• Anand Jain's avatar
    btrfs: dev-replace: fail mount if we don't have replace item with target device · cf89af14
    Anand Jain authored
    If there is a device BTRFS_DEV_REPLACE_DEVID without the device replace
    item, then it means the filesystem is inconsistent state. This is either
    corruption or a crafted image.  Fail the mount as this needs a closer
    look what is actually wrong.
    
    As of now if BTRFS_DEV_REPLACE_DEVID is present without the replace
    item, in __btrfs_free_extra_devids() we determine that there is an
    extra device, and free those extra devices but continue to mount the
    device.
    However, we were wrong in keeping tack of the rw_devices so the syzbot
    testcase failed:
    
      WARNING: CPU: 1 PID: 3612 at fs/btrfs/volumes.c:1166 close_fs_devices.part.0+0x607/0x800 fs/btrfs/volumes.c:1166
      Kernel panic - not syncing: panic_on_warn set ...
      CPU: 1 PID: 3612 Comm: syz-executor.2 Not tainted 5.9.0-rc4-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x198/0x1fd lib/dump_stack.c:118
       panic+0x347/0x7c0 kernel/panic.c:231
       __warn.cold+0x20/0x46 kernel/panic.c:600
       report_bug+0x1bd/0x210 lib/bug.c:198
       handle_bug+0x38/0x90 arch/x86/kernel/traps.c:234
       exc_invalid_op+0x14/0x40 arch/x86/kernel/traps.c:254
       asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536
      RIP: 0010:close_fs_devices.part.0+0x607/0x800 fs/btrfs/volumes.c:1166
      RSP: 0018:ffffc900091777e0 EFLAGS: 00010246
      RAX: 0000000000040000 RBX: ffffffffffffffff RCX: ffffc9000c8b7000
      RDX: 0000000000040000 RSI: ffffffff83097f47 RDI: 0000000000000007
      RBP: dffffc0000000000 R08: 0000000000000001 R09: ffff8880988a187f
      R10: 0000000000000000 R11: 0000000000000001 R12: ffff88809593a130
      R13: ffff88809593a1ec R14: ffff8880988a1908 R15: ffff88809593a050
       close_fs_devices fs/btrfs/volumes.c:1193 [inline]
       btrfs_close_devices+0x95/0x1f0 fs/btrfs/volumes.c:1179
       open_ctree+0x4984/0x4a2d fs/btrfs/disk-io.c:3434
       btrfs_fill_super fs/btrfs/super.c:1316 [inline]
       btrfs_mount_root.cold+0x14/0x165 fs/btrfs/super.c:1672
    
    The fix here is, when we determine that there isn't a replace item
    then fail the mount if there is a replace target device (devid 0).
    
    CC: stable@vger.kernel.org # 4.19+
    Reported-by: syzbot+4cfe71a4da060be47502@syzkaller.appspotmail.com
    Signed-off-by: default avatarAnand Jain <anand.jain@oracle.com>
    Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
    Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
    cf89af14
dev-replace.c 34.2 KB