From: Johannes Thumshirn <Johannes.Thumshirn@wdc.com>
To: "Zhang, Qiang" <Qiang.Zhang@windriver.com>,
"clm@fb.com" <clm@fb.com>,
"josef@toxicpanda.com" <josef@toxicpanda.com>,
"dsterba@suse.com" <dsterba@suse.com>,
"syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com"
<syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com>
Cc: "linux-btrfs@vger.kernel.org" <linux-btrfs@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: 回复: [PATCH] btrfs: Fix missing close devices
Date: Mon, 21 Sep 2020 09:17:27 +0000 [thread overview]
Message-ID: <SN4PR0401MB359820738AC6479F9F47FEE59B3A0@SN4PR0401MB3598.namprd04.prod.outlook.com> (raw)
In-Reply-To: BYAPR11MB2632211F4D65A009DAF5D507FF3A0@BYAPR11MB2632.namprd11.prod.outlook.com
On 21/09/2020 11:14, Zhang, Qiang wrote:
>
>
> ________________________________________
> 发件人: Johannes Thumshirn <Johannes.Thumshirn@wdc.com>
> 发送时间: 2020年9月21日 16:52
> 收件人: Zhang, Qiang; clm@fb.com; josef@toxicpanda.com; dsterba@suse.com
> 抄送: linux-btrfs@vger.kernel.org; linux-kernel@vger.kernel.org
> 主题: Re: [PATCH] btrfs: Fix missing close devices
>
> On 21/09/2020 10:27, qiang.zhang@windriver.com wrote:
>> From: Zqiang <qiang.zhang@windriver.com>
>>
>> When the btrfs fill super error, we should first close devices and
>> then call deactivate_locked_super func to free fs_info.
>>
>> Signed-off-by: Zqiang <qiang.zhang@windriver.com>
>> ---
>> fs/btrfs/super.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
>> index 8840a4fa81eb..3bfd54e8f388 100644
>> --- a/fs/btrfs/super.c
>> +++ b/fs/btrfs/super.c
>> @@ -1675,6 +1675,7 @@ static struct dentry *btrfs_mount_root(struct file_system_type *fs_type,
>> error = security_sb_set_mnt_opts(s, new_sec_opts, 0, NULL);
>> security_free_mnt_opts(&new_sec_opts);
>> if (error) {
>> + btrfs_close_devices(fs_devices);
>> deactivate_locked_super(s);
>> return ERR_PTR(error);
>> }
>>
>
>> I think this is the fix for the syzkaller issue:
>> Reported-by: syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com
>
> Please try this patch.
>
Nope, with this patch I get the following Null-ptr-deref:
[ 39.065209] ==================================================================
[ 39.066318] BUG: KASAN: null-ptr-deref in bdev_name.constprop.0+0xd4/0x240
[ 39.067307] Read of size 4 at addr 00000000000003ac by task syz-repro/273
[ 39.068289]
[ 39.069602] ==================================================================
[ 39.070837] BUG: kernel NULL pointer dereference, address: 00000000000003ac
[ 39.071837] #PF: supervisor read access in kernel mode
[ 39.072580] #PF: error_code(0x0000) - not-present page
[ 39.073318] PGD 80000001cd3b1067 P4D 80000001cd3b1067 PUD 1c6de7067 PMD 0
[ 39.074306] Oops: 0000 [#1] SMP KASAN PTI
[ 39.074887] CPU: 0 PID: 273 Comm: syz-repro Tainted: G B 5.9.0-rc5+ #772
[ 39.076031] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4-rebuilt.opensuse.org 04/01/2014
[ 39.077638] RIP: 0010:bdev_name.constprop.0+0xd4/0x240
[ 39.078387] Code: ca 4c 89 4c 24 08 e8 0b e9 ff ff 48 89 df 49 89 c6 e8 40 42 c6 ff 49 8b ac 24 e0 00 00 00 48 8d bd ac 03 00 00 e8 2c 41 c6 ff <8b> 85 ac 03 00 00 4c 8b 4c 24 08 85 c0 0f 84 fe 00 00 00 4c 89 cf
[ 39.080991] RSP: 0018:ffff8881f1a97878 EFLAGS: 00010286
[ 39.081728] RAX: 0000000000000001 RBX: ffff8881c9fb80e0 RCX: dffffc0000000000
[ 39.082725] RDX: 0000000000000007 RSI: 0000000000000004 RDI: ffffffff81acd784
[ 39.083717] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 39.084722] R10: fffffbfff0539591 R11: 0000000000000001 R12: ffff8881c9fb8000
[ 39.085711] R13: ffff8881ef6e2698 R14: ffff8881ef6e2680 R15: 0000000000000000
[ 39.086704] FS: 00007f5d36eb9540(0000) GS:ffff8881f7600000(0000) knlGS:0000000000000000
[ 39.087827] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 39.088623] CR2: 00000000000003ac CR3: 00000001ef552000 CR4: 00000000000006b0
[ 39.089607] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 39.090603] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 39.091583] Call Trace:
[ 39.091943] ? mac_address_string+0x380/0x380
[ 39.092559] ? mark_held_locks+0x65/0x90
[ 39.093116] pointer+0x21c/0x650
[ 39.093578] ? format_decode+0x1cf/0x4e0
[ 39.094139] ? resource_string.isra.0+0xc10/0xc10
[ 39.094809] vsnprintf+0x2e0/0x820
[ 39.095292] ? pointer+0x650/0x650
[ 39.095785] snprintf+0x88/0xa0
[ 39.096234] ? vsprintf+0x10/0x10
[ 39.096708] ? rcu_read_lock_sched_held+0x3a/0x70
[ 39.097378] ? sget+0x200/0x240
[ 39.097908] ? btrfs_kill_super+0x30/0x30 [btrfs]
[ 39.098644] btrfs_mount_root+0x442/0x5d0 [btrfs]
[ 39.099377] ? parse_rescue_options+0x150/0x150 [btrfs]
[ 39.100103] ? rcu_read_lock_sched_held+0x3a/0x70
[ 39.100759] ? vfs_parse_fs_string+0xbc/0xf0
[ 39.101355] ? kfree+0x1e0/0x310
[ 39.101816] ? vfs_parse_fs_string+0xbc/0xf0
[ 39.102493] ? parse_rescue_options+0x150/0x150 [btrfs]
[ 39.103219] legacy_get_tree+0x7d/0xc0
[ 39.103750] vfs_get_tree+0x48/0x100
[ 39.104263] ? parse_monolithic_mount_data+0x1c/0x40
[ 39.104960] vfs_kern_mount.part.0+0x70/0xd0
[ 39.105649] btrfs_mount+0x187/0x550 [btrfs]
[ 39.106268] ? mark_held_locks+0x24/0x90
[ 39.106918] ? btrfs_show_options+0x730/0x730 [btrfs]
[ 39.107641] ? lockdep_hardirqs_on_prepare+0x146/0x240
[ 39.108368] ? strcmp+0x2e/0x50
[ 39.108810] ? rcu_read_lock_sched_held+0x3a/0x70
[ 39.109461] ? vfs_parse_fs_string+0xbc/0xf0
[ 39.110054] ? kfree+0x1e0/0x310
[ 39.110519] ? vfs_parse_fs_string+0xbc/0xf0
[ 39.111197] ? btrfs_show_options+0x730/0x730 [btrfs]
[ 39.111898] legacy_get_tree+0x7d/0xc0
[ 39.112427] vfs_get_tree+0x48/0x100
[ 39.112928] path_mount+0xa37/0xfc0
[ 39.113422] ? strncpy_from_user+0xde/0x1f0
[ 39.114011] ? copy_mount_string+0x20/0x20
[ 39.114588] ? getname_flags+0xa7/0x220
[ 39.115132] ? _copy_from_user+0x8e/0xd0
[ 39.115686] __x64_sys_mount+0x16b/0x1a0
[ 39.116242] ? copy_mnt_ns+0x540/0x540
[ 39.116770] ? trace_hardirqs_on+0x34/0x130
[ 39.117370] do_syscall_64+0x33/0x40
[ 39.117886] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 39.118604] RIP: 0033:0x7f5d36df1eda
next prev parent reply other threads:[~2020-09-21 9:17 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-21 8:26 [PATCH] btrfs: Fix missing close devices qiang.zhang
2020-09-21 8:52 ` Johannes Thumshirn
2020-09-21 9:14 ` 回复: " Zhang, Qiang
2020-09-21 9:17 ` Johannes Thumshirn [this message]
2020-09-23 6:03 ` 回复: " Zhang, Qiang
2020-09-23 8:17 ` Johannes Thumshirn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=SN4PR0401MB359820738AC6479F9F47FEE59B3A0@SN4PR0401MB3598.namprd04.prod.outlook.com \
--to=johannes.thumshirn@wdc.com \
--cc=Qiang.Zhang@windriver.com \
--cc=clm@fb.com \
--cc=dsterba@suse.com \
--cc=josef@toxicpanda.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.