>>> "invalid chunk stripe length: %llu",
>>>
>>
>> So this is a system chunk? It is not so evident from the trace above.
>>
> It's a chunk item located in chunk tree leaf, not in system chunk array.
> Tree checker checks chunk items in both locations.
Ok. Thanks.
Reviewed-by: Anand Jain <anand.jain@oracle.com>
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2021-01-05 3:34 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-03 9:28 [PATCH v2 0/2] btrfs: fix issues when mouting the poc image Su Yue
2021-01-03 9:28 ` [PATCH v2 1/2] btrfs: prevent NULL pointer dereference in extent_io_tree_panic() Su Yue
2021-01-04 7:33 ` Anand Jain
2021-01-03 9:28 ` [PATCH v2 2/2] btrfs: tree-checker: check if chunk item end oveflows Su Yue
2021-01-04 8:31 ` Anand Jain
2021-01-04 9:15 ` Su Yue
2021-01-05 3:31 ` Anand Jain
2021-01-04 15:59 ` David Sterba
2021-01-04 15:58 ` [PATCH v2 0/2] btrfs: fix issues when mouting the poc image David Sterba
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).