| Message ID | 20220303144027.1981835-1-dzm91@hust.edu.cn (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | btrfs: don't access possibly stale fs_info data in device_list_add | expand |
On Thu, Mar 03, 2022 at 10:40:27PM +0800, Dongliang Mu wrote: > From: Dongliang Mu <mudongliangabcd@gmail.com> > > Syzbot reported a possible use-after-free in printing information > in device_list_add. > > Very similar with the bug fixed by commit 0697d9a61099 ("btrfs: don't > access possibly stale fs_info data for printing duplicate device"), > but this time the use occurs in btrfs_info_in_rcu. > > ============================================================ > Call Trace: > kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 > btrfs_printk+0x395/0x425 fs/btrfs/super.c:244 > device_list_add.cold+0xd7/0x2ed fs/btrfs/volumes.c:957 > btrfs_scan_one_device+0x4c7/0x5c0 fs/btrfs/volumes.c:1387 > btrfs_control_ioctl+0x12a/0x2d0 fs/btrfs/super.c:2409 > vfs_ioctl fs/ioctl.c:51 [inline] > __do_sys_ioctl fs/ioctl.c:874 [inline] > __se_sys_ioctl fs/ioctl.c:860 [inline] > __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x44/0xae > ============================================================ > > Fix this by modifying device->fs_info to NULL too. > > Reported-and-tested-by: syzbot+82650a4e0ed38f218363@syzkaller.appspotmail.com > Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> > --- > fs/btrfs/volumes.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c > index b07d382d53a8..c1325bdae9a1 100644 > --- a/fs/btrfs/volumes.c > +++ b/fs/btrfs/volumes.c > @@ -954,7 +954,7 @@ static noinline struct btrfs_device *device_list_add(const char *path, > task_pid_nr(current)); > return ERR_PTR(-EEXIST); > } > - btrfs_info_in_rcu(device->fs_info, > + btrfs_info_in_rcu(NULL, A few lines above this is also NULL and was fixed by 0697d9a61099 ("btrfs: don't access possibly stale fs_info data for printing duplicate device"), so yeah we probably need the same here.
On 04/03/2022 02:24, David Sterba wrote: > On Thu, Mar 03, 2022 at 10:40:27PM +0800, Dongliang Mu wrote: >> From: Dongliang Mu <mudongliangabcd@gmail.com> >> >> Syzbot reported a possible use-after-free in printing information >> in device_list_add. >> >> Very similar with the bug fixed by commit 0697d9a61099 ("btrfs: don't >> access possibly stale fs_info data for printing duplicate device"), >> but this time the use occurs in btrfs_info_in_rcu. >> >> ============================================================ >> Call Trace: >> kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 >> btrfs_printk+0x395/0x425 fs/btrfs/super.c:244 >> device_list_add.cold+0xd7/0x2ed fs/btrfs/volumes.c:957 >> btrfs_scan_one_device+0x4c7/0x5c0 fs/btrfs/volumes.c:1387 >> btrfs_control_ioctl+0x12a/0x2d0 fs/btrfs/super.c:2409 >> vfs_ioctl fs/ioctl.c:51 [inline] >> __do_sys_ioctl fs/ioctl.c:874 [inline] >> __se_sys_ioctl fs/ioctl.c:860 [inline] >> __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860 >> do_syscall_x64 arch/x86/entry/common.c:50 [inline] >> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 >> entry_SYSCALL_64_after_hwframe+0x44/0xae >> ============================================================ >> >> Fix this by modifying device->fs_info to NULL too. >> >> Reported-and-tested-by: syzbot+82650a4e0ed38f218363@syzkaller.appspotmail.com >> Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> >> --- >> fs/btrfs/volumes.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c >> index b07d382d53a8..c1325bdae9a1 100644 >> --- a/fs/btrfs/volumes.c >> +++ b/fs/btrfs/volumes.c >> @@ -954,7 +954,7 @@ static noinline struct btrfs_device *device_list_add(const char *path, >> task_pid_nr(current)); >> return ERR_PTR(-EEXIST); >> } >> - btrfs_info_in_rcu(device->fs_info, >> + btrfs_info_in_rcu(NULL, > > A few lines above this is also NULL and was fixed by 0697d9a61099 > ("btrfs: don't access possibly stale fs_info data for printing duplicate > device"), so yeah we probably need the same here. So it appears that device->fs_info was garbage instead of NULL OR fs_info->sb was NULL? Because we always had a check if fs_info is null in btrfs_printk() further the commit a0f6d924cada ("btrfs: remove stub device info from messages when we have no fs_info") made it better. Thanks, Anand
On Fri, Mar 04, 2022 at 07:53:27AM +0800, Anand Jain wrote: > On 04/03/2022 02:24, David Sterba wrote: > > On Thu, Mar 03, 2022 at 10:40:27PM +0800, Dongliang Mu wrote: > >> > >> Fix this by modifying device->fs_info to NULL too. > >> > >> Reported-and-tested-by: syzbot+82650a4e0ed38f218363@syzkaller.appspotmail.com > >> Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> > >> --- > >> fs/btrfs/volumes.c | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c > >> index b07d382d53a8..c1325bdae9a1 100644 > >> --- a/fs/btrfs/volumes.c > >> +++ b/fs/btrfs/volumes.c > >> @@ -954,7 +954,7 @@ static noinline struct btrfs_device *device_list_add(const char *path, > >> task_pid_nr(current)); > >> return ERR_PTR(-EEXIST); > >> } > >> - btrfs_info_in_rcu(device->fs_info, > >> + btrfs_info_in_rcu(NULL, > > > > A few lines above this is also NULL and was fixed by 0697d9a61099 > > ("btrfs: don't access possibly stale fs_info data for printing duplicate > > device"), so yeah we probably need the same here. > > So it appears that device->fs_info was garbage instead of NULL OR > fs_info->sb was NULL? I think it's a warning that something could happen, in this case potential garbage value of fs_info. > Because we always had a check if fs_info is null in btrfs_printk() > further the commit a0f6d924cada ("btrfs: remove stub device info from > messages when we have no fs_info") made it better. Yeah, that's removing a potential crash but still the NULL value could come from a freed memory. Seems taht we can't rely on fs_info in device_list_add at all and passing NULL is the only safe way.
On Thu, Mar 03, 2022 at 10:40:27PM +0800, Dongliang Mu wrote: > From: Dongliang Mu <mudongliangabcd@gmail.com> > > Syzbot reported a possible use-after-free in printing information > in device_list_add. > > Very similar with the bug fixed by commit 0697d9a61099 ("btrfs: don't > access possibly stale fs_info data for printing duplicate device"), > but this time the use occurs in btrfs_info_in_rcu. > > ============================================================ > Call Trace: > kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 > btrfs_printk+0x395/0x425 fs/btrfs/super.c:244 > device_list_add.cold+0xd7/0x2ed fs/btrfs/volumes.c:957 > btrfs_scan_one_device+0x4c7/0x5c0 fs/btrfs/volumes.c:1387 > btrfs_control_ioctl+0x12a/0x2d0 fs/btrfs/super.c:2409 > vfs_ioctl fs/ioctl.c:51 [inline] > __do_sys_ioctl fs/ioctl.c:874 [inline] > __se_sys_ioctl fs/ioctl.c:860 [inline] > __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x44/0xae > ============================================================ > > Fix this by modifying device->fs_info to NULL too. > > Reported-and-tested-by: syzbot+82650a4e0ed38f218363@syzkaller.appspotmail.com > Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> Added to misc-next, thanks.
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index b07d382d53a8..c1325bdae9a1 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c @@ -954,7 +954,7 @@ static noinline struct btrfs_device *device_list_add(const char *path, task_pid_nr(current)); return ERR_PTR(-EEXIST); } - btrfs_info_in_rcu(device->fs_info, + btrfs_info_in_rcu(NULL, "devid %llu device path %s changed to %s scanned by %s (%d)", devid, rcu_str_deref(device->name), path, current->comm,