From: Nikolay Borisov <nborisov@suse.com>
To: Qu Wenruo <quwenruo.btrfs@gmx.com>,
dsterba@suse.cz, Qu Wenruo <wqu@suse.com>,
linux-btrfs@vger.kernel.org, Filipe Manana <fdmanana@suse.com>
Subject: Re: [PATCH v5] btrfs: trim: fix underflow in trim length to prevent access beyond device boundary
Date: Wed, 12 Aug 2020 14:24:51 +0300 [thread overview]
Message-ID: <9fbab6c1-ca45-3a88-9853-749bc666b949@suse.com> (raw)
In-Reply-To: <fcf7972e-6579-01ee-add1-6bab2903cdf0@gmx.com>
On 12.08.20 г. 14:14 ч., Qu Wenruo wrote:
>
>
> On 2020/8/12 下午2:43, David Sterba wrote:
>> The v5 changes were discussed but were not all trivial to be just
>> committed. I need to add the patch to pull request branch soon so am
>> not waiting for your v5
>>
>> v5:
>>
>> - add mask for chunk state bits and use that to clear the range a after
>> device shrink; on a second thought doing all ones did not look clean
>> to me
>
> Extra idea inspired by this patch.
>
> We can do extra extent_io_tree bits sanity check for DEBUG build.
>
> In the past, extent_io_tree got its owner member, which each
> extent_io_tree should have one. (Unfortunately, when alloc_state is
> added, we didn't add a new entry for it)
>
> With that, we can easily verify the set/clear bits against its owner to
> ensure we don't set wrong bits for wrong extent_io_tree.
> E.g. CHUNK_* bits are only for alloc_state, while
> DELALLOC/QGROUP_RESERVED are only for inode io tree.
Will this work given the CHUNK_* bits are defined to 2 existing flags,
chosen such that to not clash with the special logic in bit management
functions? (check comment above CHUNK_* bits defines).
>
> Of course, this would be in a new patch.
>
> Thanks,
> Qu
>>
>> - removed assert after clear_extent_bits - make it consistent with all
>> other calls where we don't check the return value for now
>>
>> - reworded comments
>>
>> ---
>>
>> From: Qu Wenruo <wqu@suse.com>
>> Subject: [PATCH] btrfs: trim: fix underflow in trim length to prevent access
>> beyond device boundary
>>
>> [BUG]
>> The following script can lead to tons of beyond device boundary access:
>>
>> mkfs.btrfs -f $dev -b 10G
>> mount $dev $mnt
>> trimfs $mnt
>> btrfs filesystem resize 1:-1G $mnt
>> trimfs $mnt
>>
>> [CAUSE]
>> Since commit 929be17a9b49 ("btrfs: Switch btrfs_trim_free_extents to
>> find_first_clear_extent_bit"), we try to avoid trimming ranges that's
>> already trimmed.
>>
>> So we check device->alloc_state by finding the first range which doesn't
>> have CHUNK_TRIMMED and CHUNK_ALLOCATED not set.
>>
>> But if we shrunk the device, that bits are not cleared, thus we could
>> easily got a range starts beyond the shrunk device size.
>>
>> This results the returned @start and @end are all beyond device size,
>> then we call "end = min(end, device->total_bytes -1);" making @end
>> smaller than device size.
>>
>> Then finally we goes "len = end - start + 1", totally underflow the
>> result, and lead to the beyond-device-boundary access.
>>
>> [FIX]
>> This patch will fix the problem in two ways:
>>
>> - Clear CHUNK_TRIMMED | CHUNK_ALLOCATED bits when shrinking device
>> This is the root fix
>>
>> - Add extra safety check when trimming free device extents
>> We check and warn if the returned range is already beyond current
>> device.
>>
>> Link: https://github.com/kdave/btrfs-progs/issues/282
>> Fixes: 929be17a9b49 ("btrfs: Switch btrfs_trim_free_extents to find_first_clear_extent_bit")
>> CC: stable@vger.kernel.org # 5.4+
>> Signed-off-by: Qu Wenruo <wqu@suse.com>
>> Reviewed-by: Filipe Manana <fdmanana@suse.com>
>> Signed-off-by: David Sterba <dsterba@suse.com>
>> ---
>> fs/btrfs/extent-io-tree.h | 2 ++
>> fs/btrfs/extent-tree.c | 14 ++++++++++++++
>> fs/btrfs/volumes.c | 4 ++++
>> 3 files changed, 20 insertions(+)
>>
>> diff --git a/fs/btrfs/extent-io-tree.h b/fs/btrfs/extent-io-tree.h
>> index f39d47a2d01a..219a09a2b734 100644
>> --- a/fs/btrfs/extent-io-tree.h
>> +++ b/fs/btrfs/extent-io-tree.h
>> @@ -34,6 +34,8 @@ struct io_failure_record;
>> */
>> #define CHUNK_ALLOCATED EXTENT_DIRTY
>> #define CHUNK_TRIMMED EXTENT_DEFRAG
>> +#define CHUNK_STATE_MASK (CHUNK_ALLOCATED | \
>> + CHUNK_TRIMMED)
>>
>> enum {
>> IO_TREE_FS_PINNED_EXTENTS,
>> diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
>> index fa7d83051587..597505df90b4 100644
>> --- a/fs/btrfs/extent-tree.c
>> +++ b/fs/btrfs/extent-tree.c
>> @@ -33,6 +33,7 @@
>> #include "delalloc-space.h"
>> #include "block-group.h"
>> #include "discard.h"
>> +#include "rcu-string.h"
>>
>> #undef SCRAMBLE_DELAYED_REFS
>>
>> @@ -5669,6 +5670,19 @@ static int btrfs_trim_free_extents(struct btrfs_device *device, u64 *trimmed)
>> &start, &end,
>> CHUNK_TRIMMED | CHUNK_ALLOCATED);
>>
>> + /* Check if there are any CHUNK_* bits left */
>> + if (start > device->total_bytes) {
>> + WARN_ON(IS_ENABLED(CONFIG_BTRFS_DEBUG));
>> + btrfs_warn_in_rcu(fs_info,
>> +"ignoring attempt to trim beyond device size: offset %llu length %llu device %s device size %llu",
>> + start, end - start + 1,
>> + rcu_str_deref(device->name),
>> + device->total_bytes);
>> + mutex_unlock(&fs_info->chunk_mutex);
>> + ret = 0;
>> + break;
>> + }
>> +
>> /* Ensure we skip the reserved area in the first 1M */
>> start = max_t(u64, start, SZ_1M);
>>
>> diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
>> index d7670e2a9f39..ee96c5869f57 100644
>> --- a/fs/btrfs/volumes.c
>> +++ b/fs/btrfs/volumes.c
>> @@ -4720,6 +4720,10 @@ int btrfs_shrink_device(struct btrfs_device *device, u64 new_size)
>> }
>>
>> mutex_lock(&fs_info->chunk_mutex);
>> + /* Clear all state bits beyond the shrunk device size */
>> + clear_extent_bits(&device->alloc_state, new_size, (u64)-1,
>> + CHUNK_STATE_MASK);
>> +
>> btrfs_device_set_disk_total_bytes(device, new_size);
>> if (list_empty(&device->post_commit_list))
>> list_add_tail(&device->post_commit_list,
>>
>
next prev parent reply other threads:[~2020-08-12 11:24 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-31 11:29 [PATCH v4] btrfs: trim: fix underflow in trim length to prevent access beyond device boundary Qu Wenruo
2020-07-31 14:08 ` David Sterba
2020-07-31 23:35 ` Qu Wenruo
2020-08-11 7:22 ` David Sterba
2020-08-11 7:42 ` Qu Wenruo
2020-08-12 6:10 ` David Sterba
2020-08-12 6:33 ` Qu Wenruo
2020-08-12 6:37 ` David Sterba
2020-08-11 8:41 ` Nikolay Borisov
2020-08-11 8:46 ` Qu Wenruo
2020-08-11 10:24 ` Filipe Manana
2020-08-12 6:14 ` David Sterba
2020-08-12 6:43 ` [PATCH v5] " David Sterba
2020-08-12 6:57 ` Qu Wenruo
2020-08-12 11:14 ` Qu Wenruo
2020-08-12 11:24 ` Nikolay Borisov [this message]
2020-08-12 11:26 ` Qu Wenruo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9fbab6c1-ca45-3a88-9853-749bc666b949@suse.com \
--to=nborisov@suse.com \
--cc=dsterba@suse.cz \
--cc=fdmanana@suse.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=quwenruo.btrfs@gmx.com \
--cc=wqu@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).