From patchwork Wed May 3 01:50:14 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Su Yue X-Patchwork-Id: 9708721 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 380C460351 for ; Wed, 3 May 2017 01:49:33 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1F5BD285F2 for ; Wed, 3 May 2017 01:49:33 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 12A04285F8; Wed, 3 May 2017 01:49:33 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 171C7285F2 for ; Wed, 3 May 2017 01:49:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751604AbdECBsk (ORCPT ); Tue, 2 May 2017 21:48:40 -0400 Received: from cn.fujitsu.com ([59.151.112.132]:18074 "EHLO heian.cn.fujitsu.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1751562AbdECBsj (ORCPT ); Tue, 2 May 2017 21:48:39 -0400 X-IronPort-AV: E=Sophos;i="5.22,518,1449504000"; d="scan'208";a="18398449" Received: from unknown (HELO cn.fujitsu.com) ([10.167.33.5]) by heian.cn.fujitsu.com with ESMTP; 03 May 2017 09:48:36 +0800 Received: from G08CNEXCHPEKD01.g08.fujitsu.local (unknown [10.167.33.80]) by cn.fujitsu.com (Postfix) with ESMTP id C4F4447E6349 for ; Wed, 3 May 2017 09:48:33 +0800 (CST) Received: from localhost.localdomain (10.167.226.129) by G08CNEXCHPEKD01.g08.fujitsu.local (10.167.33.89) with Microsoft SMTP Server (TLS) id 14.3.319.2; Wed, 3 May 2017 09:48:31 +0800 From: Su Yue To: Subject: [PATCH] btrfs-progs: check: Fix heap use after free. Date: Wed, 3 May 2017 09:50:14 +0800 Message-ID: <20170503015014.2221-1-suy.fnst@cn.fujitsu.com> X-Mailer: git-send-email 2.12.2 MIME-Version: 1.0 X-Originating-IP: [10.167.226.129] X-yoursite-MailScanner-ID: C4F4447E6349.AAD8F X-yoursite-MailScanner: Found to be clean X-yoursite-MailScanner-From: suy.fnst@cn.fujitsu.com Sender: linux-btrfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-btrfs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP fsck/004-no-dir-index makes valgrinds complaining about Invalid read. ==31890== Invalid read of size 1 ==31890== at 0x453D09: repair_inode_backrefs (cmds-check.c:2690) ==31890== by 0x453D09: check_inode_recs (cmds-check.c:3330) ==31890== by 0x453D09: check_fs_root (cmds-check.c:4012) ==31890== by 0x45E788: check_fs_roots (cmds-check.c:4098) ==31890== by 0x45E788: cmd_check (cmds-check.c:13031) ==31890== by 0x40A88A: main (btrfs.c:246) ==31890== Address 0x5cb7b90 is 16 bytes inside a block of size 50 free'd ==31890== at 0x4C2C14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==31890== by 0x453D08: repair_inode_backrefs (cmds-check.c:2684) ==31890== by 0x453D08: check_inode_recs (cmds-check.c:3330) ==31890== by 0x453D08: check_fs_root (cmds-check.c:4012) ==31890== by 0x45E788: check_fs_roots (cmds-check.c:4098) ==31890== by 0x45E788: cmd_check (cmds-check.c:13031) ==31890== by 0x40A88A: main (btrfs.c:246) ==31890== Block was alloc'd at ==31890== at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==31890== by 0x45055C: get_inode_backref (cmds-check.c:1075) ==31890== by 0x45055C: add_inode_backref (cmds-check.c:1097) ==31890== by 0x45180C: process_dir_item (cmds-check.c:1525) ==31890== by 0x45180C: process_one_leaf (cmds-check.c:1838) ==31890== by 0x45180C: walk_down_tree (cmds-check.c:2134) ==31890== by 0x45180C: check_fs_root (cmds-check.c:3957) ==31890== by 0x45E788: check_fs_roots (cmds-check.c:4098) ==31890== by 0x45E788: cmd_check (cmds-check.c:13031) ==31890== by 0x40A88A: main (btrfs.c:246) ==31890== ==31890== Invalid read of size 8 ==31890== at 0x452D66: repair_inode_backrefs (cmds-check.c:2731) ==31890== by 0x452D66: check_inode_recs (cmds-check.c:3330) ==31890== by 0x452D66: check_fs_root (cmds-check.c:4012) ==31890== by 0x45E788: check_fs_roots (cmds-check.c:4098) ==31890== by 0x45E788: cmd_check (cmds-check.c:13031) ==31890== by 0x40A88A: main (btrfs.c:246) ==31890== Address 0x5cb7b90 is 16 bytes inside a block of size 50 free'd ==31890== at 0x4C2C14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==31890== by 0x453D08: repair_inode_backrefs (cmds-check.c:2684) ==31890== by 0x453D08: check_inode_recs (cmds-check.c:3330) ==31890== by 0x453D08: check_fs_root (cmds-check.c:4012) ==31890== by 0x45E788: check_fs_roots (cmds-check.c:4098) ==31890== by 0x45E788: cmd_check (cmds-check.c:13031) ==31890== by 0x40A88A: main (btrfs.c:246) ==31890== Block was alloc'd at ==31890== at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==31890== by 0x45055C: get_inode_backref (cmds-check.c:1075) ==31890== by 0x45055C: add_inode_backref (cmds-check.c:1097) ==31890== by 0x45180C: process_dir_item (cmds-check.c:1525) ==31890== by 0x45180C: process_one_leaf (cmds-check.c:1838) ==31890== by 0x45180C: walk_down_tree (cmds-check.c:2134) ==31890== by 0x45180C: check_fs_root (cmds-check.c:3957) ==31890== by 0x45E788: check_fs_roots (cmds-check.c:4098) ==31890== by 0x45E788: cmd_check (cmds-check.c:13031) ==31890== by 0x40A88A: main (btrfs.c:246) ==31890== While iterating over backrefs in repair_inode_backrefs, there are several situations to repair one backref according backref->found_dir_item and backref->found_dir_index. Two of these branches may free the backref, but next judgments will still access the freed memory. Because these branches are independent, let repair_inode_backrefs skip to handle next backref after free can fix it. Signed-off-by: Su Yue --- cmds-check.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cmds-check.c b/cmds-check.c index 897b1587..e52fbb84 100644 --- a/cmds-check.c +++ b/cmds-check.c @@ -2666,6 +2666,7 @@ static int repair_inode_backrefs(struct btrfs_root *root, repaired++; list_del(&backref->list); free(backref); + continue; } if (!delete && !backref->found_dir_index && @@ -2676,12 +2677,12 @@ static int repair_inode_backrefs(struct btrfs_root *root, break; repaired++; if (backref->found_dir_item && - backref->found_dir_index && backref->found_dir_index) { if (!backref->errors && backref->found_inode_ref) { list_del(&backref->list); free(backref); + continue; } } }