On 2019/9/15 上午4:52, Cebtenzzre wrote: > I have been able to trigger a use-after-free in btrfs on a stock Arch > Linux kernel, versions 5.2.9 and 5.2.11. I also reproduced it on > kernel.org mainline 5.3-rc8, resulting in this KASAN report: > > > [49286.511157] BTRFS info (device sdi1): balance: start > -dvrange=2221681934336..2221681934337 > [49286.515651] BTRFS info (device sdi1): relocating block group 2221681934336 > flags data|raid0 > [49294.092536] > ================================================================== > [49294.092637] BUG: KASAN: use-after-free in > btrfs_init_reloc_root+0x2bf/0x330 [btrfs]
It would be much nicer if you could provide the code context by using
1) gdb:
$gdb fs/btrfs/btrfs.ko
list *(btrfs_init_reloc_root+0x2bf)
2) faddr2line scripts:
<in linux kernel source code directory>
$ ./scripts/faddr2line fs/btrfs/btrfs.kobtrfs_init_reloc_root+0x2bf
My config results something doesn't make sense at all.
> [49294.092645] Write of size 8 at addr ffff8885b4901440 by task
> kworker/u24:6/10894
>
> [49294.092657] CPU: 8 PID: 10894 Comm: kworker/u24:6 Tainted: P OE
> 5.3.0-rc8-rc-kasan #2
> [49294.092661] Hardware name: To Be Filled By O.E.M. To Be Filled By
> O.E.M./X99 Extreme4, BIOS P3.80 04/06/2018
> [49294.092726] Workqueue: btrfs-endio-write btrfs_endio_write_helper [btrfs]
> [49294.092730] Call Trace:
> [49294.092743] dump_stack+0x71/0xa0
> [49294.092751] print_address_description+0x67/0x323
> [49294.092817] ? btrfs_init_reloc_root+0x2bf/0x330 [btrfs]
> [49294.092879] ? btrfs_init_reloc_root+0x2bf/0x330 [btrfs]
> [49294.092884] __kasan_report.cold+0x1a/0x3d
> [49294.092945] ? btrfs_init_reloc_root+0x2bf/0x330 [btrfs]
> [49294.092951] kasan_report+0xe/0x12
> [49294.093012] btrfs_init_reloc_root+0x2bf/0x330 [btrfs]
^^^^^^^^^^^^^^^^^^^^^^^^^^^
We need code contex of this,
> [49294.093066] record_root_in_trans+0x2ba/0x3a0 [btrfs]
> [49294.093119] btrfs_record_root_in_trans+0xd2/0x150 [btrfs]
> [49294.093170] start_transaction+0x1c3/0xea0 [btrfs]
> [49294.093226] btrfs_finish_ordered_io+0x811/0x1610 [btrfs]
> [49294.093233] ? syscall_return_via_sysret+0xf/0x7f
> [49294.093238] ? syscall_return_via_sysret+0xf/0x7f
> [49294.093243] ? __switch_to_asm+0x40/0x70
> [49294.093248] ? __switch_to_asm+0x34/0x70
> [49294.093300] ? btrfs_unlink_subvol+0xa30/0xa30 [btrfs]
> [49294.093307] ? finish_task_switch+0x1a1/0x760
> [49294.093312] ? __switch_to+0x457/0xe90
> [49294.093317] ? __switch_to_asm+0x34/0x70
> [49294.093378] normal_work_helper+0x15a/0xb90 [btrfs]
> [49294.093387] process_one_work+0x706/0x1200
> [49294.093394] worker_thread+0x92/0xfb0
> [49294.093401] ? __kthread_parkme+0x85/0x100
> [49294.093406] ? process_one_work+0x1200/0x1200
> [49294.093410] kthread+0x2ba/0x3b0
> [49294.093414] ? kthread_park+0x130/0x130
> [49294.093420] ret_from_fork+0x35/0x40
>
> [49294.093431] Allocated by task 11689:
> [49294.093441] __kasan_kmalloc.part.0+0x3c/0xa0
> [49294.093493] btrfs_read_tree_root+0x8f/0x350 [btrfs]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This,
> [49294.093542] btrfs_read_fs_root+0xc/0xc0 [btrfs]
> [49294.093601] create_reloc_root+0x445/0x920 [btrfs]
> [49294.093660] btrfs_init_reloc_root+0x1da/0x330 [btrfs]
> [49294.093709] record_root_in_trans+0x2ba/0x3a0 [btrfs]
> [49294.093758] btrfs_record_root_in_trans+0xd2/0x150 [btrfs]
> [49294.093806] start_transaction+0x1c3/0xea0 [btrfs]
> [49294.093856] __btrfs_prealloc_file_range+0x1c2/0xa50 [btrfs]
> [49294.093907] btrfs_prealloc_file_range+0x10/0x20 [btrfs]
> [49294.093966] prealloc_file_extent_cluster+0x24e/0x4a0 [btrfs]
> [49294.094025] relocate_file_extent_cluster+0x193/0xc90 [btrfs]
> [49294.094083] relocate_data_extent+0x1f2/0x460 [btrfs]
> [49294.094142] relocate_block_group+0x5a5/0xf50 [btrfs]
> [49294.094200] btrfs_relocate_block_group+0x38f/0x990 [btrfs]
> [49294.094258] btrfs_relocate_chunk+0x5c/0x100 [btrfs]
> [49294.094315] btrfs_balance+0x1292/0x2f00 [btrfs]
> [49294.094373] btrfs_ioctl_balance+0x4c2/0x6a0 [btrfs]
> [49294.094430] btrfs_ioctl+0xe56/0x82d0 [btrfs]
> [49294.094434] do_vfs_ioctl+0x99f/0xf10
> [49294.094437] ksys_ioctl+0x5e/0x90
> [49294.094440] __x64_sys_ioctl+0x6f/0xb0
> [49294.094446] do_syscall_64+0xa0/0x370
> [49294.094451] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> [49294.094457] Freed by task 11689:
> [49294.094464] __kasan_slab_free+0x144/0x1f0
> [49294.094468] kfree+0x95/0x2a0
> [49294.094516] btrfs_drop_snapshot+0x1529/0x1c40 [btrfs]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
And this.
> [49294.094573] clean_dirty_subvols+0x23f/0x380 [btrfs]
> [49294.094632] relocate_block_group+0x95b/0xf50 [btrfs]
> [49294.094691] btrfs_relocate_block_group+0x38f/0x990 [btrfs]
> [49294.094748] btrfs_relocate_chunk+0x5c/0x100 [btrfs]
> [49294.094805] btrfs_balance+0x1292/0x2f00 [btrfs]
> [49294.094863] btrfs_ioctl_balance+0x4c2/0x6a0 [btrfs]
> [49294.094920] btrfs_ioctl+0xe56/0x82d0 [btrfs]
> [49294.094923] do_vfs_ioctl+0x99f/0xf10
> [49294.094926] ksys_ioctl+0x5e/0x90
> [49294.094929] __x64_sys_ioctl+0x6f/0xb0
> [49294.094934] do_syscall_64+0xa0/0x370
> [49294.094939] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> [49294.094946] The buggy address belongs to the object at ffff8885b4901100
> which belongs to the cache kmalloc-2k of size 2048
> [49294.094953] The buggy address is located 832 bytes inside of
> 2048-byte region [ffff8885b4901100, ffff8885b4901900)
> [49294.094957] The buggy address belongs to the page:
> [49294.094962] page:ffffea0016d24000 refcount:1 mapcount:0
> mapping:ffff88864400e800 index:0x0 compound_mapcount: 0
> [49294.094968] flags: 0x2ffff0000010200(slab|head)
> [49294.094976] raw: 02ffff0000010200 dead000000000100 dead000000000122
> ffff88864400e800
> [49294.094981] raw: 0000000000000000 00000000800f000f 00000001ffffffff
> 0000000000000000
> [49294.094983] page dumped because: kasan: bad access detected
>
> [49294.094987] Memory state around the buggy address:
> [49294.094992] ffff8885b4901300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> fb fb
> [49294.094997] ffff8885b4901380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> fb fb
> [49294.095002] >ffff8885b4901400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> fb fb
> [49294.095006] ^
> [49294.095010] ffff8885b4901480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> fb fb
> [49294.095015] ffff8885b4901500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> fb fb
> [49294.095018]
> ==================================================================
> [49301.893672] BTRFS info (device sdi1): 1 enospc errors during balance
> [49301.893675] BTRFS info (device sdi1): balance: ended with status: -28
>
>
> Without KASAN, I would eventually get an oops like this:
>
>[...]
>
> I only noticed this bug because I keep an eye on dmesg. In one instance,
> I ignored it for a few hours, then my graphics driver crashed because of
> memory allocation failure and/or heap corruption. Aside from that, I
> have seen no obvious effects.
>
> I have hit this bug at least 5 times over the last two weeks. Every
> time, it has been caused by a balance on various volumes (typically to
> balance a single block group). I was able to trigger it somewhat
> reliably by attempting a balance on a volume with a size of 596.18GiB
> and 1.68GiB of estimated free space, but that stopped working
> eventually.
Is it always that particular fs?
Have you ever hit it on another fs?
Furthermore, did you hit it in v5.1?
I guess there is a chance my previous change of reloc tree lifespan
screwed up something, but it's introduced in v5.1...
Thanks,
Qu
signature.asc
Description: OpenPGP digital signature
