From: Qu Wenruo <wqu@suse.com>
To: linux-btrfs@vger.kernel.org
Subject: [PATCH] btrfs: extent-tree: Check if the newly reserved tree block is already in use
Date: Tue, 17 Jul 2018 15:46:58 +0800 [thread overview]
Message-ID: <20180717074658.22331-1-wqu@suse.com> (raw)
[BUG]
For certain fuzzed btrfs image, if we create any csum data, it would
cause the following kernel warning and deadlock when trying to update
csum tree:
------
[ 278.113360] WARNING: CPU: 1 PID: 41 at fs/btrfs/locking.c:230 btrfs_tree_lock+0x3e2/0x400
[ 278.113737] CPU: 1 PID: 41 Comm: kworker/u4:1 Not tainted 4.18.0-rc1+ #8
[ 278.113745] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 278.113753] Workqueue: btrfs-endio-write btrfs_endio_write_helper
[ 278.113761] RIP: 0010:btrfs_tree_lock+0x3e2/0x400
[ 278.113762] Code: 00 48 c7 40 08 00 00 00 00 48 8b 45 d0 65 48 33 04 25 28 00 00 00 75 20 48 81 c4 a0 00 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 <0f> 0b e9 d4 fc ff ff 0f 0b e9 61 ff ff ff e8 ab f4 87 ff 90 66 2e
[ 278.113818] RSP: 0018:ffff8801f407f488 EFLAGS: 00010246
[ 278.113865] Call Trace:
[ 278.113936] btrfs_alloc_tree_block+0x39f/0x770
[ 278.113988] __btrfs_cow_block+0x285/0x9e0
[ 278.114029] btrfs_cow_block+0x191/0x2e0
[ 278.114035] btrfs_search_slot+0x492/0x1160
[ 278.114146] btrfs_lookup_csum+0xec/0x280
[ 278.114182] btrfs_csum_file_blocks+0x2be/0xa60
[ 278.114232] add_pending_csums+0xaf/0xf0
[ 278.114238] btrfs_finish_ordered_io+0x74b/0xc90
[ 278.114281] finish_ordered_fn+0x15/0x20
[ 278.114285] normal_work_helper+0xf6/0x500
[ 278.114305] btrfs_endio_write_helper+0x12/0x20
[ 278.114310] process_one_work+0x302/0x770
[ 278.114315] worker_thread+0x81/0x6d0
[ 278.114321] kthread+0x180/0x1d0
[ 278.114334] ret_from_fork+0x35/0x40
[ 278.114339] ---[ end trace 2e85051acb5f6dc1 ]---
------
[CAUSE]
The fuzzed image has corrupted EXTENT_ITEM for csum tree root:
------
extent tree key (EXTENT_TREE ROOT_ITEM 0)
item 4 key (29364224 METADATA_ITEM 0) itemoff 3857 itemsize 33
refs 1 gen 6 flags TREE_BLOCK
tree block skinny level 0
tree block backref root UUID_TREE
item 5 key (29376512 UNKNOWN.0 0) itemoff 3824 itemsize 33
^^^^^^^^^^^^^^^^^^^^ Corrupted METADATA_ITEM
item 6 key (29380608 METADATA_ITEM 0) itemoff 3791 itemsize 33
refs 1 gen 4 flags TREE_BLOCK
tree block skinny level 0
tree block backref root DATA_RELOC_TREE
checksum tree key (CSUM_TREE ROOT_ITEM 0)
leaf 29376512 items 0 free space 3995 generation 4 owner CSUM_TREE
^^^^^^^^ bytenr matches above item.
------
So when btrfs_alloc_tree_blocks() calls btrfs_reserve_extent(), since
there is not METADATA_ITEM/EXTENT_ITEM for bytenr 29376512, btrfs thinks
it's free space, and reserve it.
However in fact it's already been used by csum tree, and later
btrfs_init_new_buffer() will try to call btrfs_tree_lock(), whose
WARN_ON() detects lock nest on the same extent buffer.
Finally the wait_event() on the eb->read/write_lock_wq will never exit
since we're holding the lock by ourselves and deadlock.
[FIX]
The fix here is to ensure at least the reserved extent buffer is not
cached.
Any used extent buffer should be cached in the global radix tree
(fs_info->buffer_radix).
So before calling btrfs_init_new_buffer() in btrfs_alloc_tree_block(),
we call find_extent_buffer() explicitly to verify it's not used by
ourselves.
Please note this is just a basic check, it is not and will never be as
good as btrfs check on detecting extent tree corruption, but at least we
won't dead lock so easily.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=200405
Reported-by: Xu Wen <wen.xu@gatech.edu>
Signed-off-by: Qu Wenruo <wqu@suse.com>
---
fs/btrfs/extent-tree.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 3578fa5b30ef..782dd96b7c5e 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -8435,6 +8435,20 @@ struct extent_buffer *btrfs_alloc_tree_block(struct btrfs_trans_handle *trans,
if (ret)
goto out_unuse;
+ /*
+ * Newly allocated tree block should never be cached in radix tree,
+ * Or we have a corrupted extent tree.
+ */
+ buf = find_extent_buffer(fs_info, ins.objectid);
+ if (buf) {
+ btrfs_err_rl(fs_info,
+ "tree block %llu is already in use, extent tree may be corrupted",
+ ins.objectid);
+ ret = -EUCLEAN;
+ free_extent_buffer(buf);
+ goto out_unuse;
+ }
+
buf = btrfs_init_new_buffer(trans, root, ins.objectid, level);
if (IS_ERR(buf)) {
ret = PTR_ERR(buf);
--
2.18.0
next reply other threads:[~2018-07-17 8:18 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-17 7:46 Qu Wenruo [this message]
2018-07-17 8:01 ` [PATCH] btrfs: extent-tree: Check if the newly reserved tree block is already in use Nikolay Borisov
2018-07-17 8:11 ` Su Yue
2018-07-17 8:24 ` Qu Wenruo
2018-07-17 8:28 ` Nikolay Borisov
2018-07-17 8:33 ` Qu Wenruo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180717074658.22331-1-wqu@suse.com \
--to=wqu@suse.com \
--cc=linux-btrfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.