From patchwork Thu Jun 22 23:55:46 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1798730
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Focal][PATCH 1/2] btrfs: check return value of btrfs_commit_transaction in relocation
Date: Thu, 22 Jun 2023 19:55:46 -0400
Message-Id: <20230622235547.56485-2-yuxuan.luo@canonical.com>
In-Reply-To: <20230622235547.56485-1-yuxuan.luo@canonical.com>
References: <20230622235547.56485-1-yuxuan.luo@canonical.com>

From: Josef Bacik

There are a few places where we don't check the return value of btrfs_commit_transaction in relocation.c. Thankfully all these places have straightforward error handling, so simply change all of the sites at once.

Reviewed-by: Qu Wenruo
Signed-off-by: Josef Bacik
Reviewed-by: David Sterba
Signed-off-by: David Sterba
(cherry picked from commit fb686c6824dd6294ca772b92424b8fba666e7d00)
CVE-2023-3111
Signed-off-by: Yuxuan Luo
---
 fs/btrfs/relocation.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
index ba68b0b41dff3..c196863420571 100644
--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -2511,7 +2511,7 @@ int prepare_to_merge(struct reloc_control *rc, int err) list_splice(&reloc_roots, &rc->reloc_roots); if (!err) - btrfs_commit_transaction(trans); + err = btrfs_commit_transaction(trans); else btrfs_end_transaction(trans); return err;
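Review bot: in the `else` branch the return value of btrfs_end_transaction(trans) is still dropped; that is acceptable here because the branch only runs when err is already non-zero and the original error should win, but given this patch's stated purpose a short comment on that line would keep a later reader from treating it as one more missed check.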
@@ -4102,8 +4102,7 @@ int prepare_to_relocate(struct reloc_control *rc) */ return PTR_ERR(trans); } - btrfs_commit_transaction(trans); - return 0; + return btrfs_commit_transaction(trans); } static noinline_for_stack int relocate_block_group(struct reloc_control *rc) 
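Review bot: prepare_to_relocate() now returns the commit error, but on that path fs_info->reloc_ctl still holds the rc installed earlier in this function by set_reloc_control() (see the call chain in the PATCH 2/2 description), and btrfs_relocate_block_group() frees rc when it sees the error. The error return should be paired with unset_reloc_control(rc) before `return`, which is exactly what PATCH 2/2 of this series adds; for the SRU, make sure both patches land together so no intermediate Focal kernel carries the dangling pointer.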
@@ -4263,7 +4262,9 @@ static noinline_for_stack int relocate_block_group(struct reloc_control *rc) err = PTR_ERR(trans); goto out_free; } - btrfs_commit_transaction(trans); + ret = btrfs_commit_transaction(trans); + if (ret && !err) + err = ret; out_free: ret = clean_dirty_subvols(rc); if (ret < 0 && !err)

From patchwork Thu Jun 22 23:55:47 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1798732
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Focal][PATCH 2/2] btrfs: unset reloc control if transaction commit fails in prepare_to_relocate()
Date: Thu, 22 Jun 2023 19:55:47 -0400
Message-Id: <20230622235547.56485-3-yuxuan.luo@canonical.com>
In-Reply-To: <20230622235547.56485-1-yuxuan.luo@canonical.com>
References: <20230622235547.56485-1-yuxuan.luo@canonical.com>
From: Zixuan Fu

In btrfs_relocate_block_group(), the rc is allocated. Then btrfs_relocate_block_group() calls

relocate_block_group()
 prepare_to_relocate()
  set_reloc_control()

that assigns rc to the variable fs_info->reloc_ctl. When prepare_to_relocate() returns, it calls

btrfs_commit_transaction()
 btrfs_start_dirty_block_groups()
  btrfs_alloc_path()
   kmem_cache_zalloc()

which may fail for example (or other errors could happen).

When the failure occurs, btrfs_relocate_block_group() detects the error and frees rc and doesn't set fs_info->reloc_ctl to NULL. After that, in btrfs_init_reloc_root(), rc is retrieved from fs_info->reloc_ctl and then used, which may cause a use-after-free bug.

This possible bug can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag().

To fix this possible bug, in prepare_to_relocate(), check if btrfs_commit_transaction() fails. If the failure occurs, unset_reloc_control() is called to set fs_info->reloc_ctl to NULL.

The error log in our fault-injection testing is shown as follows:

[ 58.751070] BUG: KASAN: use-after-free in btrfs_init_reloc_root+0x7ca/0x920 [btrfs]
...
[ 58.753577] Call Trace:
...
[ 58.755800] kasan_report+0x45/0x60
[ 58.756066] btrfs_init_reloc_root+0x7ca/0x920 [btrfs]
[ 58.757304] record_root_in_trans+0x792/0xa10 [btrfs]
[ 58.757748] btrfs_record_root_in_trans+0x463/0x4f0 [btrfs]
[ 58.758231] start_transaction+0x896/0x2950 [btrfs]
[ 58.758661] btrfs_defrag_root+0x250/0xc00 [btrfs]
[ 58.759083] btrfs_ioctl_defrag+0x467/0xa00 [btrfs]
[ 58.759513] btrfs_ioctl+0x3c95/0x114e0 [btrfs]
...
[ 58.768510] Allocated by task 23683:
[ 58.768777] ____kasan_kmalloc+0xb5/0xf0
[ 58.769069] __kmalloc+0x227/0x3d0
[ 58.769325] alloc_reloc_control+0x10a/0x3d0 [btrfs]
[ 58.769755] btrfs_relocate_block_group+0x7aa/0x1e20 [btrfs]
[ 58.770228] btrfs_relocate_chunk+0xf1/0x760 [btrfs]
[ 58.770655] __btrfs_balance+0x1326/0x1f10 [btrfs]
[ 58.771071] btrfs_balance+0x3150/0x3d30 [btrfs]
[ 58.771472] btrfs_ioctl_balance+0xd84/0x1410 [btrfs]
[ 58.771902] btrfs_ioctl+0x4caa/0x114e0 [btrfs]
...
[ 58.773337] Freed by task 23683:
...
[ 58.774815] kfree+0xda/0x2b0
[ 58.775038] free_reloc_control+0x1d6/0x220 [btrfs]
[ 58.775465] btrfs_relocate_block_group+0x115c/0x1e20 [btrfs]
[ 58.775944] btrfs_relocate_chunk+0xf1/0x760 [btrfs]
[ 58.776369] __btrfs_balance+0x1326/0x1f10 [btrfs]
[ 58.776784] btrfs_balance+0x3150/0x3d30 [btrfs]
[ 58.777185] btrfs_ioctl_balance+0xd84/0x1410 [btrfs]
[ 58.777621] btrfs_ioctl+0x4caa/0x114e0 [btrfs]
...

Reported-by: TOTE Robot
CC: stable@vger.kernel.org # 5.15+
Reviewed-by: Sweet Tea Dorminy
Reviewed-by: Nikolay Borisov
Signed-off-by: Zixuan Fu
Signed-off-by: David Sterba
(cherry picked from commit 85f02d6c856b9f3a0acf5219de6e32f58b9778eb)
CVE-2023-3111
Signed-off-by: Yuxuan Luo
---
 fs/btrfs/relocation.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
index c196863420571..e603cc8c141e9 100644
--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -4102,7 +4102,12 @@ int prepare_to_relocate(struct reloc_control *rc) */ return PTR_ERR(trans); } - return btrfs_commit_transaction(trans); + + ret = btrfs_commit_transaction(trans); + if (ret) + unset_reloc_control(rc); + + return ret; } static noinline_for_stack int relocate_block_group(struct reloc_control *rc)
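Review bot: the hunk assigns `ret` without declaring it in the visible context, so the backport relies on the Focal prepare_to_relocate() already having a local `int ret`; please confirm with a Focal build, since a cherry-pick that applies cleanly can still miss that. The `if (ret) unset_reloc_control(rc);` pairing itself is right: it clears fs_info->reloc_ctl before the caller frees rc, which is the use-after-free path in the commit message's KASAN report; a one-line comment above it stating that fs_info->reloc_ctl must never outlive rc would document the invariant this CVE fix restores.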
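To make the ownership invariant behind CVE-2023-3111 concrete, here is an added, constructed C model (not btrfs code and not part of this series) of the two prepare_to_relocate() shapes described in the PATCH 2/2 message: the pre-fix one that leaves fs_info->reloc_ctl pointing at an rc the caller then frees, and the fixed one that clears it on the failure path. All function and field names other than the btrfs ones quoted in comments are invented for the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Toy model of the ownership bug (constructed for illustration, not kernel code). */
struct reloc_control { int block_group_id; };
struct fs_info { struct reloc_control *reloc_ctl; };

/* Stand-in for btrfs_commit_transaction(): fails on request, as in the fault-injection run. */
static int commit_transaction(bool inject_failure)
{
	return inject_failure ? -ENOMEM : 0;
}

/* Before the fix: the error is propagated, but fs->reloc_ctl still
 * points at rc, which the caller is about to free. */
static int prepare_before(struct fs_info *fs, struct reloc_control *rc, bool fail)
{
	fs->reloc_ctl = rc;               /* set_reloc_control() */
	return commit_transaction(fail);
}

/* After the fix: the failure path drops the global reference
 * (unset_reloc_control()) before the error reaches the caller. */
static int prepare_after(struct fs_info *fs, struct reloc_control *rc, bool fail)
{
	int ret;
	fs->reloc_ctl = rc;
	ret = commit_transaction(fail);
	if (ret)
		fs->reloc_ctl = NULL;
	return ret;
}

/* Caller modelled on btrfs_relocate_block_group(): allocate rc, prepare with an
 * injected commit failure, free rc on error. Returns true when a stale
 * fs->reloc_ctl survives the free (what btrfs_init_reloc_root() would later use). */
static bool relocation_leaves_stale_ref(bool with_fix)
{
	struct fs_info fs = { .reloc_ctl = NULL };
	struct reloc_control *rc = calloc(1, sizeof(*rc));
	int ret;
	if (!rc)
		return false;
	ret = with_fix ? prepare_after(&fs, rc, true) : prepare_before(&fs, rc, true);
	bool stale = ret != 0 && fs.reloc_ctl == rc;  /* checked before free */
	free(rc);                                     /* free_reloc_control() */
	return stale;
}
```

The pre-fix variant leaves a dangling reference behind every failed commit, the fixed variant never does; the same check applies to any global that caches a pointer whose lifetime is owned by a caller.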