From patchwork Fri Jun 13 23:43:56 2014
X-Patchwork-Submitter: Adam Buchbinder
X-Patchwork-Id: 4352001
From: Adam Buchbinder
To: linux-btrfs@vger.kernel.org
Cc: dave@jikos.cz, Adam Buchbinder
Subject: [PATCH] Fix a use-after-free in the volumes code.
Date: Fri, 13 Jun 2014 16:43:56 -0700
Message-Id: <1402703036-2447-1-git-send-email-abuchbinder@google.com>
X-Mailer: git-send-email 2.0.0.526.g5318336

When a struct btrfs_fs_devices was being torn down by btrfs_close_devices(), there was an invalidated pointer in the global list fs_uuids which still pointed to it; if a device was closed and then reopened (which btrfs-convert does), freed memory would be accessed.

This was found using ThreadSanitizer (pretty much doing what AddressSanitizer would, but not exiting after the first failure).

To reproduce, build with -fsanitize=thread and run 'make test'. Representative output is below.

This change makes the current tests TSan-clean.
WARNING: ThreadSanitizer: heap-use-after-free (pid=29161)
  Read of size 8 at 0x7d180000eee0 by main thread:
    #0 memcmp ??:0
    #1 find_fsid .../volumes.c:81
    #2 device_list_add .../volumes.c:95
    #3 btrfs_scan_one_device .../volumes.c:259
    #4 btrfs_scan_fs_devices .../disk-io.c:1002
    #5 __open_ctree_fd .../disk-io.c:1090
    #6 open_ctree_fd .../disk-io.c:1191
    #7 do_convert .../btrfs-convert.c:2317
    #8 main .../btrfs-convert.c:2745

  Previous write of size 8 at 0x7d180000eee0 by main thread:
    #0 free ??:0
    #1 btrfs_close_devices .../volumes.c:191
    #2 close_ctree .../disk-io.c:1401
    #3 do_convert .../btrfs-convert.c:2300
    #4 main .../btrfs-convert.c:2745

  Location is heap block of size 96 at 0x7d180000eee0 allocated by main thread:
    #0 calloc ??:0 (exe+0x00000002acc6)
    #1 device_list_add .../volumes.c:97
    #2 btrfs_scan_one_device .../volumes.c:259
    #3 btrfs_scan_fs_devices .../disk-io.c:1002
    #4 __open_ctree_fd .../disk-io.c:1090
    #5 open_ctree_fd .../disk-io.c:1191
    #6 do_convert .../btrfs-convert.c:2256
    #7 main .../btrfs-convert.c:2745

Signed-off-by: Adam Buchbinder
Reviewed-by: Satoru Takeuchi
---
 volumes.c | 1 +
 volumes.h | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/volumes.c b/volumes.c
index a61928c..36f6050 100644
--- a/volumes.c
+++ b/volumes.c
@@ -188,6 +188,7 @@ again: goto again; } + list_del(&fs_devices->list); free(fs_devices); return 0; }
diff --git a/volumes.h b/volumes.h
index b1ff3d0..2e960b5 100644
--- a/volumes.h
+++ b/volumes.h
@@ -67,7 +67,7 @@ struct btrfs_device { struct btrfs_fs_devices { u8 fsid[BTRFS_FSID_SIZE]; /* FS specific uuid */ - /* the device with this id has the most recent coyp of the super */ + /* the device with this id has the most recent copy of the super */ u64 latest_devid; u64 latest_trans; u64 lowest_devid;
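Review bot: The new list_del(&fs_devices->list) before free(fs_devices) in the volumes.c hunk is reached for every fs_devices that the `goto again` loop just above it feeds through this exit path, so it relies on each of them, seed fs_devices included, still being linked on fs_uuids; list_del on a node that is not on any list rewrites whatever its stale prev/next point at. Please state in the commit message that every fs_devices reaching this point is on fs_uuids (or guard the unlink for the seed path), so the fix is demonstrably safe on both paths and not only on the btrfs-convert open/close/open sequence the TSan trace shows (find_fsid memcmp at volumes.c:81 reading memory freed at volumes.c:191).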
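Review bot: The volumes.h hunk only corrects "coyp" to "copy" in a comment and has nothing to do with the use-after-free; it should go in its own patch (or at least be mentioned in the commit message), so that the bug fix stays a one-line change that is trivial to backport and bisect.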
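The close-then-reopen sequence the commit message describes, as an added C example that is not part of this patch or of btrfs-progs: it models fs_uuids with a small intrusive list, replaces calloc/free with a fixed pool whose `freed` flag makes a read of freed memory observable (the role ThreadSanitizer plays in the report above), and runs both the pre-patch teardown (free while still linked) and the patched teardown (unlink, then free). The names `fs_devices`, `close_devices_buggy`, `close_devices_fixed`, `open_close_reopen`, the pool helpers and the 0xab fsid are all constructed for the example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FSID_SIZE 16
#define POOL_SIZE 4

/* Minimal intrusive doubly linked list, the shape btrfs-progs uses for fs_uuids. */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *head)
{
	n->next = head->next; n->prev = head;
	head->next->prev = n; head->next = n;
}
static void list_del(struct list_head *n)
{
	n->prev->next = n->next; n->next->prev = n->prev;
	n->next = n->prev = NULL;	/* a second unlink now fails loudly */
}

/* Stand-in for struct btrfs_fs_devices (constructed; only the fields needed). */
struct fs_devices {
	unsigned char fsid[FSID_SIZE];
	struct list_head list;	/* links this entry into fs_uuids */
	bool freed;		/* set by pool_free(): "this memory was returned" */
};

/* A static pool replaces calloc()/free() so that reading a freed node is an
 * observable flag instead of undefined behaviour, which is what a sanitizer
 * provides for real heap memory. */
static struct fs_devices pool[POOL_SIZE];
static struct list_head fs_uuids;	/* global list of known filesystems */

static void reset_state(void)
{
	memset(pool, 0, sizeof(pool));
	for (int i = 0; i < POOL_SIZE; i++)
		pool[i].freed = true;	/* everything starts out unallocated */
	list_init(&fs_uuids);
}

static struct fs_devices *pool_alloc(void)
{
	for (int i = 0; i < POOL_SIZE; i++)
		if (pool[i].freed) { pool[i].freed = false; return &pool[i]; }
	return NULL;
}
static void pool_free(struct fs_devices *f) { f->freed = true; }

/* find_fsid(): walk fs_uuids comparing fsids, as volumes.c does.  Returns 1 on
 * a match, 0 if absent, -1 if the walk reached a node whose memory was already
 * freed (the memcmp() read in the ThreadSanitizer report). */
static int find_fsid(const unsigned char *fsid, struct fs_devices **out)
{
	*out = NULL;
	for (struct list_head *p = fs_uuids.next; p != &fs_uuids; p = p->next) {
		struct fs_devices *f = container_of(p, struct fs_devices, list);
		if (f->freed)
			return -1;	/* heap-use-after-free */
		if (memcmp(f->fsid, fsid, FSID_SIZE) == 0) { *out = f; return 1; }
	}
	return 0;
}

/* device_list_add(): reuse the fs_devices for this fsid or create one.
 * Returns NULL if the lookup would have read freed memory. */
static struct fs_devices *device_list_add(const unsigned char *fsid)
{
	struct fs_devices *f;
	if (find_fsid(fsid, &f) < 0)
		return NULL;
	if (!f) {
		f = pool_alloc();
		memcpy(f->fsid, fsid, FSID_SIZE);
		list_add(&f->list, &fs_uuids);
	}
	return f;
}

/* Pre-patch teardown: free while still linked on fs_uuids. */
static void close_devices_buggy(struct fs_devices *f) { pool_free(f); }
/* Patched teardown: unlink from fs_uuids, then free. */
static void close_devices_fixed(struct fs_devices *f) { list_del(&f->list); pool_free(f); }

/* The btrfs-convert sequence: open, close, open again.  Returns 0 when the
 * second open sees a valid list, -1 when it reads freed memory. */
static int open_close_reopen(bool fixed)
{
	unsigned char fsid[FSID_SIZE];
	memset(fsid, 0xab, sizeof(fsid));	/* constructed sample fsid */
	reset_state();
	struct fs_devices *f = device_list_add(fsid);
	if (fixed)
		close_devices_fixed(f);
	else
		close_devices_buggy(f);
	return device_list_add(fsid) ? 0 : -1;
}

int main(void)
{
	printf("free while linked, reopen: %d\n", open_close_reopen(false));
	printf("unlink then free, reopen:  %d\n", open_close_reopen(true));
	return 0;
}
```

The pool deliberately hands the second open the same slot the first one released, mirroring how a real allocator can reuse the block: the dangling list entry is harmful precisely because the stale pointer still reaches memory that may now hold something else, and only the unlink before free removes it from the walk.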