[PATCH] Btrfs: fix null pointer dereference when replacing missing device

[PATCH] Btrfs: fix null pointer dereference when replacing missing device

[fdmanana]

From: Filipe Manana <fdmanana@suse.com>

When we are replacing a missing device we mount the filesystem with the
degraded mode option in which case we are allowed to have a btrfs device
structure without a backing device member (its bdev member is NULL) and
therefore we can't dereference that member. Commit 38b5f68e9811
("btrfs: drop btrfs_device::can_discard to query directly") started to
dereference that member when discarding extents, resulting in a null
pointer dereference:

 [ 3145.322257] BTRFS warning (device sdf): devid 2 uuid 4d922414-58eb-4880-8fed-9c3840f6c5d5 is missing
 [ 3145.364116] BTRFS info (device sdf): dev_replace from <missing disk> (devid 2) to /dev/sdg started
 [ 3145.413489] BUG: unable to handle kernel NULL pointer dereference at 00000000000000e0
 [ 3145.415085] IP: btrfs_discard_extent+0x6a/0xf8 [btrfs]
 [ 3145.415085] PGD 0 P4D 0
 [ 3145.415085] Oops: 0000 [#1] PREEMPT SMP PTI
 [ 3145.415085] Modules linked in: ppdev ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper evdev psmouse parport_pc serio_raw i2c_piix4 i2
 [ 3145.415085] CPU: 0 PID: 11989 Comm: btrfs Tainted: G        W        4.15.0-rc9-btrfs-next-55+ #1
 [ 3145.415085] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
 [ 3145.415085] RIP: 0010:btrfs_discard_extent+0x6a/0xf8 [btrfs]
 [ 3145.415085] RSP: 0018:ffffc90004813c60 EFLAGS: 00010293
 [ 3145.415085] RAX: ffff88020d39cc00 RBX: ffff88020c4ea2a0 RCX: 0000000000000002
 [ 3145.415085] RDX: 0000000000000000 RSI: ffff88020c4ea240 RDI: 0000000000000000
 [ 3145.415085] RBP: 0000000000000000 R08: 0000000000004000 R09: 0000000000000000
 [ 3145.415085] R10: ffffc90004813ae8 R11: 0000000000000000 R12: 0000000000000000
 [ 3145.415085] R13: ffff88020c418000 R14: 0000000000000000 R15: 0000000000000000
 [ 3145.415085] FS:  00007f565681f8c0(0000) GS:ffff88023fc00000(0000) knlGS:0000000000000000
 [ 3145.415085] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [ 3145.415085] CR2: 00000000000000e0 CR3: 000000020d208006 CR4: 00000000001606f0
 [ 3145.415085] Call Trace:
 [ 3145.415085]  btrfs_finish_extent_commit+0x9a/0x1be [btrfs]
 [ 3145.415085]  btrfs_commit_transaction+0x649/0x7a0 [btrfs]
 [ 3145.415085]  ? start_transaction+0x2b0/0x3b3 [btrfs]
 [ 3145.415085]  btrfs_dev_replace_start+0x274/0x30c [btrfs]
 [ 3145.415085]  btrfs_dev_replace_by_ioctl+0x45/0x59 [btrfs]
 [ 3145.415085]  btrfs_ioctl+0x1a91/0x1d62 [btrfs]
 [ 3145.415085]  ? lock_acquire+0x16a/0x1af
 [ 3145.415085]  ? vfs_ioctl+0x1b/0x28
 [ 3145.415085]  ? trace_hardirqs_on_caller+0x14c/0x1a6
 [ 3145.415085]  vfs_ioctl+0x1b/0x28
 [ 3145.415085]  do_vfs_ioctl+0x5a9/0x5e0
 [ 3145.415085]  ? _raw_spin_unlock_irq+0x34/0x46
 [ 3145.415085]  ? entry_SYSCALL_64_fastpath+0x5/0x8b
 [ 3145.415085]  ? trace_hardirqs_on_caller+0x14c/0x1a6
 [ 3145.415085]  SyS_ioctl+0x52/0x76
 [ 3145.415085]  entry_SYSCALL_64_fastpath+0x1e/0x8b
 [ 3145.415085] RIP: 0033:0x7f56558b3c47
 [ 3145.415085] RSP: 002b:00007ffdcfac4c58 EFLAGS: 00000202
 [ 3145.415085] Code: be 02 00 00 00 4c 89 ef e8 b9 e7 03 00 85 c0 89 c5 75 75 48 8b 44 24 08 45 31 f6 48 8d 58 60 eb 52 48 8b 03 48 8b b8 a0 00 00 00 <48> 8b 87 e0 00
 [ 3145.415085] RIP: btrfs_discard_extent+0x6a/0xf8 [btrfs] RSP: ffffc90004813c60
 [ 3145.415085] CR2: 00000000000000e0
 [ 3145.458185] ---[ end trace 06302e7ac31902bf ]---

This is trivially reproduced by running the test btrfs/027 from fstests
like this:

  $ MOUNT_OPTIONS="-o discard" ./check btrfs/027

Fix this by skipping devices without a backing device before attempting
to discard.

Fixes: 38b5f68e9811 ("btrfs: drop btrfs_device::can_discard to query directly")
Signed-off-by: Filipe Manana <fdmanana@suse.com>
---
 fs/btrfs/extent-tree.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 9d220b276c8f..d59ee24645e3 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -2147,6 +2147,10 @@ int btrfs_discard_extent(struct btrfs_fs_info *fs_info, u64 bytenr,
 			u64 bytes;
 			struct request_queue *req_q;
 
+			if (!stripe->dev->bdev) {
+				ASSERT(btrfs_test_opt(fs_info, DEGRADED));
+				continue;
+			}
 			req_q = bdev_get_queue(stripe->dev->bdev);
 			if (!blk_queue_discard(req_q))
 				continue;
-- 
2.11.0

Re: [PATCH] Btrfs: fix null pointer dereference when replacing missing device

[Anand Jain]

On 01/31/2018 02:40 AM, fdmanana@kernel.org wrote:
> From: Filipe Manana <fdmanana@suse.com>
> 
> When we are replacing a missing device we mount the filesystem with the
> degraded mode option in which case we are allowed to have a btrfs device
> structure without a backing device member (its bdev member is NULL) and
> therefore we can't dereference that member. Commit 38b5f68e9811
> ("btrfs: drop btrfs_device::can_discard to query directly") started to
> dereference that member when discarding extents, resulting in a null
> pointer dereference:
> 
>   [ 3145.322257] BTRFS warning (device sdf): devid 2 uuid 4d922414-58eb-4880-8fed-9c3840f6c5d5 is missing
>   [ 3145.364116] BTRFS info (device sdf): dev_replace from <missing disk> (devid 2) to /dev/sdg started
>   [ 3145.413489] BUG: unable to handle kernel NULL pointer dereference at 00000000000000e0
>   [ 3145.415085] IP: btrfs_discard_extent+0x6a/0xf8 [btrfs]
>   [ 3145.415085] PGD 0 P4D 0
>   [ 3145.415085] Oops: 0000 [#1] PREEMPT SMP PTI
>   [ 3145.415085] Modules linked in: ppdev ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper evdev psmouse parport_pc serio_raw i2c_piix4 i2
>   [ 3145.415085] CPU: 0 PID: 11989 Comm: btrfs Tainted: G        W        4.15.0-rc9-btrfs-next-55+ #1
>   [ 3145.415085] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
>   [ 3145.415085] RIP: 0010:btrfs_discard_extent+0x6a/0xf8 [btrfs]
>   [ 3145.415085] RSP: 0018:ffffc90004813c60 EFLAGS: 00010293
>   [ 3145.415085] RAX: ffff88020d39cc00 RBX: ffff88020c4ea2a0 RCX: 0000000000000002
>   [ 3145.415085] RDX: 0000000000000000 RSI: ffff88020c4ea240 RDI: 0000000000000000
>   [ 3145.415085] RBP: 0000000000000000 R08: 0000000000004000 R09: 0000000000000000
>   [ 3145.415085] R10: ffffc90004813ae8 R11: 0000000000000000 R12: 0000000000000000
>   [ 3145.415085] R13: ffff88020c418000 R14: 0000000000000000 R15: 0000000000000000
>   [ 3145.415085] FS:  00007f565681f8c0(0000) GS:ffff88023fc00000(0000) knlGS:0000000000000000
>   [ 3145.415085] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>   [ 3145.415085] CR2: 00000000000000e0 CR3: 000000020d208006 CR4: 00000000001606f0
>   [ 3145.415085] Call Trace:
>   [ 3145.415085]  btrfs_finish_extent_commit+0x9a/0x1be [btrfs]
>   [ 3145.415085]  btrfs_commit_transaction+0x649/0x7a0 [btrfs]
>   [ 3145.415085]  ? start_transaction+0x2b0/0x3b3 [btrfs]
>   [ 3145.415085]  btrfs_dev_replace_start+0x274/0x30c [btrfs]
>   [ 3145.415085]  btrfs_dev_replace_by_ioctl+0x45/0x59 [btrfs]
>   [ 3145.415085]  btrfs_ioctl+0x1a91/0x1d62 [btrfs]
>   [ 3145.415085]  ? lock_acquire+0x16a/0x1af
>   [ 3145.415085]  ? vfs_ioctl+0x1b/0x28
>   [ 3145.415085]  ? trace_hardirqs_on_caller+0x14c/0x1a6
>   [ 3145.415085]  vfs_ioctl+0x1b/0x28
>   [ 3145.415085]  do_vfs_ioctl+0x5a9/0x5e0
>   [ 3145.415085]  ? _raw_spin_unlock_irq+0x34/0x46
>   [ 3145.415085]  ? entry_SYSCALL_64_fastpath+0x5/0x8b
>   [ 3145.415085]  ? trace_hardirqs_on_caller+0x14c/0x1a6
>   [ 3145.415085]  SyS_ioctl+0x52/0x76
>   [ 3145.415085]  entry_SYSCALL_64_fastpath+0x1e/0x8b
>   [ 3145.415085] RIP: 0033:0x7f56558b3c47
>   [ 3145.415085] RSP: 002b:00007ffdcfac4c58 EFLAGS: 00000202
>   [ 3145.415085] Code: be 02 00 00 00 4c 89 ef e8 b9 e7 03 00 85 c0 89 c5 75 75 48 8b 44 24 08 45 31 f6 48 8d 58 60 eb 52 48 8b 03 48 8b b8 a0 00 00 00 <48> 8b 87 e0 00
>   [ 3145.415085] RIP: btrfs_discard_extent+0x6a/0xf8 [btrfs] RSP: ffffc90004813c60
>   [ 3145.415085] CR2: 00000000000000e0
>   [ 3145.458185] ---[ end trace 06302e7ac31902bf ]---
> 
> This is trivially reproduced by running the test btrfs/027 from fstests
> like this:
> 
>    $ MOUNT_OPTIONS="-o discard" ./check btrfs/027
> 
> Fix this by skipping devices without a backing device before attempting
> to discard.
> 
> Fixes: 38b5f68e9811 ("btrfs: drop btrfs_device::can_discard to query directly")
> Signed-off-by: Filipe Manana <fdmanana@suse.com>


  oh no, I missed the context of degraded when writing this patch.
  Thanks for the fix.

  Reviewed-by: Anand Jain <anand.jain@oracle.com>

Thanks, Anand

> ---
>   fs/btrfs/extent-tree.c | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
> index 9d220b276c8f..d59ee24645e3 100644
> --- a/fs/btrfs/extent-tree.c
> +++ b/fs/btrfs/extent-tree.c
> @@ -2147,6 +2147,10 @@ int btrfs_discard_extent(struct btrfs_fs_info *fs_info, u64 bytenr,
>   			u64 bytes;
>   			struct request_queue *req_q;
>   
> +			if (!stripe->dev->bdev) {
> +				ASSERT(btrfs_test_opt(fs_info, DEGRADED));
> +				continue;
> +			}
>   			req_q = bdev_get_queue(stripe->dev->bdev);
>   			if (!blk_queue_discard(req_q))
>   				continue;
> 

Re: [PATCH] Btrfs: fix null pointer dereference when replacing missing device

[David Sterba]

On Wed, Jan 31, 2018 at 11:25:49AM +0800, Anand Jain wrote:
> > This is trivially reproduced by running the test btrfs/027 from fstests
> > like this:
> > 
> >    $ MOUNT_OPTIONS="-o discard" ./check btrfs/027
> > 
> > Fix this by skipping devices without a backing device before attempting
> > to discard.
> > 
> > Fixes: 38b5f68e9811 ("btrfs: drop btrfs_device::can_discard to query directly")
> > Signed-off-by: Filipe Manana <fdmanana@suse.com>
>   oh no, I missed the context of degraded when writing this patch.
>   Thanks for the fix.
> 
>   Reviewed-by: Anand Jain <anand.jain@oracle.com>

Added to next and will add it to the next 4.16 pull.