From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Hao Sun <sunhao.th@gmail.com>,
	Qu Wenruo <wqu@suse.com>, David Sterba <dsterba@suse.com>,
	Denis Efremov <denis.e.efremov@oracle.com>
Subject: [PATCH 4.19 27/30] btrfs: unlock newly allocated extent buffer after error
Date: Mon, 14 Mar 2022 12:34:45 +0100
Message-ID: <20220314112732.559680874@linuxfoundation.org>
In-Reply-To: <20220314112731.785042288@linuxfoundation.org>

From: Qu Wenruo <wqu@suse.com>

commit 19ea40dddf1833db868533958ca066f368862211 upstream.

[BUG]
There is a bug report that injected ENOMEM error could leave a tree
block locked while we return to user-space:

  BTRFS info (device loop0): enabling ssd optimizations
  FAULT_INJECTION: forcing a failure.
  name failslab, interval 1, probability 0, space 0, times 0
  CPU: 0 PID: 7579 Comm: syz-executor Not tainted 5.15.0-rc1 #16
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
  rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
  Call Trace:
   __dump_stack lib/dump_stack.c:88 [inline]
   dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:106
   fail_dump lib/fault-inject.c:52 [inline]
   should_fail+0x13c/0x160 lib/fault-inject.c:146
   should_failslab+0x5/0x10 mm/slab_common.c:1328
   slab_pre_alloc_hook.constprop.99+0x4e/0xc0 mm/slab.h:494
   slab_alloc_node mm/slub.c:3120 [inline]
   slab_alloc mm/slub.c:3214 [inline]
   kmem_cache_alloc+0x44/0x280 mm/slub.c:3219
   btrfs_alloc_delayed_extent_op fs/btrfs/delayed-ref.h:299 [inline]
   btrfs_alloc_tree_block+0x38c/0x670 fs/btrfs/extent-tree.c:4833
   __btrfs_cow_block+0x16f/0x7d0 fs/btrfs/ctree.c:415
   btrfs_cow_block+0x12a/0x300 fs/btrfs/ctree.c:570
   btrfs_search_slot+0x6b0/0xee0 fs/btrfs/ctree.c:1768
   btrfs_insert_empty_items+0x80/0xf0 fs/btrfs/ctree.c:3905
   btrfs_new_inode+0x311/0xa60 fs/btrfs/inode.c:6530
   btrfs_create+0x12b/0x270 fs/btrfs/inode.c:6783
   lookup_open+0x660/0x780 fs/namei.c:3282
   open_last_lookups fs/namei.c:3352 [inline]
   path_openat+0x465/0xe20 fs/namei.c:3557
   do_filp_open+0xe3/0x170 fs/namei.c:3588
   do_sys_openat2+0x357/0x4a0 fs/open.c:1200
   do_sys_open+0x87/0xd0 fs/open.c:1216
   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
   do_syscall_64+0x34/0xb0 arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x44/0xae
  RIP: 0033:0x46ae99
  Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
  89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
  01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
  RSP: 002b:00007f46711b9c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
  RAX: ffffffffffffffda RBX: 000000000078c0a0 RCX: 000000000046ae99
  RDX: 0000000000000000 RSI: 00000000000000a1 RDI: 0000000020005800
  RBP: 00007f46711b9c80 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000017
  R13: 0000000000000000 R14: 000000000078c0a0 R15: 00007ffc129da6e0

  ================================================
  WARNING: lock held when returning to user space!
  5.15.0-rc1 #16 Not tainted
  ------------------------------------------------
  syz-executor/7579 is leaving the kernel with locks still held!
  1 lock held by syz-executor/7579:
   #0: ffff888104b73da8 (btrfs-tree-01/1){+.+.}-{3:3}, at:
  __btrfs_tree_lock+0x2e/0x1a0 fs/btrfs/locking.c:112

[CAUSE]
In btrfs_alloc_tree_block(), after btrfs_init_new_buffer(), the new
extent buffer @buf is locked, but if later operations like adding a
delayed tree ref fail, we just free @buf without unlocking it,
resulting in the above warning.

[FIX]
Unlock @buf at the out_free_buf: label.

Reported-by: Hao Sun <sunhao.th@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/CACkBjsZ9O6Zr0KK1yGn=1rQi6Crh1yeCRdTSBxx9R99L4xdn-Q@mail.gmail.com/
CC: stable@vger.kernel.org # 5.4+
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/extent-tree.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -8327,6 +8327,7 @@ struct extent_buffer *btrfs_alloc_tree_b
 out_free_delayed:
 	btrfs_free_delayed_extent_op(extent_op);
 out_free_buf:
+	btrfs_tree_unlock(buf);
 	free_extent_buffer(buf);
 out_free_reserved:
 	btrfs_free_reserved_extent(fs_info, ins.objectid, ins.offset, 0);
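Review bot: placing btrfs_tree_unlock(buf) at the out_free_buf: label means it is also reached by fall-through from out_free_delayed:, so the fix is only correct if every `goto out_free_buf` and `goto out_free_delayed` in btrfs_alloc_tree_block() happens after btrfs_init_new_buffer() has taken the tree lock on buf; the three context lines cannot show that, and since the 4.19 function (hunk header at line 8327) may not be laid out like the upstream one commit 19ea40dddf18 patched, that ordering is worth checking in this tree rather than assumed, because unlocking an extent buffer that was never locked would be its own bug. Calling btrfs_tree_unlock(buf) before free_extent_buffer(buf) is the right order, as the lock must be dropped while the buffer is still referenced.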


