From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Hao Sun <sunhao.th@gmail.com>,
Qu Wenruo <wqu@suse.com>, David Sterba <dsterba@suse.com>,
Denis Efremov <denis.e.efremov@oracle.com>
Subject: [PATCH 4.19 27/30] btrfs: unlock newly allocated extent buffer after error
Date: Mon, 14 Mar 2022 12:34:45 +0100 [thread overview]
Message-ID: <20220314112732.559680874@linuxfoundation.org> (raw)
In-Reply-To: <20220314112731.785042288@linuxfoundation.org>
From: Qu Wenruo <wqu@suse.com>
commit 19ea40dddf1833db868533958ca066f368862211 upstream.
[BUG]
There is a bug report that injected ENOMEM error could leave a tree
block locked while we return to user-space:
BTRFS info (device loop0): enabling ssd optimizations
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 7579 Comm: syz-executor Not tainted 5.15.0-rc1 #16
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:106
fail_dump lib/fault-inject.c:52 [inline]
should_fail+0x13c/0x160 lib/fault-inject.c:146
should_failslab+0x5/0x10 mm/slab_common.c:1328
slab_pre_alloc_hook.constprop.99+0x4e/0xc0 mm/slab.h:494
slab_alloc_node mm/slub.c:3120 [inline]
slab_alloc mm/slub.c:3214 [inline]
kmem_cache_alloc+0x44/0x280 mm/slub.c:3219
btrfs_alloc_delayed_extent_op fs/btrfs/delayed-ref.h:299 [inline]
btrfs_alloc_tree_block+0x38c/0x670 fs/btrfs/extent-tree.c:4833
__btrfs_cow_block+0x16f/0x7d0 fs/btrfs/ctree.c:415
btrfs_cow_block+0x12a/0x300 fs/btrfs/ctree.c:570
btrfs_search_slot+0x6b0/0xee0 fs/btrfs/ctree.c:1768
btrfs_insert_empty_items+0x80/0xf0 fs/btrfs/ctree.c:3905
btrfs_new_inode+0x311/0xa60 fs/btrfs/inode.c:6530
btrfs_create+0x12b/0x270 fs/btrfs/inode.c:6783
lookup_open+0x660/0x780 fs/namei.c:3282
open_last_lookups fs/namei.c:3352 [inline]
path_openat+0x465/0xe20 fs/namei.c:3557
do_filp_open+0xe3/0x170 fs/namei.c:3588
do_sys_openat2+0x357/0x4a0 fs/open.c:1200
do_sys_open+0x87/0xd0 fs/open.c:1216
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x34/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x46ae99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f46711b9c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 000000000078c0a0 RCX: 000000000046ae99
RDX: 0000000000000000 RSI: 00000000000000a1 RDI: 0000000020005800
RBP: 00007f46711b9c80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000017
R13: 0000000000000000 R14: 000000000078c0a0 R15: 00007ffc129da6e0
================================================
WARNING: lock held when returning to user space!
5.15.0-rc1 #16 Not tainted
------------------------------------------------
syz-executor/7579 is leaving the kernel with locks still held!
1 lock held by syz-executor/7579:
#0: ffff888104b73da8 (btrfs-tree-01/1){+.+.}-{3:3}, at:
__btrfs_tree_lock+0x2e/0x1a0 fs/btrfs/locking.c:112
[CAUSE]
In btrfs_alloc_tree_block(), after btrfs_init_new_buffer(), the new
extent buffer @buf is locked, but if later operations like adding
delayed tree ref fail, we just free @buf without unlocking it,
resulting above warning.
[FIX]
Unlock @buf in out_free_buf: label.
Reported-by: Hao Sun <sunhao.th@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/CACkBjsZ9O6Zr0KK1yGn=1rQi6Crh1yeCRdTSBxx9R99L4xdn-Q@mail.gmail.com/
CC: stable@vger.kernel.org # 5.4+
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/extent-tree.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -8327,6 +8327,7 @@ struct extent_buffer *btrfs_alloc_tree_b
out_free_delayed:
btrfs_free_delayed_extent_op(extent_op);
out_free_buf:
+ btrfs_tree_unlock(buf);
free_extent_buffer(buf);
out_free_reserved:
btrfs_free_reserved_extent(fs_info, ins.objectid, ins.offset, 0);
next prev parent reply other threads:[~2022-03-14 11:43 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-14 11:34 [PATCH 4.19 00/30] 4.19.235-rc1 review Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 01/30] net: qlogic: check the return value of dma_alloc_coherent() in qed_vf_hw_prepare() Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 02/30] qed: return status of qed_iov_get_link Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 03/30] ethernet: Fix error handling in xemaclite_of_probe Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 04/30] net: ethernet: ti: cpts: Handle error for clk_enable Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 05/30] net: ethernet: lpc_eth: " Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 06/30] ax25: Fix NULL pointer dereference in ax25_kill_by_device Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 07/30] net/mlx5: Fix size field in bufferx_reg struct Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 08/30] NFC: port100: fix use-after-free in port100_send_complete Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 09/30] gpio: ts4900: Do not set DAT and OE together Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 10/30] gianfar: ethtool: Fix refcount leak in gfar_get_ts_info Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 11/30] net: phy: DP83822: clear MISR2 register to disable interrupts Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 12/30] sctp: fix kernel-infoleak for SCTP sockets Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 13/30] net-sysfs: add check for netdevice being present to speed_show Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 14/30] Revert "xen-netback: remove hotplug-status once it has served its purpose" Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 15/30] Revert "xen-netback: Check for hotplug-status existence before watching" Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 16/30] tracing: Ensure trace buffer is at least 4096 bytes large Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 17/30] selftests/memfd: clean up mapping in mfd_fail_write Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 18/30] ARM: Spectre-BHB: provide empty stub for non-config Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 19/30] staging: gdm724x: fix use after free in gdm_lte_rx() Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 20/30] net: macb: Fix lost RX packet wakeup race in NAPI receive Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 21/30] riscv: Fix auipc+jalr relocation range checks Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 22/30] KVM: arm64: Reset PMC_EL0 to avoid a panic() on systems with no PMU Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 23/30] virtio: unexport virtio_finalize_features Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 24/30] virtio: acknowledge all features before access Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 25/30] ARM: fix Thumb2 regression with Spectre BHB Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 26/30] ext4: add check to prevent attempting to resize an fs with sparse_super2 Greg Kroah-Hartman
2022-03-14 11:34 ` Greg Kroah-Hartman [this message]
2022-03-14 11:34 ` [PATCH 4.19 28/30] sched/topology: Make sched_init_numa() use a set for the deduplicating sort Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 29/30] sched/topology: Fix sched_domain_topology_level alloc in sched_init_numa() Greg Kroah-Hartman
2022-03-14 11:34 ` [PATCH 4.19 30/30] ia64: ensure proper NUMA distance and possible map initialization Greg Kroah-Hartman
2022-03-14 13:58 ` [PATCH 4.19 00/30] 4.19.235-rc1 review Jon Hunter
2022-03-14 14:05 ` Greg Kroah-Hartman
2022-03-14 14:14 ` Jon Hunter
2022-03-14 14:57 ` Greg Kroah-Hartman
2022-03-15 12:14 ` James Morse
2022-03-15 12:28 ` Greg Kroah-Hartman
2022-03-14 14:32 ` Naresh Kamboju
2022-03-14 15:00 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220314112732.559680874@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=denis.e.efremov@oracle.com \
--cc=dsterba@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=sunhao.th@gmail.com \
--cc=wqu@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).