Message ID | 20231110114806.3366681-1-lizhi.xu@windriver.com |
---|---|
State | New |
Headers |
From: Lizhi Xu <lizhi.xu@windriver.com>
To: syzbot+4d81015bc10889fd12ea@syzkaller.appspotmail.com
Cc: boris@bur.io, clm@fb.com, dsterba@suse.com, josef@toxicpanda.com, linux-btrfs@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: [PATCH] btrfs: fix warning in create_pending_snapshot
Date: Fri, 10 Nov 2023 19:48:06 +0800
Message-ID: <20231110114806.3366681-1-lizhi.xu@windriver.com>
In-Reply-To: <0000000000001959d30609bb5d94@google.com>
X-Mailer: git-send-email 2.25.1 |
Series |
btrfs: fix warning in create_pending_snapshot
|
|
Commit Message
Lizhi Xu
Nov. 10, 2023, 11:48 a.m. UTC
r0 = open(&(0x7f0000000080)='./file0\x00', 0x0, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(r0, 0xc0109428, &(0x7f0000000000)={0x1})
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000100)='blkio.bfq.time_recursive\x00', 0x275a, 0x0)
ioctl$BTRFS_IOC_QGROUP_CREATE(r1, 0x4010942a, &(0x7f0000000640)={0x1, 0x100})
r2 = openat(0xffffffffffffff9c, &(0x7f0000000500)='.\x00', 0x0, 0x0)
ioctl$BTRFS_IOC_SNAP_CREATE(r0, 0x50009401, &(0x7f0000000a80)={{r2},
From the logs, it can be seen that syz can execute to btrfs_ioctl_qgroup_create()
through two paths.
Syz enters btrfs_ioctl_qgroup_create() by calling ioctl$BTRFS_IOC_QGROUP_CREATE(
r1, 0x4010942a, &(0x7f0000000640)={0x1, 0x100}) or ioctl$BTRFS_IOC_SNAP_CREATE(r0,
0x50009401, &(0x7f0000000a80)={r2}), respectively.
The most crucial thing is that when calling ioctl$BTRFS_IOC_QGROUP_CREATE,
the passed parameter qgroupid value is 256, while BTRFS_FIRST_FREE_OBJECTID
is also equal to 256, indicating that the passed parameter qgroupid is
obviously incorrect.
Reported-and-tested-by: syzbot+4d81015bc10889fd12ea@syzkaller.appspotmail.com
Fixes: 6ed05643ddb1 ("btrfs: create qgroup earlier in snapshot creation")
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
fs/btrfs/ioctl.c | 5 +++++
1 file changed, 5 insertions(+)
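The ioctl sequence from the syzkaller program in the commit message, carried over into a stand-alone C reproducer. This is an added example, not part of the patch or of the kernel tree. It assumes a freshly created, empty btrfs filesystem mounted at the path given on the command line and is run as root; the request numbers are the ones the syz program passes, the three struct layouts mirror the uapi structs in linux/btrfs.h, and patch_rejects() and snapshot_collides() are helper names chosen here to contrast the check the patch adds with the condition under which a new snapshot actually collides with an existing qgroup.

```c
/* Added example, not from the patch or the kernel: replays the syz ioctl
 * sequence against an empty btrfs mount and models the two conditions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Request numbers as issued by the syz program; they decode to
 * _IOWR(0x94, 40, ...), _IOW(0x94, 42, ...) and _IOW(0x94, 1, ...). */
#define IOC_QUOTA_CTL     0xc0109428UL
#define IOC_QGROUP_CREATE 0x4010942aUL
#define IOC_SNAP_CREATE   0x50009401UL

/* Layouts mirror the uapi structs (16, 16 and 4096 bytes, matching the
 * size fields encoded in the request numbers above). */
struct quota_ctl_args     { uint64_t cmd; uint64_t status; };
struct qgroup_create_args { uint64_t create; uint64_t qgroupid; };
struct vol_args           { int64_t fd; char name[4088]; };

#define QUOTA_CTL_ENABLE    1ULL
#define QGROUP_LEVEL_SHIFT  48      /* btrfs qgroup id = (level << 48) | subvolid */
#define FIRST_FREE_OBJECTID 256ULL  /* BTRFS_FIRST_FREE_OBJECTID */

static inline uint64_t qgroup_level(uint64_t id)    { return id >> QGROUP_LEVEL_SHIFT; }
static inline uint64_t qgroup_subvolid(uint64_t id) { return id & ((1ULL << QGROUP_LEVEL_SHIFT) - 1); }

/* The check the patch adds to btrfs_ioctl_qgroup_create(): only the single
 * value 256 is refused (helper name chosen for this example). */
int patch_rejects(uint64_t create, uint64_t qgroupid)
{
    return create && qgroupid == FIRST_FREE_OBJECTID;
}

/* What actually makes snapshot creation collide: a level-0 qgroup already
 * exists for the root id the new snapshot is about to be given. */
int snapshot_collides(uint64_t existing_qgroupid, uint64_t next_root_id)
{
    return qgroup_level(existing_qgroupid) == 0 &&
           qgroup_subvolid(existing_qgroupid) == next_root_id;
}

static int xioctl(int fd, unsigned long req, void *arg, const char *what)
{
    if (ioctl(fd, req, arg) < 0) {
        fprintf(stderr, "%s: %s\n", what, strerror(errno));
        return -1;
    }
    printf("%s: ok\n", what);
    return 0;
}

/* Usage: ./repro /mnt/btrfs   (freshly mkfs'd, empty, mounted; run as root).
 * On an empty filesystem the first subvolume created gets id 256, which is
 * why qgroup 0/256 is the one the syz program creates. */
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <btrfs mount>\n", argv[0]); return 2; }
    int dir = open(argv[1], O_RDONLY | O_DIRECTORY);
    if (dir < 0) { perror("open"); return 1; }

    struct quota_ctl_args qc = { .cmd = QUOTA_CTL_ENABLE };
    if (xioctl(dir, IOC_QUOTA_CTL, &qc, "BTRFS_IOC_QUOTA_CTL(enable)")) return 1;

    /* Same argument the syz program passes: create=1, qgroupid=0x100 -> 0/256. */
    struct qgroup_create_args qg = { .create = 1, .qgroupid = 0x100 };
    if (xioctl(dir, IOC_QGROUP_CREATE, &qg, "BTRFS_IOC_QGROUP_CREATE(0/256)")) return 1;

    /* Snapshot the top-level subvolume into itself as "snap": the new root
     * gets id 256 and now clashes with the qgroup created above. */
    struct vol_args va = { .fd = dir };
    snprintf(va.name, sizeof(va.name), "snap");
    int ret = xioctl(dir, IOC_SNAP_CREATE, &va, "BTRFS_IOC_SNAP_CREATE(snap)");
    close(dir);
    return ret ? 1 : 0;
}
```

The two pure helpers make the reviewer's objection concrete: patch_rejects() refuses only qgroupid 256, while snapshot_collides() is true for any level-0 qgroup whose subvolume id equals the id the next snapshot root receives, so a qgroup created as 0/257 on a filesystem whose next root id is 257 passes the patch's check and collides just the same.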
Comments
On 2023/11/10 22:18, Lizhi Xu wrote:
> r0 = open(&(0x7f0000000080)='./file0\x00', 0x0, 0x0)
> ioctl$BTRFS_IOC_QUOTA_CTL(r0, 0xc0109428, &(0x7f0000000000)={0x1})
> r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000100)='blkio.bfq.time_recursive\x00', 0x275a, 0x0)
> ioctl$BTRFS_IOC_QGROUP_CREATE(r1, 0x4010942a, &(0x7f0000000640)={0x1, 0x100})
> r2 = openat(0xffffffffffffff9c, &(0x7f0000000500)='.\x00', 0x0, 0x0)
> ioctl$BTRFS_IOC_SNAP_CREATE(r0, 0x50009401, &(0x7f0000000a80)={{r2},
>
> From the logs, it can be seen that syz can execute to btrfs_ioctl_qgroup_create()
> through two paths.
> Syz enters btrfs_ioctl_qgroup_create() by calling ioctl$BTRFS_IOC_QGROUP_CREATE(
> r1, 0x4010942a, &(0x7f0000000640)={0x1, 0x100}) or ioctl$BTRFS_IOC_SNAP_CREATE(r0,
> 0x50009401, &(0x7f0000000a80)={r2}), respectively.
>
> The most crucial thing is that when calling ioctl$BTRFS_IOC_QGROUP_CREATE,
> the passed parameter qgroupid value is 256, while BTRFS_FIRST_FREE_OBJECTID
> is also equal to 256, indicating that the passed parameter qgroupid is
> obviously incorrect.

This conclusion looks incorrect to me.

Subvolumes are allowed to have any id in the range [BTRFS_FIRST_TREE_OBJECTID, BTRFS_LAST_TREE_OBJECTID].

In fact, you can easily create a subvolume with 256 as its subvolume id.
Just create an empty fs, and create a new subvolume in it, then you get:

	item 11 key (256 ROOT_ITEM 0) itemoff 12961 itemsize 439
		generation 7 root_dirid 256 bytenr 30441472 byte_limit 0 bytes_used 16384
...

So it's completely valid.

The root cause is just snapshot creation conflicts with an existing qgroup.

Thanks,
Qu

>
> Reported-and-tested-by: syzbot+4d81015bc10889fd12ea@syzkaller.appspotmail.com
> Fixes: 6ed05643ddb1 ("btrfs: create qgroup earlier in snapshot creation")
> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
> ---
> fs/btrfs/ioctl.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
> index 752acff2c734..21cf7a7f18ab 100644
> --- a/fs/btrfs/ioctl.c > +++ b/fs/btrfs/ioctl.c > @@ -3799,6 +3799,11 @@ static long btrfs_ioctl_qgroup_create(struct file *file, void __user *arg) > goto out; > } > > + if (sa->create && sa->qgroupid == BTRFS_FIRST_FREE_OBJECTID) { > + ret = -EINVAL; > + goto out; > + } > + > trans = btrfs_join_transaction(root); > if (IS_ERR(trans)) { > ret = PTR_ERR(trans);
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 752acff2c734..21cf7a7f18ab 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -3799,6 +3799,11 @@ static long btrfs_ioctl_qgroup_create(struct file *file, void __user *arg) goto out; } + if (sa->create && sa->qgroupid == BTRFS_FIRST_FREE_OBJECTID) { + ret = -EINVAL; + goto out; + } + trans = btrfs_join_transaction(root); if (IS_ERR(trans)) { ret = PTR_ERR(trans);
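Review bot: the new `if (sa->create && sa->qgroupid == BTRFS_FIRST_FREE_OBJECTID)` block placed before btrfs_join_transaction() rejects a legitimate id: as Qu's reply on this thread shows, the first subvolume created on an empty filesystem gets root id 256, so after this patch a user can no longer create qgroup 0/256 for a subvolume that really exists, while the warning in create_pending_snapshot is only avoided for that one value. The same collision happens for any level-0 qgroup created ahead of a not-yet-allocated root id that a later snapshot is then assigned, so testing for the single constant 256 neither covers the bug nor describes it. Since the Fixes tag names 6ed05643ddb1, which moved qgroup creation into snapshot creation, the conflict should be handled at that call site (treat an already existing qgroup for the new root id as the condition to report or tolerate) rather than in btrfs_ioctl_qgroup_create(). If an argument check stays here at all, it needs a comment saying why the value is refused; the hunk adds none.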