subject:"\[PATCH\] Btrfs\: fix null pointer dereference when replacing missing device"

Re: [PATCH] Btrfs: fix null pointer dereference when replacing missing device

2018-01-31 Thread David Sterba

On Wed, Jan 31, 2018 at 11:25:49AM +0800, Anand Jain wrote:
> > This is trivially reproduced by running the test btrfs/027 from fstests
> > like this:
> > 
> >$ MOUNT_OPTIONS="-o discard" ./check btrfs/027
> > 
> > Fix this by skipping devices without a backing device before attempting
> > to discard.
> > 
> > Fixes: 38b5f68e9811 ("btrfs: drop btrfs_device::can_discard to query 
> > directly")
> > Signed-off-by: Filipe Manana 
>   oh no, I missed the context of degraded when writing this patch.
>   Thanks for the fix.
> 
>   Reviewed-by: Anand Jain 

Added to next and will add it to the next 4.16 pull.
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] Btrfs: fix null pointer dereference when replacing missing device

2018-01-30 Thread Anand Jain




On 01/31/2018 02:40 AM, fdman...@kernel.org wrote:

From: Filipe Manana 

When we are replacing a missing device we mount the filesystem with the
degraded mode option in which case we are allowed to have a btrfs device
structure without a backing device member (its bdev member is NULL) and
therefore we can't dereference that member. Commit 38b5f68e9811
("btrfs: drop btrfs_device::can_discard to query directly") started to
dereference that member when discarding extents, resulting in a null
pointer dereference:

  [ 3145.322257] BTRFS warning (device sdf): devid 2 uuid 
4d922414-58eb-4880-8fed-9c3840f6c5d5 is missing
  [ 3145.364116] BTRFS info (device sdf): dev_replace from  
(devid 2) to /dev/sdg started
  [ 3145.413489] BUG: unable to handle kernel NULL pointer dereference at 
00e0
  [ 3145.415085] IP: btrfs_discard_extent+0x6a/0xf8 [btrfs]
  [ 3145.415085] PGD 0 P4D 0
  [ 3145.415085] Oops:  [#1] PREEMPT SMP PTI
  [ 3145.415085] Modules linked in: ppdev ghash_clmulni_intel pcbc aesni_intel 
aes_x86_64 crypto_simd cryptd glue_helper evdev psmouse parport_pc serio_raw 
i2c_piix4 i2
  [ 3145.415085] CPU: 0 PID: 11989 Comm: btrfs Tainted: GW
4.15.0-rc9-btrfs-next-55+ #1
  [ 3145.415085] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
  [ 3145.415085] RIP: 0010:btrfs_discard_extent+0x6a/0xf8 [btrfs]
  [ 3145.415085] RSP: 0018:c90004813c60 EFLAGS: 00010293
  [ 3145.415085] RAX: 88020d39cc00 RBX: 88020c4ea2a0 RCX: 
0002
  [ 3145.415085] RDX:  RSI: 88020c4ea240 RDI: 

  [ 3145.415085] RBP:  R08: 4000 R09: 

  [ 3145.415085] R10: c90004813ae8 R11:  R12: 

  [ 3145.415085] R13: 88020c418000 R14:  R15: 

  [ 3145.415085] FS:  7f565681f8c0() GS:88023fc0() 
knlGS:
  [ 3145.415085] CS:  0010 DS:  ES:  CR0: 80050033
  [ 3145.415085] CR2: 00e0 CR3: 00020d208006 CR4: 
001606f0
  [ 3145.415085] Call Trace:
  [ 3145.415085]  btrfs_finish_extent_commit+0x9a/0x1be [btrfs]
  [ 3145.415085]  btrfs_commit_transaction+0x649/0x7a0 [btrfs]
  [ 3145.415085]  ? start_transaction+0x2b0/0x3b3 [btrfs]
  [ 3145.415085]  btrfs_dev_replace_start+0x274/0x30c [btrfs]
  [ 3145.415085]  btrfs_dev_replace_by_ioctl+0x45/0x59 [btrfs]
  [ 3145.415085]  btrfs_ioctl+0x1a91/0x1d62 [btrfs]
  [ 3145.415085]  ? lock_acquire+0x16a/0x1af
  [ 3145.415085]  ? vfs_ioctl+0x1b/0x28
  [ 3145.415085]  ? trace_hardirqs_on_caller+0x14c/0x1a6
  [ 3145.415085]  vfs_ioctl+0x1b/0x28
  [ 3145.415085]  do_vfs_ioctl+0x5a9/0x5e0
  [ 3145.415085]  ? _raw_spin_unlock_irq+0x34/0x46
  [ 3145.415085]  ? entry_SYSCALL_64_fastpath+0x5/0x8b
  [ 3145.415085]  ? trace_hardirqs_on_caller+0x14c/0x1a6
  [ 3145.415085]  SyS_ioctl+0x52/0x76
  [ 3145.415085]  entry_SYSCALL_64_fastpath+0x1e/0x8b
  [ 3145.415085] RIP: 0033:0x7f56558b3c47
  [ 3145.415085] RSP: 002b:7ffdcfac4c58 EFLAGS: 0202
  [ 3145.415085] Code: be 02 00 00 00 4c 89 ef e8 b9 e7 03 00 85 c0 89 c5 75 75 48 8b 
44 24 08 45 31 f6 48 8d 58 60 eb 52 48 8b 03 48 8b b8 a0 00 00 00 <48> 8b 87 e0 
00
  [ 3145.415085] RIP: btrfs_discard_extent+0x6a/0xf8 [btrfs] RSP: 
c90004813c60
  [ 3145.415085] CR2: 00e0
  [ 3145.458185] ---[ end trace 06302e7ac31902bf ]---

This is trivially reproduced by running the test btrfs/027 from fstests
like this:

   $ MOUNT_OPTIONS="-o discard" ./check btrfs/027

Fix this by skipping devices without a backing device before attempting
to discard.

Fixes: 38b5f68e9811 ("btrfs: drop btrfs_device::can_discard to query directly")
Signed-off-by: Filipe Manana 



 oh no, I missed the context of degraded when writing this patch.
 Thanks for the fix.

 Reviewed-by: Anand Jain 

Thanks, Anand


---
  fs/btrfs/extent-tree.c | 4 
  1 file changed, 4 insertions(+)

diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 9d220b276c8f..d59ee24645e3 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -2147,6 +2147,10 @@ int btrfs_discard_extent(struct btrfs_fs_info *fs_info, 
u64 bytenr,
u64 bytes;
struct request_queue *req_q;
  
+			if (!stripe->dev->bdev) {

+   ASSERT(btrfs_test_opt(fs_info, DEGRADED));
+   continue;
+   }
req_q = bdev_get_queue(stripe->dev->bdev);
if (!blk_queue_discard(req_q))
continue;


--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] Btrfs: fix null pointer dereference when replacing missing device

2018-01-30 Thread fdmanana

From: Filipe Manana 

When we are replacing a missing device we mount the filesystem with the
degraded mode option in which case we are allowed to have a btrfs device
structure without a backing device member (its bdev member is NULL) and
therefore we can't dereference that member. Commit 38b5f68e9811
("btrfs: drop btrfs_device::can_discard to query directly") started to
dereference that member when discarding extents, resulting in a null
pointer dereference:

 [ 3145.322257] BTRFS warning (device sdf): devid 2 uuid 
4d922414-58eb-4880-8fed-9c3840f6c5d5 is missing
 [ 3145.364116] BTRFS info (device sdf): dev_replace from  (devid 
2) to /dev/sdg started
 [ 3145.413489] BUG: unable to handle kernel NULL pointer dereference at 
00e0
 [ 3145.415085] IP: btrfs_discard_extent+0x6a/0xf8 [btrfs]
 [ 3145.415085] PGD 0 P4D 0
 [ 3145.415085] Oops:  [#1] PREEMPT SMP PTI
 [ 3145.415085] Modules linked in: ppdev ghash_clmulni_intel pcbc aesni_intel 
aes_x86_64 crypto_simd cryptd glue_helper evdev psmouse parport_pc serio_raw 
i2c_piix4 i2
 [ 3145.415085] CPU: 0 PID: 11989 Comm: btrfs Tainted: GW
4.15.0-rc9-btrfs-next-55+ #1
 [ 3145.415085] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
 [ 3145.415085] RIP: 0010:btrfs_discard_extent+0x6a/0xf8 [btrfs]
 [ 3145.415085] RSP: 0018:c90004813c60 EFLAGS: 00010293
 [ 3145.415085] RAX: 88020d39cc00 RBX: 88020c4ea2a0 RCX: 
0002
 [ 3145.415085] RDX:  RSI: 88020c4ea240 RDI: 

 [ 3145.415085] RBP:  R08: 4000 R09: 

 [ 3145.415085] R10: c90004813ae8 R11:  R12: 

 [ 3145.415085] R13: 88020c418000 R14:  R15: 

 [ 3145.415085] FS:  7f565681f8c0() GS:88023fc0() 
knlGS:
 [ 3145.415085] CS:  0010 DS:  ES:  CR0: 80050033
 [ 3145.415085] CR2: 00e0 CR3: 00020d208006 CR4: 
001606f0
 [ 3145.415085] Call Trace:
 [ 3145.415085]  btrfs_finish_extent_commit+0x9a/0x1be [btrfs]
 [ 3145.415085]  btrfs_commit_transaction+0x649/0x7a0 [btrfs]
 [ 3145.415085]  ? start_transaction+0x2b0/0x3b3 [btrfs]
 [ 3145.415085]  btrfs_dev_replace_start+0x274/0x30c [btrfs]
 [ 3145.415085]  btrfs_dev_replace_by_ioctl+0x45/0x59 [btrfs]
 [ 3145.415085]  btrfs_ioctl+0x1a91/0x1d62 [btrfs]
 [ 3145.415085]  ? lock_acquire+0x16a/0x1af
 [ 3145.415085]  ? vfs_ioctl+0x1b/0x28
 [ 3145.415085]  ? trace_hardirqs_on_caller+0x14c/0x1a6
 [ 3145.415085]  vfs_ioctl+0x1b/0x28
 [ 3145.415085]  do_vfs_ioctl+0x5a9/0x5e0
 [ 3145.415085]  ? _raw_spin_unlock_irq+0x34/0x46
 [ 3145.415085]  ? entry_SYSCALL_64_fastpath+0x5/0x8b
 [ 3145.415085]  ? trace_hardirqs_on_caller+0x14c/0x1a6
 [ 3145.415085]  SyS_ioctl+0x52/0x76
 [ 3145.415085]  entry_SYSCALL_64_fastpath+0x1e/0x8b
 [ 3145.415085] RIP: 0033:0x7f56558b3c47
 [ 3145.415085] RSP: 002b:7ffdcfac4c58 EFLAGS: 0202
 [ 3145.415085] Code: be 02 00 00 00 4c 89 ef e8 b9 e7 03 00 85 c0 89 c5 75 75 
48 8b 44 24 08 45 31 f6 48 8d 58 60 eb 52 48 8b 03 48 8b b8 a0 00 00 00 <48> 8b 
87 e0 00
 [ 3145.415085] RIP: btrfs_discard_extent+0x6a/0xf8 [btrfs] RSP: 
c90004813c60
 [ 3145.415085] CR2: 00e0
 [ 3145.458185] ---[ end trace 06302e7ac31902bf ]---

This is trivially reproduced by running the test btrfs/027 from fstests
like this:

  $ MOUNT_OPTIONS="-o discard" ./check btrfs/027

Fix this by skipping devices without a backing device before attempting
to discard.

Fixes: 38b5f68e9811 ("btrfs: drop btrfs_device::can_discard to query directly")
Signed-off-by: Filipe Manana 
---
 fs/btrfs/extent-tree.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 9d220b276c8f..d59ee24645e3 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -2147,6 +2147,10 @@ int btrfs_discard_extent(struct btrfs_fs_info *fs_info, 
u64 bytenr,
u64 bytes;
struct request_queue *req_q;
 
+   if (!stripe->dev->bdev) {
+   ASSERT(btrfs_test_opt(fs_info, DEGRADED));
+   continue;
+   }
req_q = bdev_get_queue(stripe->dev->bdev);
if (!blk_queue_discard(req_q))
continue;
-- 
2.11.0

--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] Btrfs: fix null pointer dereference when replacing missing device

Re: [PATCH] Btrfs: fix null pointer dereference when replacing missing device

[PATCH] Btrfs: fix null pointer dereference when replacing missing device

3 matches

Site Navigation

Mail list logo

Footer information