From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Filipe Manana, Anand Jain, David Sterba
Subject: [PATCH 5.4 091/108] btrfs: check for missing device in btrfs_trim_fs
Date: Mon, 26 Jul 2021 17:39:32 +0200
Message-Id: <20210726153834.597009305@linuxfoundation.org>
In-Reply-To: <20210726153831.696295003@linuxfoundation.org>

From: Anand Jain

commit 16a200f66ede3f9afa2e51d90ade017aaa18d213 upstream.

A fstrim on a degraded raid1 can trigger the following null pointer
dereference:

  BTRFS info (device loop0): allowing degraded mounts
  BTRFS info (device loop0): disk space caching is enabled
  BTRFS info (device loop0): has skinny extents
  BTRFS warning (device loop0): devid 2 uuid 97ac16f7-e14d-4db1-95bc-3d489b424adb is missing
  BTRFS warning (device loop0): devid 2 uuid 97ac16f7-e14d-4db1-95bc-3d489b424adb is missing
  BTRFS info (device loop0): enabling ssd optimizations
  BUG: kernel NULL pointer dereference, address: 0000000000000620
  PGD 0 P4D 0
  Oops: 0000 [#1] SMP NOPTI
  CPU: 0 PID: 4574 Comm: fstrim Not tainted 5.13.0-rc7+ #31
  Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
  RIP: 0010:btrfs_trim_fs+0x199/0x4a0 [btrfs]
  RSP: 0018:ffff959541797d28 EFLAGS: 00010293
  RAX: 0000000000000000 RBX: ffff946f84eca508 RCX: a7a67937adff8608
  RDX: ffff946e8122d000 RSI: 0000000000000000 RDI: ffffffffc02fdbf0
  RBP: ffff946ea4615000 R08: 0000000000000001 R09: 0000000000000000
  R10: 0000000000000000 R11: ffff946e8122d960 R12: 0000000000000000
  R13: ffff959541797db8 R14: ffff946e8122d000 R15: ffff959541797db8
  FS:  00007f55917a5080(0000) GS:ffff946f9bc00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000620 CR3: 000000002d2c8001 CR4: 00000000000706f0
  Call Trace:
  btrfs_ioctl_fitrim+0x167/0x260 [btrfs]
  btrfs_ioctl+0x1c00/0x2fe0 [btrfs]
  ? selinux_file_ioctl+0x140/0x240
  ? syscall_trace_enter.constprop.0+0x188/0x240
  ? __x64_sys_ioctl+0x83/0xb0
  __x64_sys_ioctl+0x83/0xb0

Reproducer:

  $ mkfs.btrfs -fq -d raid1 -m raid1 /dev/loop0 /dev/loop1
  $ mount /dev/loop0 /btrfs
  $ umount /btrfs
  $ btrfs dev scan --forget
  $ mount -o degraded /dev/loop0 /btrfs
  $ fstrim /btrfs

The reason is we call btrfs_trim_free_extents() for the missing device,
which uses device->bdev (NULL for missing device) to find if the device
supports discard.
Fix is to check if the device is missing before calling btrfs_trim_free_extents(). CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Filipe Manana Signed-off-by: Anand Jain Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman --- fs/btrfs/extent-tree.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/btrfs/extent-tree.c +++ b/fs/btrfs/extent-tree.c @@ -5768,6 +5768,9 @@ int btrfs_trim_fs(struct btrfs_fs_info * mutex_lock(&fs_info->fs_devices->device_list_mutex); devices = &fs_info->fs_devices->devices; list_for_each_entry(device, devices, dev_list) { + if (test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state)) + continue; + ret = btrfs_trim_free_extents(device, &group_trimmed); if (ret) { dev_failed++;
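
Review bot: The new test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state) skip at the top of the list_for_each_entry() body carries no comment, so a reader of btrfs_trim_fs() cannot tell that it exists because btrfs_trim_free_extents() uses device->bdev, which is NULL for a missing device. A one-line comment above the test would record that. The skip also bypasses the dev_failed accounting visible just below it, so the trim result on a degraded filesystem says nothing about the absent device; it would help to state in the changelog that this is intended. Finally, since the dereference happens inside btrfs_trim_free_extents(), consider whether the guard belongs there instead, so that the function is safe regardless of which caller passes it a missing device.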
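
The failure mode the commit message describes, as a userspace model added here for illustration (it is not kernel code and not part of the patch). All `model_*` names, the simplified types and the sample array are assumptions; the `-1` return stands in for the oops so that the loop can be run with and without the added check.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned long long u64;
#define DEV_STATE_MISSING 1UL      /* stand-in for BTRFS_DEV_STATE_MISSING */
struct model_bdev { int supports_discard; };
/* bdev is NULL when the device is missing (degraded mount). */
struct model_device { unsigned long dev_state; struct model_bdev *bdev; u64 free_bytes; };

/* Constructed sample: degraded raid1 with the second device missing. */
static struct model_bdev disk1 = { 1 };
static const struct model_device degraded_raid1[] = {
    { 0, &disk1, 4096 }, { DEV_STATE_MISSING, NULL, 0 } };

/* Stand-in for btrfs_trim_free_extents(): consults bdev before trimming.
 * The kernel oopses on a NULL bdev; the model returns -1 instead. */
static int model_trim_free_extents(const struct model_device *dev, u64 *trimmed)
{
    *trimmed = 0;
    if (dev->bdev == NULL)
        return -1;
    if (dev->bdev->supports_discard)
        *trimmed = dev->free_bytes;
    return 0;
}

/* Simplified device loop; returns the number of devices that failed. */
int model_trim_fs(const struct model_device *devs, size_t n,
                  int skip_missing, u64 *total)
{
    int dev_failed = 0;
    *total = 0;
    for (size_t i = 0; i < n; i++) {
        u64 group_trimmed;
        if (skip_missing && (devs[i].dev_state & DEV_STATE_MISSING))
            continue;              /* the check the patch adds */
        if (model_trim_free_extents(&devs[i], &group_trimmed))
            dev_failed++;
        *total += group_trimmed;
    }
    return dev_failed;
}

int main(void)
{
    u64 t;
    printf("without check: %d failed\n", model_trim_fs(degraded_raid1, 2, 0, &t));
    printf("with check:    %d failed\n", model_trim_fs(degraded_raid1, 2, 1, &t));
}
```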