From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jungyeon Yoon, Qu Wenruo, David Sterba, Sasha Levin
Subject: [PATCH 5.2 207/313] btrfs: extent-tree: Make sure we only allocate extents from block groups with the same type
Date: Thu, 3 Oct 2019 17:53:05 +0200
Message-Id: <20191003154553.372022346@linuxfoundation.org>
In-Reply-To: <20191003154533.590915454@linuxfoundation.org>
References: <20191003154533.590915454@linuxfoundation.org>

From: Qu Wenruo

[ Upstream commit 2a28468e525f3924efed7f29f2bc5a2926e7e19a ]

[BUG]
With fuzzed image and MIXED_GROUPS super flag, we can hit the following
BUG_ON():

  kernel BUG at fs/btrfs/delayed-ref.c:491!
  invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 0 PID: 1849 Comm: sync Tainted: G O 5.2.0-custom #27
  RIP: 0010:update_existing_head_ref.cold+0x44/0x46 [btrfs]
  Call Trace:
   add_delayed_ref_head+0x20c/0x2d0 [btrfs]
   btrfs_add_delayed_tree_ref+0x1fc/0x490 [btrfs]
   btrfs_free_tree_block+0x123/0x380 [btrfs]
   __btrfs_cow_block+0x435/0x500 [btrfs]
   btrfs_cow_block+0x110/0x240 [btrfs]
   btrfs_search_slot+0x230/0xa00 [btrfs]
   ? __lock_acquire+0x105e/0x1e20
   btrfs_insert_empty_items+0x67/0xc0 [btrfs]
   alloc_reserved_file_extent+0x9e/0x340 [btrfs]
   __btrfs_run_delayed_refs+0x78e/0x1240 [btrfs]
   ? kvm_clock_read+0x18/0x30
   ? __sched_clock_gtod_offset+0x21/0x50
   btrfs_run_delayed_refs.part.0+0x4e/0x180 [btrfs]
   btrfs_run_delayed_refs+0x23/0x30 [btrfs]
   btrfs_commit_transaction+0x53/0x9f0 [btrfs]
   btrfs_sync_fs+0x7c/0x1c0 [btrfs]
   ? __ia32_sys_fdatasync+0x20/0x20
   sync_fs_one_sb+0x23/0x30
   iterate_supers+0x95/0x100
   ksys_sync+0x62/0xb0
   __ia32_sys_sync+0xe/0x20
   do_syscall_64+0x65/0x240
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

[CAUSE]
This situation is caused by several factors:
- Fuzzed image
  The extent tree of this fs missed one backref for extent tree root.
  So we can allocate space from that slot.

- MIXED_BG feature
  Super block has MIXED_BG flag.

- No mixed block groups exist
  All block groups are just regular ones.

This makes data space_info->block_groups[] contain metadata block
groups. And when we reserve space for data, we can use space in
metadata block group.

Then we hit the following file operations:

- fallocate
  We need to allocate data extents.
  find_free_extent() chooses to use the metadata block to allocate space
  from, and chooses the space of extent tree root, since its backref is
  missing.

  This generates one delayed ref head with is_data = 1.

- extent tree update
  We need to update extent tree at run_delayed_ref time.

  This generates one delayed ref head with is_data = 0, for the same
  bytenr of old extent tree root.

Then we trigger the BUG_ON().

[FIX]
The quick fix here is to check block_group->flags before using it.

The problem can only happen for MIXED_GROUPS fs. Regular filesystems
won't have space_info with DATA|METADATA flag, and no way to hit the
bug.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203255
Reported-by: Jungyeon Yoon
Signed-off-by: Qu Wenruo
Signed-off-by: David Sterba
Signed-off-by: Sasha Levin
--- fs/btrfs/extent-tree.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c index b8f4720879021..37865929fdc22 100644 --- a/fs/btrfs/extent-tree.c +++ b/fs/btrfs/extent-tree.c @@ -7875,6 +7875,14 @@ static noinline int find_free_extent(struct btrfs_fs_info *fs_info, */ if ((flags & extra) && !(block_group->flags & extra)) goto loop; + + /* + * This block group has different flags than we want. + * It's possible that we have MIXED_GROUP flag but no + * block group is mixed. Just skip such block group. + */ + btrfs_release_block_group(block_group, delalloc); + continue; } have_block_group: -- 2.20.1
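
Review bot: The added release and continue after the "goto loop" check in find_free_extent() are unconditional, so every block group that previously fell out of this branch into have_block_group: is now skipped, not only the MIXED_GROUPS type mismatch that the new comment describes. The comment should state that nothing from this branch is used any more, or the skip should be narrowed to the type mismatch it names. The comment also writes MIXED_GROUP where the commit message uses MIXED_GROUPS and MIXED_BG; a single spelling would make the flag easier to grep for. Since the commit message ties this path to an inconsistent (fuzzed) image, it is also worth considering whether the skip should stay silent or leave a trace for whoever has to diagnose the filesystem later.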