Linux Btrfs filesystem development
From: Nikolay Borisov <nborisov@suse.com>
To: Qu Wenruo <quwenruo.btrfs@gmx.com>,
	Josef Bacik <josef@toxicpanda.com>,
	linux-btrfs@vger.kernel.org, kernel-team@fb.com
Subject: Re: [PATCH v4 03/53] btrfs: modify the new_root highest_objectid under a ref count
Date: Mon, 7 Dec 2020 10:35:11 +0200	[thread overview]
Message-ID: <aaefeff4-12d5-ad09-c60f-a1c4b94a0d25@suse.com> (raw)
In-Reply-To: <448e6b22-1a44-a3ac-bf91-632bd8dc9206@gmx.com>

On 4.12.20 at 10:01, Qu Wenruo wrote:
> 
> 
> On 2020/12/4 2:22 AM, Josef Bacik wrote:
>> Qu pointed out a bug in one of my error handling patches, which made me
>> notice that we modify the new_root->highest_objectid _after_ we've
>> dropped the ref to the new_root.  This could lead to a possible UAF, fix
>> this by modifying the ->highest_objectid before we drop our reference to
>> the new_root.
>>
>> Signed-off-by: Josef Bacik <josef@toxicpanda.com>
> 
> Reviewed-by: Qu Wenruo <wqu@suse.com>
> 
> But I found something to clean up in the future, inlined below.
>> ---
>>  fs/btrfs/ioctl.c | 10 ++++++----
>>  1 file changed, 6 insertions(+), 4 deletions(-)
>>
>> diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
>> index 703212ff50a5..f240beed4739 100644
>> --- a/fs/btrfs/ioctl.c
>> +++ b/fs/btrfs/ioctl.c
>> @@ -717,6 +717,12 @@ static noinline int create_subvol(struct inode *dir,
>>  	btrfs_record_root_in_trans(trans, new_root);
>>  
>>  	ret = btrfs_create_subvol_root(trans, new_root, root, new_dirid);
> 
> Firstly, btrfs_create_subvol_root() is only called here once, and
> new_dirid is always a fixed value, BTRFS_FIRST_FREE_OBJECTID.
> 
> This means we don't need the parameter at all.
> 
>> +	if (!ret) {
>> +		mutex_lock(&new_root->objectid_mutex);
>> +		new_root->highest_objectid = new_dirid;
>> +		mutex_unlock(&new_root->objectid_mutex);
>> +	}
>> +
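Review bot: the hunk as quoted shows only the six added lines; the four deletions the diffstat lists (the old store to new_root->highest_objectid made after the reference was dropped, per the commit message) are cut from this quote, so the before/after ordering this patch is about cannot be checked from the hunk alone, and quoting the removed lines next to the added ones would let the reordering be reviewed. Also, the store added under `if (!ret)` writes the constant new_dirid (BTRFS_FIRST_FREE_OBJECTID, as noted above) while btrfs_init_fs_root already sets highest_objectid through btrfs_find_highest_objectid (see the reply below); a short comment explaining why the explicit store after btrfs_create_subvol_root() is still needed would help the next reader.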
> 
> Secondly, new_root is a new subvolume root which just got allocated.
> It looks more sane to initialize the highest_objectid inside
> btrfs_get_root_ref() for new root.
> 
> This should reduce the chance to hit such use-after-free bug completely.

Actually btrfs_init_fs_root already does:

    ret = btrfs_find_highest_objectid(root,
                                      &root->highest_objectid);

Where root would be the newly initialized tree, so highest_objectid
should already be correctly initialized. However, looking at the source
of btrfs_find_highest_objectid, why do we do BTRFS_FIRST_FREE_OBJECTID -
1 there?

<snip>
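Added here as an illustration of the ordering the patch corrects; it is not btrfs code and not part of the thread. It models a refcounted root in plain C: the names model_root, root_get, root_put, set_highest_objectid and the two create_subvol_* functions are assumptions, FIRST_FREE_OBJECTID stands in for BTRFS_FIRST_FREE_OBJECTID, and the objectid_mutex the real patch takes is left out of the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Stand-in for BTRFS_FIRST_FREE_OBJECTID, the value create_subvol passes as new_dirid. */
#define FIRST_FREE_OBJECTID 256ULL

/* Hypothetical model of a refcounted root. The last put marks the object instead
 * of freeing it, so a write after the final drop is observable, not undefined. */
struct model_root {
	int refs;		/* start at 1: the reference the creator holds */
	bool freed;
	uint64_t highest_objectid;
};

/* Another holder takes a reference; while it exists the bug below stays latent. */
static void root_get(struct model_root *r) { r->refs++; }

/* Drop a reference; the last one releases the object (kfree() in the kernel). */
static void root_put(struct model_root *r)
{
	if (--r->refs == 0)
		r->freed = true;
}

/* Store the field; returns false if the object was already released. */
static bool set_highest_objectid(struct model_root *r, uint64_t v)
{
	if (r->freed)
		return false;	/* the use-after-free the patch prevents */
	r->highest_objectid = v;
	return true;
}

/* Pre-fix ordering: reference dropped first, field written afterwards. */
static bool create_subvol_before_fix(struct model_root *r)
{
	root_put(r);
	return set_highest_objectid(r, FIRST_FREE_OBJECTID);
}

/* Fixed ordering: write while a reference is still held, then drop it. */
static bool create_subvol_after_fix(struct model_root *r)
{
	bool ok = set_highest_objectid(r, FIRST_FREE_OBJECTID);
	root_put(r);
	return ok;
}
```

With a second holder (root_get) the pre-fix ordering happens to succeed, which is why the real bug only shows when the creator's reference is the last one.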

