iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/fs/btrfs
History
Qu Wenruo d9bb77d51e btrfs: subpage: fix wild pointer access during metadata read failure 
[BUG]
When running fstests for btrfs subpage read-write test, it has a very
high chance to crash at generic/475 with the following stack:

 BTRFS warning (device dm-8): direct IO failed ino 510 rw 1,34817 sector 0xcdf0 len 94208 err no 10
 Unable to handle kernel paging request at virtual address ffff80001157e7c0
 CPU: 2 PID: 687125 Comm: kworker/u12:4 Tainted: G        WC        5.12.0-rc2-custom+ #5
 Hardware name: Khadas VIM3 (DT)
 Workqueue: btrfs-endio-meta btrfs_work_helper [btrfs]
 pc : queued_spin_lock_slowpath+0x1a0/0x390
 lr : do_raw_spin_lock+0xc4/0x11c
 Call trace:
  queued_spin_lock_slowpath+0x1a0/0x390
  _raw_spin_lock+0x68/0x84
  btree_readahead_hook+0x38/0xc0 [btrfs]
  end_bio_extent_readpage+0x504/0x5f4 [btrfs]
  bio_endio+0x170/0x1a4
  end_workqueue_fn+0x3c/0x60 [btrfs]
  btrfs_work_helper+0x1b0/0x1b4 [btrfs]
  process_one_work+0x22c/0x430
  worker_thread+0x70/0x3a0
  kthread+0x13c/0x140
  ret_from_fork+0x10/0x30
 Code: 910020e0 8b0200c2 f861d884 aa0203e1 (f8246827)

[CAUSE]
In end_bio_extent_readpage(), if we hit an error during read, we will
handle the error differently for data and metadata.
For data we queue a repair, while for metadata, we record the error and
let the caller choose what to do.

But the code is still using page->private to grab extent buffer, which
no longer points to extent buffer for subpage metadata pages.

Thus this wild pointer access leads to above crash.

[FIX]
Introduce a helper, find_extent_buffer_readpage(), to grab extent
buffer.

The difference against find_extent_buffer_nospinlock() is:

- Also handles regular sectorsize == PAGE_SIZE case
- No extent buffer refs increase/decrease
  As extent buffer under IO must have non-zero refs, so this is safe

Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
2021-03-16 11:06:18 +01:00
..
tests
btrfs: extend btrfs_rmap_block for specifying a device
2021-02-09 02:46:05 +01:00
acl.c
btrfs: cleanup btrfs_setxattr_trans and drop transaction parameter
2019-04-29 19:02:44 +02:00
async-thread.c
Btrfs: fix crash during unmount due to race with delayed inode workers
2020-03-23 17:01:51 +01:00
async-thread.h
Btrfs: fix crash during unmount due to race with delayed inode workers
2020-03-23 17:01:51 +01:00
backref.c
btrfs: do not warn if we can't find the reloc root when looking up backref
2021-02-08 22:58:56 +01:00
backref.h
btrfs: add asserts for deleting backref cache nodes
2021-02-08 22:58:56 +01:00
block-group.c
btrfs: fix race between writes to swap files and scrub
2021-02-22 18:07:15 +01:00
block-group.h
btrfs: fix race between writes to swap files and scrub
2021-02-22 18:07:15 +01:00
block-rsv.c
btrfs: introduce mount option rescue=ignorebadroots
2020-12-08 15:53:41 +01:00
block-rsv.h
btrfs: Remove __ prefix from btrfs_block_rsv_release
2020-03-23 17:01:55 +01:00
btrfs_inode.h
btrfs: make btrfs_dio_private::bytes u32
2021-02-08 22:58:51 +01:00
check-integrity.c
btrfs: drop casts of bio bi_sector
2020-12-09 19:16:05 +01:00
check-integrity.h
btrfs: remove btrfsic_submit_bh()
2020-03-23 17:01:39 +01:00
compression.c
btrfs: make check_compressed_csum() to be subpage compatible
2021-02-22 17:15:27 +01:00
compression.h
btrfs: compression: move declarations to header
2020-10-07 12:06:55 +02:00
ctree.c
btrfs: fix extent buffer leak on failure to copy root
2021-02-08 22:59:04 +01:00
ctree.h
btrfs: fix race between writes to swap files and scrub
2021-02-22 18:07:15 +01:00
delalloc-space.c
btrfs: fix parameter description of btrfs_inode_rsv_release/btrfs_delalloc_release_space
2021-02-08 22:58:54 +01:00
delalloc-space.h
btrfs: make btrfs_delalloc_reserve_space take btrfs_inode
2020-07-27 12:55:36 +02:00
delayed-inode.c
btrfs: don't flush from btrfs_delayed_inode_reserve_metadata
2021-03-02 17:17:09 +01:00
delayed-inode.h
btrfs: make btrfs_delayed_update_inode take btrfs_inode
2020-12-08 15:54:10 +01:00
delayed-ref.c
btrfs: account for new extents being deleted in total_bytes_pinned
2021-02-08 22:58:55 +01:00
delayed-ref.h
btrfs: only let one thread pre-flush delayed refs in commit
2021-02-08 22:58:56 +01:00
dev-replace.c
btrfs: zoned: mark block groups to copy for device-replace
2021-02-09 02:46:07 +01:00
dev-replace.h
btrfs: zoned: mark block groups to copy for device-replace
2021-02-09 02:46:07 +01:00
dir-item.c
btrfs: locking: rip out path->leave_spinning
2020-12-08 15:54:02 +01:00
discard.c
btrfs: document now parameter of peek_discard_list
2021-02-08 22:58:53 +01:00
discard.h
btrfs: cleanup btrfs_discard_update_discardable usage
2020-12-08 15:54:02 +01:00
disk-io.c
btrfs: zoned: reorder log node allocation on zoned filesystem
2021-02-09 02:48:41 +01:00
disk-io.h
btrfs: split alloc_log_tree()
2021-02-09 02:46:07 +01:00
export.c
btrfs: locking: rip out path->leave_spinning
2020-12-08 15:54:02 +01:00
export.h
btrfs: export helpers for subvolume name/id resolution
2020-03-23 17:01:42 +01:00
extent_io.c
btrfs: subpage: fix wild pointer access during metadata read failure
2021-03-16 11:06:18 +01:00
extent_io.h
btrfs: zoned: redirty released extent buffers
2021-02-09 02:46:04 +01:00
extent_map.c
btrfs: fix parameter description of btrfs_add_extent_mapping
2021-02-08 22:58:53 +01:00
extent_map.h
btrfs: remove extent_map::bdev
2019-11-18 23:43:44 +01:00
extent-io-tree.h
btrfs: use fixed width int type for extent_state::state
2020-12-08 15:54:13 +01:00
extent-tree.c
btrfs: zoned: extend zoned allocator to use dedicated tree-log block group
2021-02-09 02:46:08 +01:00
file-item.c
btrfs: fix function description formats in file-item.c
2021-02-08 22:58:53 +01:00
file.c
btrfs: unlock extents in btrfs_zero_range in case of quota reservation errors
2021-03-02 16:55:44 +01:00
free-space-cache.c
btrfs: zoned: do not account freed region of read-only block group as zone_unusable
2021-03-04 16:16:58 +01:00
free-space-cache.h
btrfs: zoned: track unusable bytes for zones
2021-02-09 02:46:03 +01:00
free-space-tree.c
btrfs: fix possible free space tree corruption with online conversion
2021-01-25 18:44:37 +01:00
free-space-tree.h
btrfs: rename btrfs_block_group_cache
2019-11-18 17:51:51 +01:00
inode-item.c
btrfs: locking: rip out path->leave_spinning
2020-12-08 15:54:02 +01:00
inode.c
btrfs: fix qgroup data rsv leak caused by falloc failure
2021-03-15 16:57:15 +01:00
ioctl.c
btrfs: validate qgroup inherit for SNAP_CREATE_V2 ioctl
2021-03-02 16:55:47 +01:00
Kconfig
btrfs: switch to iomap for direct IO
2020-10-07 12:06:57 +02:00
locking.c
btrfs: remove the recurse parameter from __btrfs_tree_read_lock
2020-12-08 15:54:09 +01:00
locking.h
btrfs: remove the recurse parameter from __btrfs_tree_read_lock
2020-12-08 15:54:09 +01:00
lzo.c
btrfs: compression: inline free_workspace
2019-11-18 12:46:59 +01:00
Makefile
btrfs: introduce the skeleton of btrfs_subpage structure
2021-02-08 22:59:01 +01:00
misc.h
btrfs: rename tree_entry to rb_simple_node and export it
2020-05-25 11:25:19 +02:00
ordered-data.c
btrfs: zoned: use ZONE_APPEND write for zoned mode
2021-02-09 02:46:06 +01:00
ordered-data.h
btrfs: zoned: use ZONE_APPEND write for zoned mode
2021-02-09 02:46:06 +01:00
orphan.c
print-tree.c
btrfs: print the actual offset in btrfs_root_name
2021-01-07 17:25:05 +01:00
print-tree.h
btrfs: print the actual offset in btrfs_root_name
2021-01-07 17:25:05 +01:00
props.c
btrfs: simplify iget helpers
2020-05-25 11:25:37 +02:00
props.h
btrfs: delete unused function btrfs_set_prop_trans
2019-04-29 19:02:54 +02:00
qgroup.c
btrfs: export and rename qgroup_reserve_meta
2021-03-02 16:58:30 +01:00
qgroup.h
btrfs: export and rename qgroup_reserve_meta
2021-03-02 16:58:30 +01:00
raid56.c
btrfs: fix raid6 qstripe kmap
2021-02-22 17:15:21 +01:00
raid56.h
btrfs: constify map parameter for nr_parity_stripes and nr_data_stripes
2019-07-01 13:34:58 +02:00
rcu-string.h
btrfs: rcu-string: Replace zero-length array with flexible-array member
2020-03-23 17:01:53 +01:00
reada.c
btrfs: pass the owner_root and level to alloc_extent_buffer
2020-12-08 15:54:07 +01:00
ref-verify.c
btrfs: ref-verify: use 'inline void' keyword ordering
2021-03-02 16:55:40 +01:00
ref-verify.h
btrfs: ref-verify: Use btrfs_ref to refactor btrfs_ref_tree_mod()
2019-04-29 19:02:49 +02:00
reflink.c
btrfs: fix stale data exposure after cloning a hole with NO_HOLES enabled
2021-02-22 18:07:45 +01:00
reflink.h
Btrfs: move all reflink implementation code into its own file
2020-03-23 17:01:54 +01:00
relocation.c
btrfs: zoned: enable relocation on a zoned filesystem
2021-02-09 02:46:07 +01:00
root-tree.c
btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations
2020-10-07 12:12:13 +02:00
scrub.c
btrfs: fix race between writes to swap files and scrub
2021-02-22 18:07:15 +01:00
send.c
btrfs: send: use struct send_ctx *sctx for btrfs_compare_trees and changed_cb
2021-02-08 22:58:57 +01:00
send.h
btrfs: send: avoid copying file data
2020-10-07 12:13:17 +02:00
space-info.c
btrfs: zoned: track unusable bytes for zones
2021-02-09 02:46:03 +01:00
space-info.h
btrfs: zoned: track unusable bytes for zones
2021-02-09 02:46:03 +01:00
struct-funcs.c
btrfs: handle sectorsize < PAGE_SIZE case for extent buffer accessors
2020-12-09 19:16:10 +01:00
subpage.c
btrfs: integrate page status update for data read path into begin/end_page_read
2021-02-08 22:59:03 +01:00
subpage.h
btrfs: integrate page status update for data read path into begin/end_page_read
2021-02-08 22:59:03 +01:00
super.c
btrfs: fix spurious free_space_tree remount warning
2021-03-02 16:55:55 +01:00
sysfs.c
btrfs: zoned: track unusable bytes for zones
2021-02-09 02:46:03 +01:00
sysfs.h
btrfs: split and refactor btrfs_sysfs_remove_devices_dir
2020-10-07 12:12:21 +02:00
transaction.c
btrfs: zoned: redirty released extent buffers
2021-02-09 02:46:04 +01:00
transaction.h
btrfs: zoned: redirty released extent buffers
2021-02-09 02:46:04 +01:00
tree-checker.c
btrfs: tree-checker: do not error out if extent ref hash doesn't match
2021-02-22 18:07:44 +01:00
tree-checker.h
btrfs: get fs_info from eb in btrfs_check_chunk_valid
2019-04-29 19:02:39 +02:00
tree-defrag.c
btrfs: locking: remove all the blocking helpers
2020-12-08 15:54:01 +01:00
tree-log.c
btrfs: zoned: fix linked list corruption after log root tree allocation failure
2021-03-15 16:57:19 +01:00
tree-log.h
btrfs: make fast fsyncs wait only for writeback
2020-10-07 12:06:56 +02:00
ulist.c
ulist.h
uuid-tree.c
btrfs: remove unnecessary casts in printk
2020-12-08 15:53:52 +01:00
volumes.c
btrfs: zoned: relocate block group to repair IO failure in zoned filesystems
2021-02-09 02:46:07 +01:00
volumes.h
btrfs: zoned: relocate block group to repair IO failure in zoned filesystems
2021-02-09 02:46:07 +01:00
xattr.c
btrfs: fix warning when creating a directory with smack enabled
2021-03-02 17:47:56 +01:00
xattr.h
btrfs: cleanup btrfs_setxattr_trans and drop transaction parameter
2019-04-29 19:02:44 +02:00
zlib.c
btrfs: use larger zlib buffer for s390 hardware compression
2020-01-31 10:30:40 -08:00
zoned.c
btrfs: zoned: use sector_t for zone sectors
2021-03-04 16:16:55 +01:00
zoned.h
btrfs: zoned: extend zoned allocator to use dedicated tree-log block group
2021-02-09 02:46:08 +01:00
zstd.c
btrfs: compression: inline free_workspace
2019-11-18 12:46:59 +01:00