linux/fs/btrfs
Qu Wenruo 57949d033a btrfs: qgroup: Check bg while resuming relocation to avoid NULL pointer dereference
[BUG]
When mounting a fs with reloc tree and has qgroup enabled, it can cause
NULL pointer dereference at mount time:

  BUG: kernel NULL pointer dereference, address: 00000000000000a8
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: 0000 [#1] PREEMPT SMP NOPTI
  RIP: 0010:btrfs_qgroup_add_swapped_blocks+0x186/0x300 [btrfs]
  Call Trace:
   replace_path.isra.23+0x685/0x900 [btrfs]
   merge_reloc_root+0x26e/0x5f0 [btrfs]
   merge_reloc_roots+0x10a/0x1a0 [btrfs]
   btrfs_recover_relocation+0x3cd/0x420 [btrfs]
   open_ctree+0x1bc8/0x1ed0 [btrfs]
   btrfs_mount_root+0x544/0x680 [btrfs]
   legacy_get_tree+0x34/0x60
   vfs_get_tree+0x2d/0xf0
   fc_mount+0x12/0x40
   vfs_kern_mount.part.12+0x61/0xa0
   vfs_kern_mount+0x13/0x20
   btrfs_mount+0x16f/0x860 [btrfs]
   legacy_get_tree+0x34/0x60
   vfs_get_tree+0x2d/0xf0
   do_mount+0x81f/0xac0
   ksys_mount+0xbf/0xe0
   __x64_sys_mount+0x25/0x30
   do_syscall_64+0x65/0x240
   entry_SYSCALL_64_after_hwframe+0x49/0xbe

[CAUSE]
In btrfs_recover_relocation(), we don't have enough info to determine
which block group we're relocating, but only to merge existing reloc
trees.

Thus in btrfs_recover_relocation(), rc->block_group is NULL.
btrfs_qgroup_add_swapped_blocks() hasn't taken this into consideration,
and causes a NULL pointer dereference.

The bug is introduced by commit 3d0174f78e ("btrfs: qgroup: Only trace
data extents in leaves if we're relocating data block group"), and
later qgroup refactoring still keeps this optimization.

[FIX]
Thankfully in the context of btrfs_recover_relocation(), there is no
other progress can modify tree blocks, thus those swapped tree blocks
pair will never affect qgroup numbers, no matter whatever we set for
block->trace_leaf.

So we only need to check if @bg is NULL before accessing @bg->flags.

Reported-by: Juan Erbes <jerbes@gmail.com>
Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1134806
Fixes: 3d0174f78e ("btrfs: qgroup: Only trace data extents in leaves if we're relocating data block group")
CC: stable@vger.kernel.org # 4.20+
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
2019-05-28 18:54:10 +02:00
..
tests btrfs: get fs_info from block group in search_free_space_info 2019-04-29 19:02:46 +02:00
acl.c btrfs: cleanup btrfs_setxattr_trans and drop transaction parameter 2019-04-29 19:02:44 +02:00
async-thread.c btrfs: simplify workqueue name when allocating 2019-02-25 14:13:24 +01:00
async-thread.h
backref.c Btrfs: do not start a transaction during fiemap 2019-04-29 19:02:51 +02:00
backref.h
btrfs_inode.h Btrfs: improve performance on fsync of files with multiple hardlinks 2019-04-29 19:02:52 +02:00
check-integrity.c btrfs: Fix typos in comments and strings 2018-12-17 14:51:50 +01:00
check-integrity.h
compression.c btrfs: Check the compression level before getting a workspace 2019-05-03 18:21:25 +02:00
compression.h btrfs: change set_level() to bound the level passed in 2019-02-25 14:13:32 +01:00
ctree.c btrfs: ctree: Dump the leaf before BUG_ON in btrfs_set_item_key_safe 2019-04-29 19:02:52 +02:00
ctree.h btrfs: track DIO bytes in flight 2019-04-29 19:25:37 +02:00
dedupe.h
delayed-inode.c btrfs: get fs_info from eb in btrfs_leaf_free_space 2019-04-29 19:02:30 +02:00
delayed-inode.h Btrfs: delayed-inode: use rb_first_cached for ins_root and del_root 2018-10-15 17:23:33 +02:00
delayed-ref.c btrfs: remove unused parameter fs_info from btrfs_add_delayed_extent_op 2019-04-29 19:02:51 +02:00
delayed-ref.h btrfs: remove unused parameter fs_info from btrfs_add_delayed_extent_op 2019-04-29 19:02:51 +02:00
dev-replace.c btrfs: Ensure replaced device doesn't have pending chunk allocation 2019-05-28 18:54:00 +02:00
dev-replace.h btrfs: get fs_info from trans in btrfs_run_dev_replace 2019-04-29 19:02:43 +02:00
dir-item.c btrfs: remove unused parameter fs_info from btrfs_extend_item 2019-04-29 19:02:50 +02:00
disk-io.c btrfs: track DIO bytes in flight 2019-04-29 19:25:37 +02:00
disk-io.h btrfs: get fs_info from trans in btrfs_create_tree 2019-04-29 19:02:41 +02:00
export.c
export.h
extent_io.c btrfs: remove unused parameter fs_info from emit_last_fiemap_cache 2019-04-29 19:02:51 +02:00
extent_io.h btrfs: Remove bio_offset argument from submit_bio_hook 2019-04-29 19:02:47 +02:00
extent_map.c btrfs: Optimize unallocated chunks discard 2019-04-29 19:02:38 +02:00
extent_map.h btrfs: Remove impossible condition from mergable_maps 2019-02-25 14:13:21 +01:00
extent-tree.c btrfs: extent-tree: Fix a bug that btrfs is unable to add pinned bytes 2019-05-16 14:31:13 +02:00
file-item.c btrfs: Document btrfs_csum_one_bio 2019-04-29 19:02:52 +02:00
file.c Btrfs: fix race between ranged fsync and writeback of adjacent ranges 2019-05-16 14:31:13 +02:00
free-space-cache.c btrfs: get fs_info from block group in btrfs_find_space_cluster 2019-04-29 19:02:46 +02:00
free-space-cache.h btrfs: get fs_info from block group in btrfs_find_space_cluster 2019-04-29 19:02:46 +02:00
free-space-tree.c btrfs: get fs_info from block group in search_free_space_info 2019-04-29 19:02:46 +02:00
free-space-tree.h btrfs: get fs_info from block group in search_free_space_info 2019-04-29 19:02:46 +02:00
inode-item.c btrfs: remove unused parameter fs_info from btrfs_extend_item 2019-04-29 19:02:50 +02:00
inode-map.c
inode-map.h
inode.c btrfs: Use kvmalloc for allocating compressed path context 2019-05-02 13:48:19 +02:00
ioctl.c btrfs: drop local copy of inode i_mode 2019-04-29 19:02:53 +02:00
Kconfig
locking.c btrfs: trace: Introduce trace events for all btrfs tree locking events 2019-04-29 19:02:43 +02:00
locking.h btrfs: merge btrfs_set_lock_blocking_rw with it's caller 2019-02-25 14:13:28 +01:00
lzo.c btrfs: change set_level() to bound the level passed in 2019-02-25 14:13:32 +01:00
Makefile
math.h
ordered-data.c btrfs: track DIO bytes in flight 2019-04-29 19:25:37 +02:00
ordered-data.h btrfs: Remove redundant inode argument from btrfs_add_ordered_sum 2019-04-29 19:02:40 +02:00
orphan.c
print-tree.c btrfs: get fs_info from eb in btrfs_leaf_free_space 2019-04-29 19:02:30 +02:00
print-tree.h
props.c btrfs: use the existing reserved items for our first prop for inheritance 2019-05-09 11:18:14 +02:00
props.h btrfs: delete unused function btrfs_set_prop_trans 2019-04-29 19:02:54 +02:00
qgroup.c btrfs: qgroup: Check bg while resuming relocation to avoid NULL pointer dereference 2019-05-28 18:54:10 +02:00
qgroup.h btrfs: qgroup: Move reserved data accounting from btrfs_delayed_ref_head to btrfs_qgroup_extent_record 2019-02-25 14:13:39 +01:00
raid56.c for-5.1-rc2-tag 2019-03-26 10:32:13 -07:00
raid56.h
rcu-string.h
reada.c btrfs: dev-replace: open code trivial locking helpers 2018-12-17 14:51:45 +01:00
ref-verify.c btrfs: ref-verify: Use btrfs_ref to refactor btrfs_ref_tree_mod() 2019-04-29 19:02:49 +02:00
ref-verify.h btrfs: ref-verify: Use btrfs_ref to refactor btrfs_ref_tree_mod() 2019-04-29 19:02:49 +02:00
relocation.c btrfs: reloc: Also queue orphan reloc tree for cleanup to avoid BUG_ON() 2019-05-28 18:54:10 +02:00
root-tree.c Btrfs: do not abort transaction at btrfs_update_root() after failure to COW path 2019-05-09 11:25:27 +02:00
scrub.c btrfs: get fs_info from device in btrfs_scrub_cancel_dev 2019-04-29 19:02:47 +02:00
send.c Btrfs: incremental send, fix emission of invalid clone operations 2019-05-28 18:54:10 +02:00
send.h
struct-funcs.c
super.c btrfs: drop unused parameter in mount_subvol 2019-04-29 19:02:35 +02:00
sysfs.c btrfs: sysfs: don't leak memory when failing add fsid 2019-05-16 14:31:12 +02:00
sysfs.h btrfs: drop extra enum initialization where using defaults 2018-12-17 14:51:43 +01:00
transaction.c Btrfs: remove no longer used member num_dirty_bgs from transaction 2019-04-29 19:02:43 +02:00
transaction.h Btrfs: remove no longer used member num_dirty_bgs from transaction 2019-04-29 19:02:43 +02:00
tree-checker.c Btrfs: tree-checker: detect file extent items with overlapping ranges 2019-05-16 14:33:51 +02:00
tree-checker.h btrfs: get fs_info from eb in btrfs_check_chunk_valid 2019-04-29 19:02:39 +02:00
tree-defrag.c btrfs: open code now trivial btrfs_set_lock_blocking 2019-02-25 14:13:27 +01:00
tree-log.c Btrfs: avoid fallback to transaction commit during fsync of files with holes 2019-05-16 14:31:13 +02:00
tree-log.h btrfs: get fs_info from trans in btrfs_set_log_full_commit 2019-04-29 19:02:41 +02:00
ulist.c
ulist.h
uuid-tree.c btrfs: remove unused parameter fs_info from btrfs_extend_item 2019-04-29 19:02:50 +02:00
volumes.c btrfs: get fs_info from device in btrfs_rm_dev_replace_free_srcdev 2019-04-29 19:02:48 +02:00
volumes.h btrfs: get fs_info from device in btrfs_rm_dev_replace_free_srcdev 2019-04-29 19:02:48 +02:00
xattr.c btrfs: start transaction in xattr_handler_set_prop 2019-04-29 19:02:54 +02:00
xattr.h btrfs: cleanup btrfs_setxattr_trans and drop transaction parameter 2019-04-29 19:02:44 +02:00
zlib.c btrfs: change set_level() to bound the level passed in 2019-02-25 14:13:32 +01:00
zstd.c btrfs: correct zstd workspace manager lock to use spin_lock_bh() 2019-05-28 18:54:09 +02:00