From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Nikolay Borisov <nborisov@suse.com>,
Anand Jain <anand.jain@oracle.com>,
Filipe Manana <fdmanana@suse.com>,
David Sterba <dsterba@suse.com>
Subject: [PATCH 4.4 97/99] Btrfs: fix use-after-free when using the tree modification log
Date: Thu, 3 Oct 2019 17:54:00 +0200 [thread overview]
Message-ID: <20191003154344.004143583@linuxfoundation.org> (raw)
In-Reply-To: <20191003154252.297991283@linuxfoundation.org>
From: Filipe Manana <fdmanana@suse.com>
commit efad8a853ad2057f96664328a0d327a05ce39c76 upstream.
At ctree.c:get_old_root(), we are accessing a root's header owner field
after we have freed the respective extent buffer. This results in an
use-after-free that can lead to crashes, and when CONFIG_DEBUG_PAGEALLOC
is set, results in a stack trace like the following:
[ 3876.799331] stack segment: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
[ 3876.799363] CPU: 0 PID: 15436 Comm: pool Not tainted 5.3.0-rc3-btrfs-next-54 #1
[ 3876.799385] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
[ 3876.799433] RIP: 0010:btrfs_search_old_slot+0x652/0xd80 [btrfs]
(...)
[ 3876.799502] RSP: 0018:ffff9f08c1a2f9f0 EFLAGS: 00010286
[ 3876.799518] RAX: ffff8dd300000000 RBX: ffff8dd85a7a9348 RCX: 000000038da26000
[ 3876.799538] RDX: 0000000000000000 RSI: ffffe522ce368980 RDI: 0000000000000246
[ 3876.799559] RBP: dae1922adadad000 R08: 0000000008020000 R09: ffffe522c0000000
[ 3876.799579] R10: ffff8dd57fd788c8 R11: 000000007511b030 R12: ffff8dd781ddc000
[ 3876.799599] R13: ffff8dd9e6240578 R14: ffff8dd6896f7a88 R15: ffff8dd688cf90b8
[ 3876.799620] FS: 00007f23ddd97700(0000) GS:ffff8dda20200000(0000) knlGS:0000000000000000
[ 3876.799643] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3876.799660] CR2: 00007f23d4024000 CR3: 0000000710bb0005 CR4: 00000000003606f0
[ 3876.799682] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 3876.799703] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 3876.799723] Call Trace:
[ 3876.799735] ? do_raw_spin_unlock+0x49/0xc0
[ 3876.799749] ? _raw_spin_unlock+0x24/0x30
[ 3876.799779] resolve_indirect_refs+0x1eb/0xc80 [btrfs]
[ 3876.799810] find_parent_nodes+0x38d/0x1180 [btrfs]
[ 3876.799841] btrfs_check_shared+0x11a/0x1d0 [btrfs]
[ 3876.799870] ? extent_fiemap+0x598/0x6e0 [btrfs]
[ 3876.799895] extent_fiemap+0x598/0x6e0 [btrfs]
[ 3876.799913] do_vfs_ioctl+0x45a/0x700
[ 3876.799926] ksys_ioctl+0x70/0x80
[ 3876.799938] ? trace_hardirqs_off_thunk+0x1a/0x20
[ 3876.799953] __x64_sys_ioctl+0x16/0x20
[ 3876.799965] do_syscall_64+0x62/0x220
[ 3876.799977] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 3876.799993] RIP: 0033:0x7f23e0013dd7
(...)
[ 3876.800056] RSP: 002b:00007f23ddd96ca8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 3876.800078] RAX: ffffffffffffffda RBX: 00007f23d80210f8 RCX: 00007f23e0013dd7
[ 3876.800099] RDX: 00007f23d80210f8 RSI: 00000000c020660b RDI: 0000000000000003
[ 3876.800626] RBP: 000055fa2a2a2440 R08: 0000000000000000 R09: 00007f23ddd96d7c
[ 3876.801143] R10: 00007f23d8022000 R11: 0000000000000246 R12: 00007f23ddd96d80
[ 3876.801662] R13: 00007f23ddd96d78 R14: 00007f23d80210f0 R15: 00007f23ddd96d80
(...)
[ 3876.805107] ---[ end trace e53161e179ef04f9 ]---
Fix that by saving the root's header owner field into a local variable
before freeing the root's extent buffer, and then use that local variable
when needed.
Fixes: 30b0463a9394d9 ("Btrfs: fix accessing the root pointer in tree mod log functions")
CC: stable@vger.kernel.org # 3.10+
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ctree.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -1418,6 +1418,7 @@ get_old_root(struct btrfs_root *root, u6
struct tree_mod_elem *tm;
struct extent_buffer *eb = NULL;
struct extent_buffer *eb_root;
+ u64 eb_root_owner = 0;
struct extent_buffer *old;
struct tree_mod_root *old_root = NULL;
u64 old_generation = 0;
@@ -1451,6 +1452,7 @@ get_old_root(struct btrfs_root *root, u6
free_extent_buffer(old);
}
} else if (old_root) {
+ eb_root_owner = btrfs_header_owner(eb_root);
btrfs_tree_read_unlock(eb_root);
free_extent_buffer(eb_root);
eb = alloc_dummy_extent_buffer(root->fs_info, logical);
@@ -1468,7 +1470,7 @@ get_old_root(struct btrfs_root *root, u6
if (old_root) {
btrfs_set_header_bytenr(eb, eb->start);
btrfs_set_header_backref_rev(eb, BTRFS_MIXED_BACKREF_REV);
- btrfs_set_header_owner(eb, btrfs_header_owner(eb_root));
+ btrfs_set_header_owner(eb, eb_root_owner);
btrfs_set_header_level(eb, old_root->level);
btrfs_set_header_generation(eb, old_generation);
}
next prev parent reply other threads:[~2019-10-03 16:00 UTC|newest]
Thread overview: 105+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-03 15:52 [PATCH 4.4 00/99] 4.4.195-stable review Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 01/99] Revert "Bluetooth: validate BLE connection interval updates" Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 02/99] HID: prodikeys: Fix general protection fault during probe Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 03/99] HID: lg: make transfer buffers DMA capable Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 04/99] HID: logitech: Fix general protection fault caused by Logitech driver Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 05/99] HID: hidraw: Fix invalid read in hidraw_ioctl Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 06/99] mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword() Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 07/99] crypto: talitos - fix missing break in switch statement Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 08/99] [PATCH stable 4.4 net] net: rds: Fix NULL ptr use in rds_tcp_kill_sock Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 09/99] ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt() Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 10/99] ALSA: hda - Add laptop imic fixup for ASUS M9V laptop Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 11/99] mac80211: Print text for disassociation reason Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 12/99] mac80211: handle deauthentication/disassociation from TDLS peer Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 13/99] locking/lockdep: Add debug_locks check in __lock_downgrade() Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 14/99] irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 15/99] f2fs: check all the data segments against all node ones Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 16/99] Revert "f2fs: avoid out-of-range memory access" Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 17/99] f2fs: fix to do sanity check on segment bitmap of LFS curseg Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 18/99] drm: Flush output polling on shutdown Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 19/99] Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 20/99] arcnet: provide a buffer big enough to actually receive packets Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 21/99] cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 22/99] net/phy: fix DP83865 10 Mbps HDX loopback disable function Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 23/99] openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 24/99] sch_netem: fix a divide by zero in tabledist() Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 25/99] skge: fix checksum byte order Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 26/99] usbnet: ignore endpoints with invalid wMaxPacketSize Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 27/99] usbnet: sanity checking of packet sizes and device mtu Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 28/99] mISDN: enforce CAP_NET_RAW for raw sockets Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 29/99] appletalk: " Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 30/99] ax25: " Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 31/99] ieee802154: " Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 32/99] nfc: " Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 33/99] ALSA: hda: Flush interrupts on disabling Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 34/99] ASoC: sgtl5000: Fix charge pump source assignment Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 35/99] dmaengine: bcm2835: Print error in case setting DMA mask fails Greg Kroah-Hartman
2019-10-03 15:52 ` [PATCH 4.4 36/99] leds: leds-lp5562 allow firmware files up to the maximum length Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 37/99] media: dib0700: fix link error for dibx000_i2c_set_speed Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 38/99] media: hdpvr: Add device num check and handling Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 39/99] sched/fair: Fix imbalance due to CPU affinity Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 40/99] sched/core: Fix CPU controller for !RT_GROUP_SCHED Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 41/99] x86/reboot: Always use NMI fallback when shutdown via reboot vector IPI fails Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 42/99] x86/apic: Soft disable APIC before initializing it Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 43/99] ALSA: hda - Show the fatal CORB/RIRB error more clearly Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 44/99] ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls() Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 45/99] media: iguanair: add sanity checks Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 46/99] base: soc: Export soc_device_register/unregister APIs Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 47/99] ALSA: usb-audio: Skip bSynchAddress endpoint check if it is invalid Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 48/99] ia64:unwind: fix double free for mod->arch.init_unw_table Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 49/99] md: dont call spare_active in md_reap_sync_thread if all member devices cant work Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 50/99] md: dont set In_sync if array is frozen Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 51/99] efi: cper: print AER info of PCIe fatal error Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 52/99] media: gspca: zero usb_buf on error Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 53/99] dmaengine: iop-adma: use correct printk format strings Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 54/99] media: omap3isp: Dont set streaming state on random subdevs Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 55/99] net: lpc-enet: fix printk format strings Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 56/99] media: radio/si470x: kill urb on error Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 57/99] media: hdpvr: add terminating 0 at end of string Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 58/99] media: saa7146: add cleanup in hexium_attach() Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 59/99] media: cpia2_usb: fix memory leaks Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 60/99] media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate() Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 61/99] media: ov9650: add a sanity check Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 62/99] ACPI / CPPC: do not require the _PSD method Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 63/99] libtraceevent: Change users plugin directory Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 64/99] ACPI: custom_method: fix memory leaks Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 65/99] hwmon: (acpi_power_meter) Change log level for unsafe software power cap Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 66/99] md/raid1: fail run raid1 array when active disk less than one Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 67/99] dmaengine: ti: edma: Do not reset reserved paRAM slots Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 68/99] kprobes: Prohibit probing on BUG() and WARN() address Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 69/99] ASoC: dmaengine: Make the pcm->name equal to pcm->id if the name is not set Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 70/99] mmc: sdhci: Fix incorrect switch to HS mode Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 71/99] libertas: Add missing sentinel at end of if_usb.c fw_table Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 72/99] media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 73/99] ALSA: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93 Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 74/99] btrfs: extent-tree: Make sure we only allocate extents from block groups with the same type Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 75/99] media: omap3isp: Set device on omap3isp subdevs Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 76/99] ALSA: firewire-tascam: handle error code when getting current source of clock Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 77/99] ALSA: firewire-tascam: check intermediate state of clock status and retry Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 78/99] printk: Do not lose last line in kmsg buffer dump Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 79/99] fuse: fix missing unlock_page in fuse_writepage() Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 80/99] parisc: Disable HP HSC-PCI Cards to prevent kernel crash Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 81/99] KVM: x86: always stop emulation on page fault Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 82/99] KVM: x86: set ctxt->have_exception in x86_decode_insn() Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 83/99] KVM: x86: Manually calculate reserved bits when loading PDPTRS Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 84/99] media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 85/99] ASoC: Intel: Fix use of potentially uninitialized variable Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 86/99] ARM: zynq: Use memcpy_toio instead of memcpy on smp bring-up Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 87/99] alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 88/99] md/raid6: Set R5_ReadError when there is read failure on parity disk Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 89/99] cfg80211: Purge frame registrations on iftype change Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 90/99] /dev/mem: Bail out upon SIGKILL Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 91/99] ext4: fix punch hole for inline_data file systems Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 92/99] quota: fix wrong condition in is_quota_modification() Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 93/99] hwrng: core - dont wait on add_early_randomness() Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 94/99] i2c: riic: Clear NACK in tend isr Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 95/99] CIFS: Fix oplock handling for SMB 2.1+ protocols Greg Kroah-Hartman
2019-10-03 15:53 ` [PATCH 4.4 96/99] ovl: filter of trusted xattr results in audit Greg Kroah-Hartman
2019-10-03 15:54 ` Greg Kroah-Hartman [this message]
2019-10-03 15:54 ` [PATCH 4.4 98/99] btrfs: Relinquish CPUs in btrfs_compare_trees Greg Kroah-Hartman
2019-10-03 15:54 ` [PATCH 4.4 99/99] Btrfs: fix race setting up and completing qgroup rescan workers Greg Kroah-Hartman
2019-10-03 23:53 ` [PATCH 4.4 00/99] 4.4.195-stable review shuah
2019-10-04 6:41 ` kernelci.org bot
2019-10-04 7:36 ` Jon Hunter
2019-10-04 15:02 ` Dan Rue
2019-10-04 22:55 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191003154344.004143583@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=anand.jain@oracle.com \
--cc=dsterba@suse.com \
--cc=fdmanana@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nborisov@suse.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).