From patchwork Wed May 9 10:35:25 2018
X-Patchwork-Submitter: robbieko
X-Patchwork-Id: 10389077
From: robbieko
To: linux-btrfs@vger.kernel.org
Cc: Robbie Ko
Subject: [PATCH] btrfs: fix invalid memory access with journal_info
Date: Wed, 9 May 2018 18:35:25 +0800
Message-Id: <1525862125-15228-1-git-send-email-robbieko@synology.com>
X-Mailer: git-send-email 1.9.1
Sender: linux-btrfs-owner@vger.kernel.org
X-Mailing-List: linux-btrfs@vger.kernel.org
From: Robbie Ko

When the send process requires memory allocation, the shrinker may be triggered due to insufficient memory. Then evict_inode gets called when the inode is freed, and this function may need to start a transaction. However, journal_info already points to BTRFS_SEND_TRANS_STUB; it passes the if condition, and the following use yields an illegal memory access.

	if (current->journal_info) {
		WARN_ON(type & TRANS_EXTWRITERS);
		h = current->journal_info;
		refcount_inc(&h->use_count);
		WARN_ON(refcount_read(&h->use_count) > 2);
		h->orig_rsv = h->block_rsv;
		h->block_rsv = NULL;
		goto got_it;
	}

Direct IO has a similar problem: journal_info will store btrfs_dio_data, which will lead to an illegal memory access.

We fixed the problem by saving the journal_info and restoring it afterwards.

The call trace looks like this:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000021
IP: [] start_transaction+0x64/0x450 [btrfs]
PGD 8fea4b067 PUD a33bea067 PMD 0
Oops: 0000 [#1] SMP
CPU: 3 PID: 12681 Comm: btrfs Tainted: P C O 3.10.102 #15266
RIP: 0010:[] start_transaction+0x64/0x450 [btrfs]
Call Trace:
 [] ? btrfs_evict_inode+0x3d8/0x580 [btrfs]
 [] ? evict+0xa2/0x1a0
 [] ? shrink_dentry_list+0x308/0x3d0
 [] ? prune_dcache_sb+0x133/0x160
 [] ? prune_super+0xcf/0x1a0
 [] ? shrink_slab+0x11f/0x1d0
 [] ? do_try_to_free_pages+0x452/0x560
 [] ? throttle_direct_reclaim+0x74/0x240
 [] ? try_to_free_pages+0xae/0xc0
 [] ? __alloc_pages_nodemask+0x53b/0x9f0
 [] ? __do_page_cache_readahead+0xec/0x270
 [] ? ondemand_readahead+0xbb/0x220
 [] ? fill_read_buf+0x2b3/0x3a0 [btrfs]
 [] ? send_extent_data+0x10e/0x300 [btrfs]
 [] ? process_extent+0x1fb/0x1310 [btrfs]
 [] ? iterate_dir_item.isra.28+0x1b0/0x250 [btrfs]
 [] ? send_set_xattr+0xa0/0xa0 [btrfs]
 [] ? changed_cb+0xd5/0xc40 [btrfs]
 [] ? full_send_tree+0xf2/0x1a0 [btrfs]
 [] ? btrfs_ioctl_send+0xfbb/0x1040 [btrfs]
 [] ? btrfs_ioctl+0x1084/0x32a0 [btrfs]

Signed-off-by: Robbie Ko
---
 fs/btrfs/inode.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index f534701..77aec8d 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -5295,6 +5295,7 @@ void btrfs_evict_inode(struct inode *inode) int steal_from_global = 0; u64 min_size; int ret; + void *journal_info = NULL; trace_btrfs_inode_evict(inode); @@ -5303,6 +5304,16 @@ void btrfs_evict_inode(struct inode *inode) return; } + /* + * Send or Direct IO may store information in journal_info. + * However, this function may use start_transaction and + * start_transaction will use journal_info. + * To avoid accessing invalid memory, we can save the journal_info + * and restore it later. + */ + journal_info = current->journal_info; + current->journal_info = NULL; + min_size = btrfs_calc_trunc_metadata_size(fs_info, 1); evict_inode_truncate_pages(inode); @@ -5462,6 +5473,7 @@ void btrfs_evict_inode(struct inode *inode) no_delete: btrfs_remove_delayed_node(BTRFS_I(inode)); clear_inode(inode); + current->journal_info = journal_info; } /*
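Review bot: the `= NULL` initializer on `void *journal_info` in the first hunk (`@@ -5295,6 +5295,7 @@`) is dead: the variable is assigned unconditionally from `current->journal_info` before any use, and the only exit before that assignment (the `return;` that precedes the save in the second hunk) never reaches the restore at `no_delete:`. A bare `void *journal_info;` is enough, and it lets the compiler warn about any future path that reads the variable without having gone through the save.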
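Review bot: the second hunk (`@@ -5303,6 +5304,16 @@`) clears `current->journal_info` regardless of what it holds, which changes behaviour for the case the quoted `start_transaction` branch exists for: a real transaction handle. With the slot cleared, evict starts its own handle instead of joining the one already attached to the task, so the `WARN_ON(type & TRANS_EXTWRITERS)` nesting path is no longer taken from evict. If `btrfs_evict_inode` can be reached with a live handle in `journal_info`, the comment needs a sentence on why starting a second handle there is safe; if it cannot, the comment should say so. Either way, the comment should name the concrete values being guarded against (`BTRFS_SEND_TRANS_STUB` and `btrfs_dio_data`, as the commit message does) instead of "Send or Direct IO may store information", so the next reader knows what to grep for.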
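Review bot: the restore in the third hunk (`@@ -5462,6 +5473,7 @@`) sits only at `no_delete:`, so it covers exactly those paths between the save and that label that end in `goto no_delete`. Any `return` between the two points would leave the caller with `current->journal_info == NULL`: for send that silently drops the `BTRFS_SEND_TRANS_STUB` marker for the rest of the send run, for Direct IO it drops the `btrfs_dio_data` pointer. A one-line comment at the save site stating that every exit must pass through `no_delete` would make that constraint visible. The restore is also unconditional: if the truncate/orphan work between save and restore ever leaves a handle attached (a start without its matching end), the assignment overwrites the leaked handle and hides the bug. An `ASSERT(!current->journal_info);` immediately before `current->journal_info = journal_info;` would catch that.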
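The hazard the commit message describes is a per-task untyped slot (`current->journal_info`) that several subsystems overload with values of different types, plus a reentrant path (reclaim into evict) that interprets whatever it finds there as a transaction handle. The following user-space model is an added example, not btrfs code and not part of this patch: `struct task`, the magic words, the `SEND_TRANS_STUB` value and the `scenario_*` functions are all assumptions chosen for the model. The magic words exist only so the model can report the misuse as an error code where the kernel would oops or corrupt memory; the real slot has no such tag, which is the whole problem. The model runs the pre-patch evict body and the save/clear/restore version under the three contexts that matter: send's stub, a Direct IO descriptor, and a real outer handle.

```c
/*
 * Added example (user-space model), not btrfs code. Type names, magic
 * values and SEND_TRANS_STUB are assumptions chosen for the model.
 */
#include <stdio.h>
#include <stdlib.h>

enum { OK_RESTORED = 0, TRANS_FAULT = -1, TRANS_NOMEM = -2, SLOT_CLOBBERED = -3 };

/* Stand-in for current->journal_info: one untyped slot per task. */
struct task {
	void *journal_info;
};

/* Stand-in for a transaction handle; the magic word is model-only. */
struct trans_handle {
	unsigned long magic;
	int use_count;
};
#define TRANS_MAGIC 0x5452414e53UL

/* Stand-in for btrfs_dio_data, tagged so the model can tell it apart. */
struct dio_data {
	unsigned long magic;
	long outstanding_extents;
};
#define DIO_MAGIC 0x44494fUL

/* Sentinel in the spirit of BTRFS_SEND_TRANS_STUB: non-NULL, not a pointer. */
#define SEND_TRANS_STUB ((void *)1)

/* Mirrors the reuse branch quoted in the commit message: any non-NULL
 * journal_info is treated as a live handle and its fields are used. */
static int start_transaction(struct task *cur, struct trans_handle **out)
{
	struct trans_handle *h;

	if (cur->journal_info) {
		/* Kernel: no such check; the stub faults, dio_data is corrupted. */
		if (cur->journal_info == SEND_TRANS_STUB ||
		    *(unsigned long *)cur->journal_info != TRANS_MAGIC)
			return TRANS_FAULT;
		h = cur->journal_info;
		h->use_count++;          /* join the handle already on the task */
		*out = h;
		return 0;
	}
	h = calloc(1, sizeof(*h));
	if (!h)
		return TRANS_NOMEM;
	h->magic = TRANS_MAGIC;
	h->use_count = 1;
	cur->journal_info = h;
	*out = h;
	return 0;
}

/* Last user clears the slot and frees the handle; nested users just drop a ref. */
static void end_transaction(struct task *cur, struct trans_handle *h)
{
	if (--h->use_count > 0)
		return;
	cur->journal_info = NULL;
	free(h);
}

/* What the evict path needs from the transaction layer. */
static int evict_inode_work(struct task *cur)
{
	struct trans_handle *trans;
	int ret = start_transaction(cur, &trans);

	if (ret)
		return ret;
	end_transaction(cur, trans);
	return 0;
}

/* Before the patch: trusts whatever is in the slot. */
static int evict_inode_buggy(struct task *cur)
{
	return evict_inode_work(cur);
}

/* After the patch: save, clear, do the work, restore. */
static int evict_inode_fixed(struct task *cur)
{
	void *journal_info = cur->journal_info;
	int ret;

	cur->journal_info = NULL;
	ret = evict_inode_work(cur);
	cur->journal_info = journal_info;
	return ret;
}

/* Reclaim-triggered evict while `ctx` occupies the slot. Returns the evict
 * result, or SLOT_CLOBBERED if the caller's value did not survive. */
static int scenario(void *ctx, int fixed)
{
	struct task cur = { .journal_info = ctx };
	int ret = fixed ? evict_inode_fixed(&cur) : evict_inode_buggy(&cur);

	if (ret)
		return ret;
	return cur.journal_info == ctx ? OK_RESTORED : SLOT_CLOBBERED;
}

static int scenario_send(int fixed)
{
	return scenario(SEND_TRANS_STUB, fixed);
}

static int scenario_dio(int fixed)
{
	struct dio_data dio = { .magic = DIO_MAGIC, .outstanding_extents = 3 };

	return scenario(&dio, fixed);
}

/* A real outer handle: both variants must leave it attached with one ref. */
static int scenario_nested(int fixed)
{
	struct trans_handle outer = { .magic = TRANS_MAGIC, .use_count = 1 };
	int ret = scenario(&outer, fixed);

	return outer.use_count == 1 ? ret : SLOT_CLOBBERED;
}

int main(void)
{
	printf("send   buggy=%d fixed=%d\n", scenario_send(0), scenario_send(1));
	printf("dio    buggy=%d fixed=%d\n", scenario_dio(0), scenario_dio(1));
	printf("nested buggy=%d fixed=%d\n", scenario_nested(0), scenario_nested(1));
	return 0;
}
```

The nested scenario is the one worth watching when reviewing the patch itself: before the change, evict joins the outer handle (use_count goes 1, 2, 1); after it, evict starts and ends a private handle while the outer one sits untouched in the saved variable. Both end in a consistent state here, but they are different code paths in the real transaction layer.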