From: Josef Bacik
To: linux-btrfs@vger.kernel.org, kernel-team@fb.com
Cc: Filipe Manana
Subject: [PATCH 1/2][v2] btrfs: convert block group refcount to refcount_t
Date: Mon, 6 Jul 2020 09:14:11 -0400
Message-Id: <20200706131412.28870-1-josef@toxicpanda.com>

We have refcount_t now with the associated library to handle refcounts, which gives us extra debugging around reference count mistakes that may be made. For example it'll warn on any transition from 0->1 or 0->-1, which is handy for noticing cases where we've messed up reference counting.

Convert the block group ref counting from an atomic_t to refcount_t and use the appropriate helpers.

Reviewed-by: Filipe Manana
Signed-off-by: Josef Bacik
---
- rename ->count to ->refs.
- updated commit message.

 fs/btrfs/block-group.c | 8 ++++----
 fs/btrfs/block-group.h | 3 +--
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c index 3aa78952a2b7..0a67a50f448a 100644 --- a/fs/btrfs/block-group.c +++ b/fs/btrfs/block-group.c @@ -118,12 +118,12 @@ u64 btrfs_get_alloc_profile(struct btrfs_fs_info *fs_info, u64 orig_flags) void btrfs_get_block_group(struct btrfs_block_group *cache) { - atomic_inc(&cache->count); + refcount_inc(&cache->refs); } void btrfs_put_block_group(struct btrfs_block_group *cache) { - if (atomic_dec_and_test(&cache->count)) { + if (refcount_dec_and_test(&cache->refs)) { WARN_ON(cache->pinned > 0); WARN_ON(cache->reserved > 0); @@ -1805,7 +1805,7 @@ static struct btrfs_block_group *btrfs_create_block_group_cache( cache->discard_index = BTRFS_DISCARD_INDEX_UNUSED; - atomic_set(&cache->count, 1); + refcount_set(&cache->refs, 1); spin_lock_init(&cache->lock); init_rwsem(&cache->data_rwsem); INIT_LIST_HEAD(&cache->list);
@@ -3428,7 +3428,7 @@ int btrfs_free_block_groups(struct btrfs_fs_info *info) ASSERT(list_empty(&block_group->dirty_list)); ASSERT(list_empty(&block_group->io_list)); ASSERT(list_empty(&block_group->bg_list)); - ASSERT(atomic_read(&block_group->count) == 1); + ASSERT(refcount_read(&block_group->refs) == 1); btrfs_put_block_group(block_group); spin_lock(&info->block_group_cache_lock); diff --git a/fs/btrfs/block-group.h b/fs/btrfs/block-group.h index b6ee70a039c7..adfd7583a17b 100644 --- a/fs/btrfs/block-group.h +++ b/fs/btrfs/block-group.h 
@@ -114,8 +114,7 @@ struct btrfs_block_group { /* For block groups in the same raid type */ struct list_head list; - /* Usage count */ - atomic_t count; + refcount_t refs; /* * List of struct btrfs_free_clusters for this block group.
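Review bot: In btrfs_get_block_group(), `refcount_inc(&cache->refs)` warns if it is ever reached with the count already at zero, where `atomic_inc()` silently resurrected the object. Please confirm, and say so in the commit message, that every caller already holds a reference or otherwise keeps the block group alive when it calls this helper, so the conversion does not surface as a WARN on an existing race.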
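Review bot: In the struct btrfs_block_group hunk, the `/* Usage count */` comment is dropped together with the rename, which leaves `refcount_t refs;` as an undocumented field between commented neighbours. Keep a one-line comment on the new field, ideally noting that the initial reference is the one set at creation.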
From: Josef Bacik
To: linux-btrfs@vger.kernel.org, kernel-team@fb.com
Cc: Filipe Manana
Subject: [PATCH 2/2] btrfs: fix block group UAF bug with nocow
Date: Mon, 6 Jul 2020 09:14:12 -0400
Message-Id: <20200706131412.28870-2-josef@toxicpanda.com>
In-Reply-To: <20200706131412.28870-1-josef@toxicpanda.com>
References: <20200706131412.28870-1-josef@toxicpanda.com>

While debugging a patch that I wrote I was hitting UAF panics when accessing block groups on unmount. This turned out to be because in the nocow case if we bail out of doing the nocow for whatever reason we need to call btrfs_dec_nocow_writers() if we called the inc. This puts our block group, but a few error cases do

    if (nocow) {
        btrfs_dec_nocow_writers();
        goto error;
    }

unfortunately, error is

    error:
        if (nocow)
            btrfs_dec_nocow_writers();

so we get a double put on our block group. Fix this by dropping the error cases calling of btrfs_dec_nocow_writers(), as it's handled at the error label now.

Fixes: 762bf09893b4 ("btrfs: improve error handling in run_delalloc_nocow")
Reviewed-by: Filipe Manana
Signed-off-by: Josef Bacik
---
 fs/btrfs/inode.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index d894d9e41aad..7c03b402529e 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -1688,12 +1688,8 @@ static noinline int run_delalloc_nocow(struct btrfs_inode *inode, ret = fallback_to_cow(inode, locked_page, cow_start, found_key.offset - 1, page_started, nr_written); - if (ret) { - if (nocow) - btrfs_dec_nocow_writers(fs_info, - disk_bytenr); + if (ret) goto error; - } cow_start = (u64)-1; }
@@ -1709,9 +1705,6 @@ static noinline int run_delalloc_nocow(struct btrfs_inode *inode, ram_bytes, BTRFS_COMPRESS_NONE, BTRFS_ORDERED_PREALLOC); if (IS_ERR(em)) { - if (nocow) - btrfs_dec_nocow_writers(fs_info, - disk_bytenr); ret = PTR_ERR(em); goto error; }
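Review bot: In the fallback_to_cow() failure branch, what remains is `if (ret) goto error;`, so releasing the nocow writer now depends entirely on `nocow` still being set when the `error` label runs. A short comment here or at the label saying that the label owns the btrfs_dec_nocow_writers() call would keep a later change from putting the call back into the branch.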
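Review bot: The IS_ERR(em) branch gets the same removal, and the diffstat shows only these two sites touched; please confirm that no other exit in run_delalloc_nocow() still calls btrfs_dec_nocow_writers() immediately before `goto error`. Since this fixes a use-after-free and carries a Fixes: tag, also consider whether it should be tagged for stable.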
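The double put from the commit message above, modelled in user space as an added example (not part of the patch or of btrfs). `toy_bg`, `toy_put`, `nocow_path` and `run` are hypothetical names, and the model assumes the inc holds one block group reference that the dec puts, as the message describes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy checked refcount standing in for refcount_t (constructed, not kernel code). */
struct toy_bg { int refs; int warnings; bool freed; };

static void toy_put(struct toy_bg *bg)
{
	if (bg->refs <= 0) { bg->warnings++; return; }	/* 0 -> -1: warn, refuse */
	if (--bg->refs == 0)
		bg->freed = true;
}

/* Error handling shaped like the commit message; put_in_branch = pre-fix form. */
static int nocow_path(struct toy_bg *bg, bool fail, bool put_in_branch)
{
	bool nocow = true;
	int ret = 0;
	bg->refs++;			/* assumed: the inc holds a reference */
	if (fail) {
		ret = -1;
		if (nocow && put_in_branch)
			toy_put(bg);	/* pre-fix: put in the error branch ... */
		goto error;
	}
error:
	if (nocow)
		toy_put(bg);		/* ... and the label puts again */
	return ret;
}

/* Fail once, then drop the owner's reference as unmount would. */
static int run(bool put_in_branch, bool *early)
{
	struct toy_bg bg = { .refs = 1 };	/* refcount_set(..., 1) at creation */
	nocow_path(&bg, true, put_in_branch);
	*early = bg.freed;		/* freed while the owner still holds a pointer */
	toy_put(&bg);			/* owner's put: underflows if a ref was stolen */
	return bg.warnings;
}

int main(void)
{
	bool e1, e2;
	int w1 = run(true, &e1), w2 = run(false, &e2);
	printf("pre-fix:  early_free=%d warnings=%d\n", e1, w1);
	printf("post-fix: early_free=%d warnings=%d\n", e2, w2);
	return 0;
}
```

The second put does not underflow by itself; it consumes the owner's reference, so the object is freed early and the warning only appears at the owner's final put, which matches the panics showing up at unmount.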