1. 02 Mar, 2024 6 commits
  2. 01 Mar, 2024 25 commits
  3. 29 Feb, 2024 9 commits
    • Filipe Manana's avatar
      btrfs: fix double free of anonymous device after snapshot creation failure · e2b54eaf
      Filipe Manana authored
      When creating a snapshot we may do a double free of an anonymous device
      in case there's an error committing the transaction. The second free may
      result in freeing an anonymous device number that was allocated by some
      other subsystem in the kernel or another btrfs filesystem.
      
      The steps that lead to this:
      
      1) At ioctl.c:create_snapshot() we allocate an anonymous device number
         and assign it to pending_snapshot->anon_dev;
      
      2) Then we call btrfs_commit_transaction() and end up at
         transaction.c:create_pending_snapshot();
      
      3) There we call btrfs_get_new_fs_root() and pass it the anonymous device
         number stored in pending_snapshot->anon_dev;
      
      4) btrfs_get_new_fs_root() frees that anonymous device number because
         btrfs_lookup_fs_root() returned a root - someone else did a lookup
         of the new root already, which could some task doing backref walking;
      
      5) After that some error happens in the transaction commit path, and at
         ioctl.c:create_snapshot() we jump to the 'fail' label, and after
         that we free again the same anonymous device number, which in the
         meanwhile may have been reallocated somewhere else, because
         pending_snapshot->anon_dev still has the same value as in step 1.
      
      Recently syzbot ran into this and reported the following trace:
      
        ------------[ cut here ]------------
        ida_free called for id=51 which is not allocated.
        WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525
        Modules linked in:
        CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc #0
        Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
        RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525
        Code: 10 42 80 3c 28 (...)
        RSP: 0018:ffffc90015a67300 EFLAGS: 00010246
        RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000
        RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000
        RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4
        R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246
        R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246
        FS:  00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0
        Call Trace:
         <TASK>
         btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346
         create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837
         create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931
         btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404
         create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848
         btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998
         btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044
         __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306
         btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393
         btrfs_ioctl+0xa74/0xd40
         vfs_ioctl fs/ioctl.c:51 [inline]
         __do_sys_ioctl fs/ioctl.c:871 [inline]
         __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857
         do_syscall_64+0xfb/0x240
         entry_SYSCALL_64_after_hwframe+0x6f/0x77
        RIP: 0033:0x7fca3e67dda9
        Code: 28 00 00 00 (...)
        RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
        RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9
        RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003
        RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000
        R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
        R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658
         </TASK>
      
      Where we get an explicit message where we attempt to free an anonymous
      device number that is not currently allocated. It happens in a different
      code path from the example below, at btrfs_get_root_ref(), so this change
      may not fix the case triggered by syzbot.
      
      To fix at least the code path from the example above, change
      btrfs_get_root_ref() and its callers to receive a dev_t pointer argument
      for the anonymous device number, so that in case it frees the number, it
      also resets it to 0, so that up in the call chain we don't attempt to do
      the double free.
      
      CC: stable@vger.kernel.org # 5.10+
      Link: https://lore.kernel.org/linux-btrfs/000000000000f673a1061202f630@google.com/
      Fixes: e03ee2fe ("btrfs: do not ASSERT() if the newly created subvolume already got read")
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      e2b54eaf
    • Filipe Manana's avatar
      btrfs: ensure fiemap doesn't race with writes when FIEMAP_FLAG_SYNC is given · 418b0902
      Filipe Manana authored
      When FIEMAP_FLAG_SYNC is given to fiemap the expectation is that that
      are no concurrent writes and we get a stable view of the inode's extent
      layout.
      
      When the flag is given we flush all IO (and wait for ordered extents to
      complete) and then lock the inode in shared mode, however that leaves open
      the possibility that a write might happen right after the flushing and
      before locking the inode. So fix this by flushing again after locking the
      inode - we leave the initial flushing before locking the inode to avoid
      holding the lock and blocking other RO operations while waiting for IO
      and ordered extents to complete. The second flushing while holding the
      inode's lock will most of the time do nothing or very little since the
      time window for new writes to have happened is small.
      Reviewed-by: default avatarJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      418b0902
    • Filipe Manana's avatar
      btrfs: fix race between ordered extent completion and fiemap · a1a4a9ca
      Filipe Manana authored
      For fiemap we recently stopped locking the target extent range for the
      whole duration of the fiemap call, in order to avoid a deadlock in a
      scenario where the fiemap buffer happens to be a memory mapped range of
      the same file. This use case is very unlikely to be useful in practice but
      it may be triggered by fuzz testing (syzbot, etc).
      
      However by not locking the target extent range for the whole duration of
      the fiemap call we can race with an ordered extent. This happens like
      this:
      
      1) The fiemap task finishes processing a file extent item that covers
         the file range [512K, 1M[, and that file extent item is the last item
         in the leaf currently being processed;
      
      2) And ordered extent for the file range [768K, 2M[, in COW mode,
         completes (btrfs_finish_one_ordered()) and the file extent item
         covering the range [512K, 1M[ is trimmed to cover the range
         [512K, 768K[ and then a new file extent item for the range [768K, 2M[
         is inserted in the inode's subvolume tree;
      
      3) The fiemap task calls fiemap_next_leaf_item(), which then calls
         btrfs_next_leaf() to find the next leaf / item. This finds that the
         the next key following the one we previously processed (its type is
         BTRFS_EXTENT_DATA_KEY and its offset is 512K), is the key corresponding
         to the new file extent item inserted by the ordered extent, which has
         a type of BTRFS_EXTENT_DATA_KEY and an offset of 768K;
      
      4) Later the fiemap code ends up at emit_fiemap_extent() and triggers
         the warning:
      
            if (cache->offset + cache->len > offset) {
                     WARN_ON(1);
                     return -EINVAL;
            }
      
         Since we get 1M > 768K, because the previously emitted entry for the
         old extent covering the file range [512K, 1M[ ends at an offset that
         is greater than the new extent's start offset (768K). This makes fiemap
         fail with -EINVAL besides triggering the warning that produces a stack
         trace like the following:
      
           [1621.677651] ------------[ cut here ]------------
           [1621.677656] WARNING: CPU: 1 PID: 204366 at fs/btrfs/extent_io.c:2492 emit_fiemap_extent+0x84/0x90 [btrfs]
           [1621.677899] Modules linked in: btrfs blake2b_generic (...)
           [1621.677951] CPU: 1 PID: 204366 Comm: pool Not tainted 6.8.0-rc5-btrfs-next-151+ #1
           [1621.677954] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
           [1621.677956] RIP: 0010:emit_fiemap_extent+0x84/0x90 [btrfs]
           [1621.678033] Code: 2b 4c 89 63 (...)
           [1621.678035] RSP: 0018:ffffab16089ffd20 EFLAGS: 00010206
           [1621.678037] RAX: 00000000004fa000 RBX: ffffab16089ffe08 RCX: 0000000000009000
           [1621.678039] RDX: 00000000004f9000 RSI: 00000000004f1000 RDI: ffffab16089ffe90
           [1621.678040] RBP: 00000000004f9000 R08: 0000000000001000 R09: 0000000000000000
           [1621.678041] R10: 0000000000000000 R11: 0000000000001000 R12: 0000000041d78000
           [1621.678043] R13: 0000000000001000 R14: 0000000000000000 R15: ffff9434f0b17850
           [1621.678044] FS:  00007fa6e20006c0(0000) GS:ffff943bdfa40000(0000) knlGS:0000000000000000
           [1621.678046] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
           [1621.678048] CR2: 00007fa6b0801000 CR3: 000000012d404002 CR4: 0000000000370ef0
           [1621.678053] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
           [1621.678055] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
           [1621.678056] Call Trace:
           [1621.678074]  <TASK>
           [1621.678076]  ? __warn+0x80/0x130
           [1621.678082]  ? emit_fiemap_extent+0x84/0x90 [btrfs]
           [1621.678159]  ? report_bug+0x1f4/0x200
           [1621.678164]  ? handle_bug+0x42/0x70
           [1621.678167]  ? exc_invalid_op+0x14/0x70
           [1621.678170]  ? asm_exc_invalid_op+0x16/0x20
           [1621.678178]  ? emit_fiemap_extent+0x84/0x90 [btrfs]
           [1621.678253]  extent_fiemap+0x766/0xa30 [btrfs]
           [1621.678339]  btrfs_fiemap+0x45/0x80 [btrfs]
           [1621.678420]  do_vfs_ioctl+0x1e4/0x870
           [1621.678431]  __x64_sys_ioctl+0x6a/0xc0
           [1621.678434]  do_syscall_64+0x52/0x120
           [1621.678445]  entry_SYSCALL_64_after_hwframe+0x6e/0x76
      
      There's also another case where before calling btrfs_next_leaf() we are
      processing a hole or a prealloc extent and we had several delalloc ranges
      within that hole or prealloc extent. In that case if the ordered extents
      complete before we find the next key, we may end up finding an extent item
      with an offset smaller than (or equals to) the offset in cache->offset.
      
      So fix this by changing emit_fiemap_extent() to address these three
      scenarios like this:
      
      1) For the first case, steps listed above, adjust the length of the
         previously cached extent so that it does not overlap with the current
         extent, emit the previous one and cache the current file extent item;
      
      2) For the second case where he had a hole or prealloc extent with
         multiple delalloc ranges inside the hole or prealloc extent's range,
         and the current file extent item has an offset that matches the offset
         in the fiemap cache, just discard what we have in the fiemap cache and
         assign the current file extent item to the cache, since it's more up
         to date;
      
      3) For the third case where he had a hole or prealloc extent with
         multiple delalloc ranges inside the hole or prealloc extent's range
         and the offset of the file extent item we just found is smaller than
         what we have in the cache, just skip the current file extent item
         if its range end at or behind the cached extent's end, because we may
         have emitted (to the fiemap user space buffer) delalloc ranges that
         overlap with the current file extent item's range. If the file extent
         item's range goes beyond the end offset of the cached extent, just
         emit the cached extent and cache a subrange of the file extent item,
         that goes from the end offset of the cached extent to the end offset
         of the file extent item.
      
      Dealing with those cases in those ways makes everything consistent by
      reflecting the current state of file extent items in the btree and
      without emitting extents that have overlapping ranges (which would be
      confusing and violating expectations).
      
      This issue could be triggered often with test case generic/561, and was
      also hit and reported by Wang Yugui.
      Reported-by: default avatarWang Yugui <wangyugui@e16-tech.com>
      Link: https://lore.kernel.org/linux-btrfs/20240223104619.701F.409509F4@e16-tech.com/
      Fixes: b0ad381f ("btrfs: fix deadlock with fiemap and extent locking")
      Reviewed-by: default avatarJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      a1a4a9ca
    • Linus Torvalds's avatar
      Merge tag 'net-6.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 87adedeb
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bluetooth, WiFi and netfilter.
      
        We have one outstanding issue with the stmmac driver, which may be a
        LOCKDEP false positive, not a blocker.
      
        Current release - regressions:
      
         - netfilter: nf_tables: re-allow NFPROTO_INET in
           nft_(match/target)_validate()
      
         - eth: ionic: fix error handling in PCI reset code
      
        Current release - new code bugs:
      
         - eth: stmmac: complete meta data only when enabled, fix null-deref
      
         - kunit: fix again checksum tests on big endian CPUs
      
        Previous releases - regressions:
      
         - veth: try harder when allocating queue memory
      
         - Bluetooth:
            - hci_bcm4377: do not mark valid bd_addr as invalid
            - hci_event: fix handling of HCI_EV_IO_CAPA_REQUEST
      
        Previous releases - always broken:
      
         - info leak in __skb_datagram_iter() on netlink socket
      
         - mptcp:
            - map v4 address to v6 when destroying subflow
            - fix potential wake-up event loss due to sndbuf auto-tuning
            - fix double-free on socket dismantle
      
         - wifi: nl80211: reject iftype change with mesh ID change
      
         - fix small out-of-bound read when validating netlink be16/32 types
      
         - rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back
      
         - ipv6: fix potential "struct net" ref-leak in inet6_rtm_getaddr()
      
         - ip_tunnel: prevent perpetual headroom growth with huge number of
           tunnels on top of each other
      
         - mctp: fix skb leaks on error paths of mctp_local_output()
      
         - eth: ice: fixes for DPLL state reporting
      
         - dpll: rely on rcu for netdev_dpll_pin() to prevent UaF
      
         - eth: dpaa: accept phy-interface-type = '10gbase-r' in the device
           tree"
      
      * tag 'net-6.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (73 commits)
        dpll: fix build failure due to rcu_dereference_check() on unknown type
        kunit: Fix again checksum tests on big endian CPUs
        tls: fix use-after-free on failed backlog decryption
        tls: separate no-async decryption request handling from async
        tls: fix peeking with sync+async decryption
        tls: decrement decrypt_pending if no async completion will be called
        gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
        net: hsr: Use correct offset for HSR TLV values in supervisory HSR frames
        igb: extend PTP timestamp adjustments to i211
        rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back
        tools: ynl: fix handling of multiple mcast groups
        selftests: netfilter: add bridge conntrack + multicast test case
        netfilter: bridge: confirm multicast packets before passing them up the stack
        netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()
        Bluetooth: qca: Fix triggering coredump implementation
        Bluetooth: hci_qca: Set BDA quirk bit if fwnode exists in DT
        Bluetooth: qca: Fix wrong event type for patch config command
        Bluetooth: Enforce validation on max value of connection interval
        Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST
        Bluetooth: mgmt: Fix limited discoverable off timeout
        ...
      87adedeb
    • Linus Torvalds's avatar
      Merge tag 'landlock-6.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux · d4f76f80
      Linus Torvalds authored
      Pull Landlock fix from Mickaël Salaün:
       "Fix a potential issue when handling inodes with inconsistent
        properties"
      
      * tag 'landlock-6.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
        landlock: Fix asymmetric private inodes referring
      d4f76f80
    • Dimitris Vlachos's avatar
      riscv: Sparse-Memory/vmemmap out-of-bounds fix · a11dd49d
      Dimitris Vlachos authored
      Offset vmemmap so that the first page of vmemmap will be mapped
      to the first page of physical memory in order to ensure that
      vmemmap’s bounds will be respected during
      pfn_to_page()/page_to_pfn() operations.
      The conversion macros will produce correct SV39/48/57 addresses
      for every possible/valid DRAM_BASE inside the physical memory limits.
      
      v2:Address Alex's comments
      Suggested-by: default avatarAlexandre Ghiti <alexghiti@rivosinc.com>
      Signed-off-by: default avatarDimitris Vlachos <dvlachos@ics.forth.gr>
      Reported-by: default avatarDimitris Vlachos <dvlachos@ics.forth.gr>
      Closes: https://lore.kernel.org/linux-riscv/20240202135030.42265-1-csd4492@csd.uoc.gr
      Fixes: d95f1a54 ("RISC-V: Implement sparsemem")
      Reviewed-by: default avatarAlexandre Ghiti <alexghiti@rivosinc.com>
      Link: https://lore.kernel.org/r/20240229191723.32779-1-dvlachos@ics.forth.grSigned-off-by: default avatarPalmer Dabbelt <palmer@rivosinc.com>
      a11dd49d
    • Eric Dumazet's avatar
      dpll: fix build failure due to rcu_dereference_check() on unknown type · 640f41ed
      Eric Dumazet authored
      Tasmiya reports that their compiler complains that we deref
      a pointer to unknown type with rcu_dereference_rtnl():
      
      include/linux/rcupdate.h:439:9: error: dereferencing pointer to incomplete type ‘struct dpll_pin’
      
      Unclear what compiler it is, at the moment, and we can't report
      but since DPLL can't be a module - move the code from the header
      into the source file.
      
      Fixes: 0d60d8df ("dpll: rely on rcu for netdev_dpll_pin()")
      Reported-by: default avatarTasmiya Nalatwad <tasmiya@linux.vnet.ibm.com>
      Link: https://lore.kernel.org/all/3fcf3a2c-1c1b-42c1-bacb-78fdcd700389@linux.vnet.ibm.com/Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20240229190515.2740221-1-kuba@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      640f41ed
    • Palmer Dabbelt's avatar
      Merge patch series "NAPOT Fixes" · 2b8acd71
      Palmer Dabbelt authored
      Alexandre Ghiti <alexghiti@rivosinc.com> says:
      
      This contains 2 fixes for NAPOT: patch 1 disables the use of NAPOT
      mapping for vmalloc/vmap and patch 2 implements pte_leaf_size() to
      report NAPOT size.
      
      * b4-shazam-merge:
        riscv: Fix pte_leaf_size() for NAPOT
        Revert "riscv: mm: support Svnapot in huge vmap"
      
      Link: https://lore.kernel.org/r/20240227205016.121901-1-alexghiti@rivosinc.comSigned-off-by: default avatarPalmer Dabbelt <palmer@rivosinc.com>
      2b8acd71
    • Alexandre Ghiti's avatar
      riscv: Fix pte_leaf_size() for NAPOT · e0fe5ab4
      Alexandre Ghiti authored
      pte_leaf_size() must be reimplemented to add support for NAPOT mappings.
      
      Fixes: 82a1a1f3 ("riscv: mm: support Svnapot in hugetlb page")
      Signed-off-by: default avatarAlexandre Ghiti <alexghiti@rivosinc.com>
      Link: https://lore.kernel.org/r/20240227205016.121901-3-alexghiti@rivosinc.comSigned-off-by: default avatarPalmer Dabbelt <palmer@rivosinc.com>
      e0fe5ab4