From patchwork Fri Sep 18 03:27:56 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthew Ruffell X-Patchwork-Id: 1366548 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Bszn91nGjz9sTN; Fri, 18 Sep 2020 13:28:13 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1kJ74D-0005Cj-Dl; Fri, 18 Sep 2020 03:28:09 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1kJ74B-0005CD-H3 for kernel-team@lists.ubuntu.com; Fri, 18 Sep 2020 03:28:07 +0000 Received: from mail-pg1-f200.google.com ([209.85.215.200]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1kJ74B-0006HI-05 for kernel-team@lists.ubuntu.com; Fri, 18 Sep 2020 03:28:07 +0000 Received: by mail-pg1-f200.google.com with SMTP id 78so2672460pgf.5 for ; Thu, 17 Sep 2020 20:28:06 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=/2tj/p4XJ7XjERu7NlyCOOl9pq/gJdCclHlPEfzInAc=; b=ODccNSRTpCAYFo2XeCsfCEk93/WeVjINDLLJ3CYshlSAnCie70fKgWX6vsNQnsyJp1 oBNzEe1ZlmMKCM4FNd96ROWt/ZN4v4B07v9aanynGSjU4r7/24RX7OFYQ3NhR5SNWFAP 1YMXEL7ijW66ynXBxK4lz13CGeC0aROpvwGYFtMQq3fhWtzOxy0sqnKMdCq6BtD2Q1x5 8Agolpz0cYeaFkNqD6+gL9w48e8vUcmyx1a6mYdklqHbZ9/xIjSVyDmGSFZBtMSKeWD1 AyAxJTGsYoleEMbjj79oAQ/EpO5svej6b6Y8aU2OXmf5Mw7mxS3sgmrqSHquOAdiKj3I yyGQ== X-Gm-Message-State: AOAM532e9xA0AJHcWgeGx7ltnD2rtqbPUe7q5YAYhgdJsw4b199nXSnH p1VeViN1hdgK8NbuU00LFwOQJE3OyZouIzFrxBo3lNIsBIxWQLKUR+2uzPTLuzJO0MdlvgxtU0b XxwS/SvDUJpro+TuZg/Eh8lIUBzbMnYrRGMmLyrX7GQ== X-Received: by 2002:a17:90a:72c7:: with SMTP id l7mr11672727pjk.19.1600399685359; Thu, 17 Sep 2020 20:28:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw5QxKtgQjt7STo4fh0DDPdfgdNQqVZHjqMvJ/Y4WhwE4QGe5PGOfMyk/m5kYOrZzCdX3xjrA== X-Received: by 2002:a17:90a:72c7:: with SMTP id l7mr11672704pjk.19.1600399684996; Thu, 17 Sep 2020 20:28:04 -0700 (PDT) Received: from localhost.localdomain (222-152-178-139-fibre.sparkbb.co.nz. [222.152.178.139]) by smtp.gmail.com with ESMTPSA id n127sm1130383pfn.155.2020.09.17.20.28.03 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Sep 2020 20:28:04 -0700 (PDT) From: Matthew Ruffell To: kernel-team@lists.ubuntu.com Subject: [SRU][F][PATCH 1/1] btrfs: trim: fix underflow in trim length to prevent access beyond device boundary Date: Fri, 18 Sep 2020 15:27:56 +1200 Message-Id: <20200918032756.18315-2-matthew.ruffell@canonical.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200918032756.18315-1-matthew.ruffell@canonical.com> References: <20200918032756.18315-1-matthew.ruffell@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Qu Wenruo BugLink: https://bugs.launchpad.net/bugs/1896154 [BUG] The following script can lead to tons of beyond device boundary access: mkfs.btrfs -f $dev -b 10G mount $dev $mnt trimfs $mnt btrfs filesystem resize 1:-1G $mnt trimfs $mnt [CAUSE] Since commit 929be17a9b49 ("btrfs: Switch btrfs_trim_free_extents to find_first_clear_extent_bit"), we try to avoid trimming ranges that's already trimmed. So we check device->alloc_state by finding the first range which doesn't have CHUNK_TRIMMED and CHUNK_ALLOCATED not set. But if we shrunk the device, that bits are not cleared, thus we could easily got a range starts beyond the shrunk device size. This results the returned @start and @end are all beyond device size, then we call "end = min(end, device->total_bytes -1);" making @end smaller than device size. Then finally we goes "len = end - start + 1", totally underflow the result, and lead to the beyond-device-boundary access. [FIX] This patch will fix the problem in two ways: - Clear CHUNK_TRIMMED | CHUNK_ALLOCATED bits when shrinking device This is the root fix - Add extra safety check when trimming free device extents We check and warn if the returned range is already beyond current device. Link: https://github.com/kdave/btrfs-progs/issues/282 Fixes: 929be17a9b49 ("btrfs: Switch btrfs_trim_free_extents to find_first_clear_extent_bit") CC: stable@vger.kernel.org # 5.4+ Signed-off-by: Qu Wenruo Reviewed-by: Filipe Manana Signed-off-by: David Sterba (backported from commit c57dd1f2f6a7cd1bb61802344f59ccdc5278c983) [mruffell: CHUNK_STATE_MASK file changed to extent_io.h, context fixups] Signed-off-by: Matthew Ruffell Acked-by: Colin Ian King Acked-by: Stefan Bader --- fs/btrfs/extent-tree.c | 14 ++++++++++++++ fs/btrfs/extent_io.h | 2 ++ fs/btrfs/volumes.c | 4 ++++ 3 files changed, 20 insertions(+) diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c index 541497036cc2..aad83d3b8f93 100644 --- a/fs/btrfs/extent-tree.c +++ b/fs/btrfs/extent-tree.c @@ -32,6 +32,7 @@ #include "block-rsv.h" #include "delalloc-space.h" #include "block-group.h" +#include "rcu-string.h" #undef SCRAMBLE_DELAYED_REFS @@ -5599,6 +5600,19 @@ static int btrfs_trim_free_extents(struct btrfs_device *device, u64 *trimmed) &start, &end, CHUNK_TRIMMED | CHUNK_ALLOCATED); + /* Check if there are any CHUNK_* bits left */ + if (start > device->total_bytes) { + WARN_ON(IS_ENABLED(CONFIG_BTRFS_DEBUG)); + btrfs_warn_in_rcu(fs_info, +"ignoring attempt to trim beyond device size: offset %llu length %llu device %s device size %llu", + start, end - start + 1, + rcu_str_deref(device->name), + device->total_bytes); + mutex_unlock(&fs_info->chunk_mutex); + ret = 0; + break; + } + /* Ensure we skip the reserved area in the first 1M */ start = max_t(u64, start, SZ_1M); diff --git a/fs/btrfs/extent_io.h b/fs/btrfs/extent_io.h index bc858c8cef0a..fcf1807cc8dd 100644 --- a/fs/btrfs/extent_io.h +++ b/fs/btrfs/extent_io.h @@ -35,6 +35,8 @@ */ #define CHUNK_ALLOCATED EXTENT_DIRTY #define CHUNK_TRIMMED EXTENT_DEFRAG +#define CHUNK_STATE_MASK (CHUNK_ALLOCATED | \ + CHUNK_TRIMMED) /* * flags for bio submission. The high bits indicate the compression diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index 81be71fb569e..489cc21d7c6f 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c @@ -4907,6 +4907,10 @@ int btrfs_shrink_device(struct btrfs_device *device, u64 new_size) } mutex_lock(&fs_info->chunk_mutex); + /* Clear all state bits beyond the shrunk device size */ + clear_extent_bits(&device->alloc_state, new_size, (u64)-1, + CHUNK_STATE_MASK); + btrfs_device_set_disk_total_bytes(device, new_size); if (list_empty(&device->post_commit_list)) list_add_tail(&device->post_commit_list,