From patchwork Fri Jun 2 08:20:01 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Omar Sandoval X-Patchwork-Id: 9761895 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id B1B54602BF for ; Fri, 2 Jun 2017 08:21:49 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A206527F89 for ; Fri, 2 Jun 2017 08:21:49 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9650A28536; Fri, 2 Jun 2017 08:21:49 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1597F27F89 for ; Fri, 2 Jun 2017 08:21:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751270AbdFBIVk (ORCPT ); Fri, 2 Jun 2017 04:21:40 -0400 Received: from mail-it0-f42.google.com ([209.85.214.42]:37699 "EHLO mail-it0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751138AbdFBIVg (ORCPT ); Fri, 2 Jun 2017 04:21:36 -0400 Received: by mail-it0-f42.google.com with SMTP id m47so10042866iti.0 for ; Fri, 02 Jun 2017 01:21:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=osandov-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id; bh=Dxj+Y/8/LUIukAVdTWUrIEI97VxAHlfvtBmAjJs/q1I=; b=TJUgYDe4PFDKPEvXVZRZUc1YjLbGu/RIBQc+oa545UXVGgQHiCxhhDIwyfbmY8ZlSN OtS9MuL+d86NAGQk/Mkg+QUESToN3KhbpjVqLOjdFQct08mpj1Rj35GMYSy1mRaH3/zy 6/k6pliQD13vVmm0ju+3tg89L6IVNjfsaHDjmAGVH19XUwnlEyUq9gtzwTPobMC9QfNA NXcfTu6Z9UxBTGiTpqaOmx5StxUFCSlEY4IeSgaOG/ZTx7uvtjddmhHomyOZ82PDwgQu ZjO+ZHRjfvM/3Z3aRXHzNeNSZq9jDY1VjS+qTvrPjvs8oFluS1zhVHpEnKlul5ovytqQ D4tw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=Dxj+Y/8/LUIukAVdTWUrIEI97VxAHlfvtBmAjJs/q1I=; b=pXuvcJ0evyMa3eCSKiAs8VttRvE1r2hA+YnRhOnj6OTDZQZ5zCgfX+Fbkrb8q1UGTP 2VONmvoY+aRqOl68Q/1VpHUJqNXh2xgGk4lOg2Yd8PnLd9C/TB76ClT8esEERl9WALKZ nTmcRWn7fD1SyCNgV3vSdX7Tb40krEOQZkYlvxwDQUcs0a3Uj/d4m+FIBx61JM+nELMo rcdMPDUu3gtXuPRBnEI/w6JRqfKyVpFVLM7sYU3yFuB6G3u77CwRtIudMyXS+gu2fAVb iBj1SXMNYFNgbJGP6wk5y0K+j+b5RRDVUmch3R8BF/OxKzH7nXmbGL8nDhi9/GDKTuV4 poMg== X-Gm-Message-State: AODbwcD7HTFIR9eZei0ZG7DDCongVbHb5nTIvhGpx9PnI9vvW4tUCSFf nBkQCgTkspPX5SjShLC+Vw== X-Received: by 10.101.83.195 with SMTP id z3mr5901640pgr.122.1496391617398; Fri, 02 Jun 2017 01:20:17 -0700 (PDT) Received: from localhost.localdomain ([2601:602:8801:8110:e6a7:a0ff:fe0b:c9a8]) by smtp.gmail.com with ESMTPSA id i71sm20291012pge.61.2017.06.02.01.20.16 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 02 Jun 2017 01:20:16 -0700 (PDT) From: Omar Sandoval To: linux-btrfs@vger.kernel.org, Chris Mason , Josef Bacik Cc: kernel-team@fb.com, stable@vger.kernel.org Subject: [PATCH] Btrfs: fix delalloc accounting leak caused by u32 overflow Date: Fri, 2 Jun 2017 01:20:01 -0700 Message-Id: <4d268ba97ee6511e4a8c42d39c64316d20eed9d0.1496391402.git.osandov@fb.com> X-Mailer: git-send-email 2.13.0 Sender: linux-btrfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-btrfs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Omar Sandoval btrfs_calc_trans_metadata_size() does an unsigned 32-bit multiplication, which can overflow if num_items >= 4 GB / (nodesize * BTRFS_MAX_LEVEL * 2). For a nodesize of 16kB, this overflow happens at 16k items. Usually, num_items is a small constant passed to btrfs_start_transaction(), but we also use btrfs_calc_trans_metadata_size() for metadata reservations for extent items in btrfs_delalloc_{reserve,release}_metadata(). In drop_outstanding_extents(), num_items is calculated as inode->reserved_extents - inode->outstanding_extents. The difference between these two counters is usually small, but if many delalloc extents are reserved and then the outstanding extents are merged in btrfs_merge_extent_hook(), the difference can become large enough to overflow in btrfs_calc_trans_metadata_size(). The overflow manifests itself as a leak of a multiple of 4 GB in delalloc_block_rsv and the metadata bytes_may_use counter. This in turn can cause early ENOSPC errors. Additionally, these WARN_ONs in extent-tree.c will be hit when unmounting: WARN_ON(fs_info->delalloc_block_rsv.size > 0); WARN_ON(fs_info->delalloc_block_rsv.reserved > 0); WARN_ON(space_info->bytes_pinned > 0 || space_info->bytes_reserved > 0 || space_info->bytes_may_use > 0); Fix it by casting nodesize to a u64 so that btrfs_calc_trans_metadata_size() does a full 64-bit multiplication. While we're here, do the same in btrfs_calc_trunc_metadata_size(); this can't overflow with any existing uses, but it's better to be safe here than have another hard-to-debug problem later on. Cc: stable@vger.kernel.org Signed-off-by: Omar Sandoval Reviewed-by: David Sterba --- fs/btrfs/ctree.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h index 643c70d2b2e6..4f8f75d9e839 100644 --- a/fs/btrfs/ctree.h +++ b/fs/btrfs/ctree.h @@ -2563,7 +2563,7 @@ u64 btrfs_csum_bytes_to_leaves(struct btrfs_fs_info *fs_info, u64 csum_bytes); static inline u64 btrfs_calc_trans_metadata_size(struct btrfs_fs_info *fs_info, unsigned num_items) { - return fs_info->nodesize * BTRFS_MAX_LEVEL * 2 * num_items; + return (u64)fs_info->nodesize * BTRFS_MAX_LEVEL * 2 * num_items; } /* @@ -2573,7 +2573,7 @@ static inline u64 btrfs_calc_trans_metadata_size(struct btrfs_fs_info *fs_info, static inline u64 btrfs_calc_trunc_metadata_size(struct btrfs_fs_info *fs_info, unsigned num_items) { - return fs_info->nodesize * BTRFS_MAX_LEVEL * num_items; + return (u64)fs_info->nodesize * BTRFS_MAX_LEVEL * num_items; } int btrfs_should_throttle_delayed_refs(struct btrfs_trans_handle *trans,