xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1a932ef4e47984dee227834667b5ff5a334e4805
android_kernel_xiaomi_sm8450/fs/btrfs
History
Liu Bo 1a932ef4e4 Btrfs: fix use-after-free on root->orphan_block_rsv 
I got these from running generic/475,

WARNING: CPU: 0 PID: 26384 at fs/btrfs/inode.c:3326 btrfs_orphan_commit_root+0x1ac/0x2b0 [btrfs]
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: btrfs_block_rsv_release+0x1c/0x70 [btrfs]
Call Trace:
  btrfs_orphan_release_metadata+0x9f/0x200 [btrfs]
  btrfs_orphan_del+0x10d/0x170 [btrfs]
  btrfs_setattr+0x500/0x640 [btrfs]
  notify_change+0x7ae/0x870
  do_truncate+0xca/0x130
  vfs_truncate+0x2ee/0x3d0
  do_sys_truncate+0xaf/0xf0
  SyS_truncate+0xe/0x10
  entry_SYSCALL_64_fastpath+0x1f/0x96

The race is between btrfs_orphan_commit_root and btrfs_orphan_del,
        t1                                        t2
btrfs_orphan_commit_root                     btrfs_orphan_del
   spin_lock
   check (&root->orphan_inodes)
   root->orphan_block_rsv = NULL;
   spin_unlock
                                             atomic_dec(&root->orphan_inodes);
                                             access root->orphan_block_rsv

Accessing root->orphan_block_rsv must be done before decreasing
root->orphan_inodes.

cc: <stable@vger.kernel.org> v3.12+
Fixes: 703c88e035 ("Btrfs: fix tracking of orphan inode count")
Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Reviewed-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: David Sterba <dsterba@suse.com>
2018-02-02 16:24:40 +01:00
..
tests
Btrfs: extent map selftest: dio write vs dio read
2018-01-22 16:08:22 +01:00
acl.c
btrfs: preserve i_mode if __btrfs_set_acl() fails
2017-08-21 17:47:42 +02:00
async-thread.c
Btrfs: fix confusing worker helper info in stacktrace
2017-10-30 12:27:57 +01:00
async-thread.h
btrfs: constify tracepoint arguments
2017-08-16 14:19:53 +02:00
backref.c
btrfs: make function update_share_count static
2018-01-22 16:08:14 +01:00
backref.h
btrfs: add a flag to iterate_inodes_from_logical to find all extent refs for uncompressed extents
2017-11-01 20:45:34 +01:00
btrfs_inode.h
btrfs: make the delalloc block rsv per inode
2017-11-01 20:45:35 +01:00
check-integrity.c
btrfs: Fix bug for misused dev_t when lookup in dev state hash table.
2017-11-01 20:45:36 +01:00
check-integrity.h
btrfs: take an fs_info directly when the root is not used otherwise
2016-12-06 16:06:59 +01:00
compression.c
btrfs: Remove redundant bio_get/set calls in compressed read/write paths
2018-01-22 16:08:19 +01:00
compression.h
btrfs: compression: add helper for type to string conversion
2018-01-22 16:08:16 +01:00
ctree.c
btrfs: Improve btrfs_search_slot description
2018-01-22 16:08:19 +01:00
ctree.h
Btrfs: move extent map specific code to extent_map.c
2018-01-22 16:08:22 +01:00
dedupe.h
btrfs: expand cow_file_range() to support in-band dedup and subpage-blocksize
2016-07-26 13:52:25 +02:00
delayed-inode.c
btrfs: Move checks from btrfs_wq_run_delayed_node to btrfs_balance_delayed_items
2018-01-22 16:08:11 +01:00
delayed-inode.h
btrfs: convert btrfs_delayed_item.refs from atomic_t to refcount_t
2017-04-18 14:07:23 +02:00
delayed-ref.c
Btrfs: add __init macro to btrfs init functions
2018-01-22 16:08:11 +01:00
delayed-ref.h
Btrfs: add __init macro to btrfs init functions
2018-01-22 16:08:11 +01:00
dev-replace.c
btrfs: cleanup device states define BTRFS_DEV_STATE_REPLACE_TGT
2018-01-22 16:08:15 +01:00
dev-replace.h
btrfs: constify device path passed to relevant helpers
2017-02-28 14:26:07 +01:00
dir-item.c
btrfs: Cleanup existing name_len checks
2018-01-22 16:08:12 +01:00
disk-io.c
btrfs: fail mount when sb flag is not in BTRFS_SUPER_FLAG_SUPP
2018-01-22 16:08:21 +01:00
disk-io.h
btrfs: sink get_extent parameter to read_extent_buffer_pages
2018-01-22 16:08:13 +01:00
export.c
btrfs: Cleanup existing name_len checks
2018-01-22 16:08:12 +01:00
export.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
extent_io.c
btrfs: sink unlock_extent parameter gfp_flags
2018-01-22 16:08:19 +01:00
extent_io.h
btrfs: sink unlock_extent parameter gfp_flags
2018-01-22 16:08:19 +01:00
extent_map.c
Btrfs: noinline merge_extent_mapping
2018-01-22 16:08:22 +01:00
extent_map.h
Btrfs: move extent map specific code to extent_map.c
2018-01-22 16:08:22 +01:00
extent-tree.c
btrfs: Make btrfs_inode_rsv_release static
2018-01-22 16:08:21 +01:00
file-item.c
Merge branch 'for-4.13-part1' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
2017-07-05 16:41:23 -07:00
file.c
Btrfs: fix space leak after fallocate and zero range operations
2018-01-22 16:08:20 +01:00
free-space-cache.c
btrfs: sink unlock_extent parameter gfp_flags
2018-01-22 16:08:19 +01:00
free-space-cache.h
btrfs: free-space-cache, clean up unnecessary root arguments
2017-02-17 12:03:56 +01:00
free-space-tree.c
btrfs: Clean up unused variables in free-space-tree.c
2017-10-30 12:27:59 +01:00
free-space-tree.h
btrfs: expose internal free space tree routine only if sanity tests are enabled
2017-08-18 16:36:29 +02:00
hash.c
crypto: Work around deallocated stack frame reference gcc bug on sparc.
2017-06-08 17:36:03 +08:00
hash.h
btrfs: advertise which crc32c implementation is being used at module load
2016-06-06 14:08:28 +02:00
inode-item.c
btrfs: take an fs_info directly when the root is not used otherwise
2016-12-06 16:06:59 +01:00
inode-map.c
Btrfs: rework outstanding_extents
2017-11-01 20:45:35 +01:00
inode-map.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
inode.c
Btrfs: fix use-after-free on root->orphan_block_rsv
2018-02-02 16:24:40 +01:00
ioctl.c
btrfs: use correct string length in DEV_INFO ioctl
2018-01-22 16:08:21 +01:00
Kconfig
Btrfs: add a extent ref verify tool
2017-10-30 12:28:00 +01:00
locking.c
btrfs: cleanup, remove stray return statements
2016-01-07 14:30:52 +01:00
locking.h
btrfs: fix lockups from btrfs_clear_path_blocking
2014-11-19 10:34:35 -08:00
lzo.c
btrfs: allow to set compression level for zlib
2017-11-01 20:45:29 +01:00
Makefile
Btrfs: add extent map selftests
2018-01-22 16:08:22 +01:00
math.h
btrfs: cleanup 64bit/32bit divs, compile time constants
2015-03-03 17:23:57 +01:00
ordered-data.c
Btrfs: rework outstanding_extents
2017-11-01 20:45:35 +01:00
ordered-data.h
btrfs: fix integer overflow in calc_reclaim_items_nr
2017-06-29 20:17:02 +02:00
orphan.c
btrfs: kill the key type accessor helpers
2014-09-17 13:37:12 -07:00
print-tree.c
Btrfs: add one more sanity check for shared ref type
2017-08-21 17:47:43 +02:00
print-tree.h
btrfs: get fs_info from eb in btrfs_print_tree, remove argument
2017-08-16 16:12:03 +02:00
props.c
btrfs: prop: use common helper for type to string conversion
2018-01-22 16:08:16 +01:00
props.h
Btrfs: add support for inode properties
2014-01-28 13:20:24 -08:00
qgroup.c
btrfs: sink gfp parameter to clear_extent_bit
2018-01-22 16:08:12 +01:00
qgroup.h
btrfs: qgroup: Fix qgroup reserved space underflow by only freeing reserved ranges
2017-06-29 20:17:02 +02:00
raid56.c
Btrfs: raid56: fix race between merge_bio and rbio_orig_end_io
2018-01-22 16:08:21 +01:00
raid56.h
btrfs: take an fs_info directly when the root is not used otherwise
2016-12-06 16:06:59 +01:00
rcu-string.h
reada.c
btrfs: remove unused member err from reada_extent
2017-06-19 18:25:59 +02:00
ref-verify.c
btrfs: ref-verify: Remove unused parameter from walk_up_tree() to kill warning
2018-01-22 16:08:13 +01:00
ref-verify.h
Btrfs: add a extent ref verify tool
2017-10-30 12:28:00 +01:00
relocation.c
Btrfs: fix reported number of inode blocks after buffered append writes
2017-11-15 17:27:46 +01:00
root-tree.c
btrfs: Cleanup existing name_len checks
2018-01-22 16:08:12 +01:00
scrub.c
btrfs: rename btrfs_device::scrub_device to scrub_ctx
2018-01-22 16:08:20 +01:00
send.c
btrfs: Cleanup existing name_len checks
2018-01-22 16:08:12 +01:00
send.h
btrfs: fix send ioctl on 32bit with 64bit kernel
2017-10-30 12:27:59 +01:00
struct-funcs.c
btrfs: struct-funcs, constify readers
2017-08-16 14:19:53 +02:00
super.c
btrfS: collapse btrfs_handle_error() into __btrfs_handle_fs_error()
2018-01-22 16:08:20 +01:00
sysfs.c
Btrfs: add __init macro to btrfs init functions
2018-01-22 16:08:11 +01:00
sysfs.h
Merge branch 'for-4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
2017-11-14 13:35:29 -08:00
transaction.c
btrfs: simplify mutex unlocking code in btrfs_commit_transaction
2018-01-22 16:08:20 +01:00
transaction.h
btrfs: reorder btrfs_transaction members for better packing
2018-01-22 16:08:14 +01:00
tree-checker.c
btrfs: tree-check: reduce stack consumption in check_dir_item
2018-01-22 16:08:21 +01:00
tree-checker.h
btrfs: tree-checker: Fix false panic for sanity test
2017-11-28 14:59:09 +01:00
tree-defrag.c
Btrfs: fix locking bugs when defragging leaves
2015-12-18 02:51:32 +00:00
tree-log.c
Btrfs: fix extent state leak from tree log
2018-02-02 16:24:30 +01:00
tree-log.h
btrfs: Make btrfs_del_inode_ref take btrfs_inode
2017-02-14 15:50:54 +01:00
ulist.c
btrfs: ulist: rename ulist_fini to ulist_release
2017-02-17 12:03:50 +01:00
ulist.h
btrfs: ulist: rename ulist_fini to ulist_release
2017-02-17 12:03:50 +01:00
uuid-tree.c
btrfs: return the actual error value from from btrfs_uuid_tree_iterate
2016-12-19 18:08:15 +01:00
volumes.c
btrfs: drop devid as device_list_add() arg
2018-01-29 19:31:16 +01:00
volumes.h
btrfs: Remove unused readahead spinlock
2018-01-22 16:08:21 +01:00
xattr.c
btrfs: Cleanup existing name_len checks
2018-01-22 16:08:12 +01:00
xattr.h
btrfs: Switch to generic xattr handlers
2016-05-17 19:17:09 -04:00
zlib.c
btrfs: allow to set compression level for zlib
2017-11-01 20:45:29 +01:00
zstd.c
btrfs: move some zstd work data from stack to workspace
2018-01-22 16:08:14 +01:00