Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Message-ID: <e3f0ab62-3d1f-a316-2d7b-a0b791120f87@oracle.com>
Date:   Fri, 4 Mar 2022 07:53:27 +0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.6.1
Subject: Re: [PATCH] btrfs: don't access possibly stale fs_info data in
 device_list_add
Content-Language: en-US
To:     Dongliang Mu <dzm91@hust.edu.cn>,
        Dongliang Mu <mudongliangabcd@gmail.com>
References: <20220303144027.1981835-1-dzm91@hust.edu.cn>
 <20220303182431.GW12643@suse.cz>
Cc:     linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org,
        Chris Mason <clm@fb.com>,
        syzbot+82650a4e0ed38f218363@syzkaller.appspotmail.com,
        Josef Bacik <josef@toxicpanda.com>, dsterba@suse.cz,
        David Sterba <dsterba@suse.com>
From:   Anand Jain <anand.jain@oracle.com>
In-Reply-To: <20220303182431.GW12643@suse.cz>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?MG1GWmJIVEFzQ0hCYTBYS1oxUmtPUkRHNXVYNWR6ZGRyZzNLRkJUTmszNCth?=
 =?utf-8?B?UUZSYktaczR2c1NZandKZkN4Y0ZKd0tRaWVlTUVuTXhYT25VY3Z2eTdiQ0My?=
 =?utf-8?B?aG1QMHdzL09rNDF1cmNPdEQ3QUM2ZGRiaGE3Y29FT0xxUkNwVTY4d2tCWnBa?=
 =?utf-8?B?ZnVpNEFkajh1ZEVhOVVpTElLQ0I2Y3daNW0wTk5qcDN6N0czTGNEQmJDWDQ5?=
 =?utf-8?B?NG1oVjNvbi9ncmpoM0tCcUVLNXVZQmJhNTdFbSthSUlLTEZyNDF2Q1ZOVnhq?=
 =?utf-8?B?cElra2szc0plemQ1T2hIQ285SnVVaHpNVXphQlduVDkzQXpTeE5JeER1c3lY?=
 =?utf-8?B?L3gwVmx4UDhWbEMwK3A2T0x3QngwZjJhUGxhdnBOek5wZ1pHVnNLdUpHbWpp?=
 =?utf-8?B?VmQ0YitRa1VOWVlwbHpIQURvTFhKZThnZ3FsY3NUb1gvKzl0SnY4bmRIQU5w?=
 =?utf-8?B?RmllUHpSYVhKSFVCeHB2M1NWYWtTVjluMnZpc241bE5FR1REMVFXMStnRzFL?=
 =?utf-8?B?KzArT0lMbzVIZlBFYXNmenh1TGwwWWZLSUVoZmszaHJuajBQOGtnRGFnU0tr?=
 =?utf-8?B?TEFRUVRNZG5pbFhrS1czQ1d3bmtOOTN4ekRBR2lHZnlXcGdmaHNKbWNxT0hp?=
 =?utf-8?B?czZIdTBsTjdCbXpoUUVDNDVBRTVoNS9JQXl5QU9GQkY2R1pqbUJGbkxRZ2ta?=
 =?utf-8?B?RDhoMjVPMm95ZzBmU3ZIcGoyUVc0SlcyaU5NQkkwQ1JBUS9wSitLYi9ERVlq?=
 =?utf-8?B?MmV0L0svWG1lRm8yMzltZ0ZTRkdyeE03UWtqZVlNdHJXUDV6d0Jlbmhtakti?=
 =?utf-8?B?TlJDSm5Fd1BFL1NRSTlxTVgzVXRTcmwxSlBJWUtOQ1c0bTA0NEI2R3BxK0M3?=
 =?utf-8?B?UU9aN3hyTGIwVG9BVWMwcER4c2k0aVRPVDN4TVVHSW8yUnZsK2FHeTZVMHVs?=
 =?utf-8?B?b29hS29RdEpneXM1Z0tXOU9vVlFSSWQvaW1vUUw4Q21yWnhaSE1PVmtsbXhs?=
 =?utf-8?B?TmR3MU01TEUrRmNXZkY2R3l5aFoyOFlzZGhUNjJqSVJsamFGZFRYS095ZlVU?=
 =?utf-8?B?Y09zV2M1QllMM0F3Rm5EUlg5a3ppNUEwcDBTWXdFNVZZT2pTa3c0c01oRm5h?=
 =?utf-8?B?ZDdYUGpDTWFDWWdaeWs2eTN2TmdMQVpKbVlRbTdXWkhPRjUxc3VVcEZHZ3lG?=
 =?utf-8?B?QzE4SWQ5YVRRSXNkdkZRY0dTS2xiVlVpcEIrckJLQ0M0QmNwTDgxbTRZa2NS?=
 =?utf-8?B?RFltdGJOK3dUdSsvU2pTY1NmOHc0SXRvd01PSUEydWxuY3MwVHFUQWhITlJ0?=
 =?utf-8?B?UFgySnllVFNLYlN5WXJYZ1o0Z200ZUFPVERUTG5sL21zM1RNUTlTZHI5aHRL?=
 =?utf-8?B?WUtUemljV1E0OVJGK0tPdmtVNFpsWFVkbHpCRTc3Y3F3T3NZeXRwM3J5OS8w?=
 =?utf-8?B?eHpoY1R5czQvQkdZYjZROTF5NDVOK2krME9BZDY2MGFkL012TmRwWnJhczF6?=
 =?utf-8?B?Z2hPRU91VjhSczhkYmllSzBQUTE1RFpNYktqNVF4Uk85Qm8yN3d5b2tMa09B?=
 =?utf-8?B?WGFDTkxpQlJJSjJJcGswWjZkS200R0h2L0EybGVnRjJyaFhJNDVoNzUyRHAw?=
 =?utf-8?B?RjM1TmlXeXlJMjdKcE5vcGpCYzZqMXNFQmVBNGp2VXltdE5iZDliNzd2UkdG?=
 =?utf-8?B?dWpoM0doa01nL04zTWFmVjBVc0lhM3M0WmpxZ3JIcDVZSDlUMU5NQ2hEd2hW?=
 =?utf-8?B?SXUvQisxQlNxMzYzWlpObUhDT3Z3bnNQd1lTcU5FOGRSZUpGT1hKNUxDamFD?=
 =?utf-8?B?K3ZlNzJMb0xhZEVFZ2JRa2VGOEU3WXFjWlV0dHQrbWJEN0FSZ0NsbEhJZmZk?=
 =?utf-8?B?SGp2enVYNjlQc0xvTFJmUUtDdnd3L0JPRmpGaHNuNEJNMGtna3Z2VmQ5QUZU?=
 =?utf-8?B?ODQ3aEcwR3FVTC9GOS9lOExXVW11VTJDbTFqLzkwM281V2R1VldRMnlZVlFp?=
 =?utf-8?B?STJONHFKTVMxZktEd1BwU0hzSCtKQWczT3JVbm03TGJQZ0U1Wm9QeVVyaGcw?=
 =?utf-8?B?QlhjaXJVM1ExMDlxSlpnRWFPbDZSRzFtZCtKZm5HY0VEWWw5V1NLQWVkN1NG?=
 =?utf-8?B?UHJ5RzNFMmphaG1hTFBia0hnMEZFWGx4TFBVYVJuM3lRYWxhUnVBZU4waE9z?=
 =?utf-8?Q?yQcS6yUG21UGfvMlpPvee7U=3D?=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 618277c1-01cc-499b-7a64-08d9fd7108ff
X-MS-Exchange-CrossTenant-AuthSource: PH0PR10MB5706.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Mar 2022 23:53:37.7291
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: ouXl7gX0wrI82wy/tYPN+i7E/fJd/NEtNQAe6a0Wcn6HwaIvacXNZJbHCC1HhAmE27f1pitR/J49pIHhluedDA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR10MB3985
X-Proofpoint-Virus-Version: vendor=nai engine=6300 definitions=10275 signatures=686983
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 phishscore=0 bulkscore=0
 malwarescore=0 mlxscore=0 spamscore=0 suspectscore=0 mlxlogscore=999
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000
 definitions=main-2203030109
X-Proofpoint-ORIG-GUID: QdRJ3zO2MI6zYQeldPxiZRgx2t6_ABEL
X-Proofpoint-GUID: QdRJ3zO2MI6zYQeldPxiZRgx2t6_ABEL
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_LOW,
        RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE,
        T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 04/03/2022 02:24, David Sterba wrote:
> On Thu, Mar 03, 2022 at 10:40:27PM +0800, Dongliang Mu wrote:
>> From: Dongliang Mu <mudongliangabcd@gmail.com>
>>
>> Syzbot reported a possible use-after-free in printing information
>> in device_list_add.
>>
>> Very similar with the bug fixed by commit 0697d9a61099 ("btrfs: don't
>> access possibly stale fs_info data for printing duplicate device"),
>> but this time the use occurs in btrfs_info_in_rcu.
>>
>> ============================================================
>> Call Trace:
>>   kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
>>   btrfs_printk+0x395/0x425 fs/btrfs/super.c:244
>>   device_list_add.cold+0xd7/0x2ed fs/btrfs/volumes.c:957
>>   btrfs_scan_one_device+0x4c7/0x5c0 fs/btrfs/volumes.c:1387
>>   btrfs_control_ioctl+0x12a/0x2d0 fs/btrfs/super.c:2409
>>   vfs_ioctl fs/ioctl.c:51 [inline]
>>   __do_sys_ioctl fs/ioctl.c:874 [inline]
>>   __se_sys_ioctl fs/ioctl.c:860 [inline]
>>   __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
>>   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>>   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
>>   entry_SYSCALL_64_after_hwframe+0x44/0xae
>> ============================================================
>>
>> Fix this by modifying device->fs_info to NULL too.
>>
>> Reported-and-tested-by: syzbot+82650a4e0ed38f218363@syzkaller.appspotmail.com
>> Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
>> ---
>>   fs/btrfs/volumes.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
>> index b07d382d53a8..c1325bdae9a1 100644
>> --- a/fs/btrfs/volumes.c
>> +++ b/fs/btrfs/volumes.c
>> @@ -954,7 +954,7 @@ static noinline struct btrfs_device *device_list_add(const char *path,
>>   						  task_pid_nr(current));
>>   				return ERR_PTR(-EEXIST);
>>   			}
>> -			btrfs_info_in_rcu(device->fs_info,
>> +			btrfs_info_in_rcu(NULL,
> 
> A few lines above this is also NULL and was fixed by 0697d9a61099
> ("btrfs: don't access possibly stale fs_info data for printing duplicate
> device"), so yeah we probably need the same here.

So it appears that device->fs_info was garbage instead of NULL OR
fs_info->sb was NULL?
Because we always had a check if fs_info is null in btrfs_printk()
further the commit a0f6d924cada ("btrfs: remove stub device info from
messages when we have no fs_info") made it better.

Thanks, Anand