Remove btrfs module after a failed fallocate attempt will cause error on 4.4 i386

Bug #1822579 reported by Po-Hsu Lin on 2019-04-01
This bug affects 2 people
Affects: ubuntu-kernel-tests (Importance: Undecided, Assigned to: Unassigned)
Affects: linux (Ubuntu) (Importance: Undecided, Assigned to: Unassigned)
Affects: Xenial (Importance: Undecided, Assigned to: Andrea Righi)

Bug Description

SRU Justification:

[Impact]

 * If fallocate() fails on a btrfs subvolume when its qgroup quota limit is exceeded, a previously allocated extent map isn't correctly released, causing a memory leak from the pool btrfs_extent_map.

 * Fix by correctly deallocating the object in case of failure.

[Test Case]

 * https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1822579/+attachment/5252459/+files/btrfs-fallocate-test.sh

[Fix]

 * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=be2d253cc98244765323a7c94cc1ac5cd5a17072

Fix the memory leak by adding the proper free_extent_map() call to the failure path.

[Regression Potential]

 * This is an upstream fix, tested on the affected platform. The patch is really small and the backport changes are minimal. All the other Ubuntu releases already include this fix.

[Original bug report]
If one issues a rmmod (or modprobe -r) command after a failed fallocate attempt, it will cause an error with a call trace:

 =============================================================================
 BUG btrfs_extent_map (Not tainted): Objects remaining in btrfs_extent_map on kmem_cache_close()
 -----------------------------------------------------------------------------

 Disabling lock debugging due to kernel taint
 INFO: Slab 0xf7526fb0 objects=34 used=1 fp=0xf43fef78 flags=0x2800080
 CPU: 1 PID: 1608 Comm: rmmod Tainted: G B 4.4.0-143-generic #169-Ubuntu
 Hardware name: Dell Inc. PowerEdge R310/05XKKK, BIOS 1.11.0 09/18/2012
  c1b0d967 35a7d73c 00000286 f4ed9ddc c13c034f f7526fb0 f4ed9dfc f4ed9e70
  c11ccc42 c1a164b0 f7526fb0 00000022 00000001 f43fef78 02800080 656a624f
  20737463 616d6572 6e696e69 6e692067 72746220 655f7366 6e657478 616d5f74
 Call Trace:
  [<c13c034f>] dump_stack+0x58/0x79
  [<c11ccc42>] slab_err+0x82/0xa0
  [<c11d090d>] ? __kmalloc+0x22d/0x240
  [<c11ce550>] ? __free_slab+0xa0/0x130
  [<c11d0ba9>] ? free_partial+0xa9/0x1b0
  [<c11d0ba9>] ? free_partial+0xa9/0x1b0
  [<c11d0bce>] free_partial+0xce/0x1b0
  [<c11cf350>] ? __flush_cpu_slab+0x40/0x40
  [<c11d24e2>] __kmem_cache_shutdown+0x42/0x80
  [<c119e5e2>] kmem_cache_destroy+0x162/0x1e0
  [<f8dc0ac6>] extent_map_exit+0x16/0x20 [btrfs]
  [<f8e2ee20>] exit_btrfs_fs+0x26/0x206 [btrfs]
  [<c10fd19f>] SyS_delete_module+0x1af/0x200
  [<c11edbad>] ? ____fput+0xd/0x10
  [<c109062f>] ? task_work_run+0x8f/0xa0
  [<c10031f6>] ? exit_to_usermode_loop+0xb6/0xe0
  [<c10038af>] do_fast_syscall_32+0x9f/0x160
  [<c17e63f0>] sysenter_past_esp+0x3d/0x61
 INFO: Object 0xf43fe078 @offset=120
 kmem_cache_destroy btrfs_extent_map: Slab cache still has objects
 CPU: 1 PID: 1608 Comm: rmmod Tainted: G B 4.4.0-143-generic #169-Ubuntu
 Hardware name: Dell Inc. PowerEdge R310/05XKKK, BIOS 1.11.0 09/18/2012
  c1b0d967 35a7d73c 00000286 f4ed9ed4 c13c034f ef34f600 ef34f674 f4ed9f0c
  c119e630 c1a14d18 f55f3220 f4ed9f04 000d96ab f4ed9eec f4ed9eec f4ed9ef4
  f4ed9ef4 35a7d73c 022ffd44 f8e46880 f4ed8000 f4ed9f14 f8dc0ac6 f4ed9f1c
 Call Trace:
  [<c13c034f>] dump_stack+0x58/0x79
  [<c119e630>] kmem_cache_destroy+0x1b0/0x1e0
  [<f8dc0ac6>] extent_map_exit+0x16/0x20 [btrfs]
  [<f8e2ee20>] exit_btrfs_fs+0x26/0x206 [btrfs]
  [<c10fd19f>] SyS_delete_module+0x1af/0x200
  [<c11edbad>] ? ____fput+0xd/0x10
  [<c109062f>] ? task_work_run+0x8f/0xa0
  [<c10031f6>] ? exit_to_usermode_loop+0xb6/0xe0
  [<c10038af>] do_fast_syscall_32+0x9f/0x160
  [<c17e63f0>] sysenter_past_esp+0x3d/0x61

Steps to reproduce this:

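TMP=/tmp
MNT=/tmp/mnt
mkdir -p "$MNT"

# Back a loop device with a 512M sparse image
TMPIMG0=$TMP/test0.img
DEV0=$(losetup -f)

truncate --size 512M "$TMPIMG0"
losetup "$DEV0" "$TMPIMG0"

mkfs.btrfs -f "$DEV0" > /dev/null 2>&1
mount "$DEV0" "$MNT"

# Limit the subvolume's qgroup to 10M
btrfs quota enable "$MNT"
btrfs sub create "$MNT/subv"
btrfs qgroup limit 10M "$MNT/subv"

# 20M exceeds the 10M limit, so this fallocate is expected to fail
fallocate --length 20M "$MNT/subv/data"

# The module can only be unloaded once no btrfs filesystem is mounted
umount "$MNT"
losetup -d "$DEV0"
rmmod btrfs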

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: linux-image-4.4.0-143-generic 4.4.0-143.169
ProcVersionSignature: User Name 4.4.0-143.169-generic 4.4.170
Uname: Linux 4.4.0-143-generic i686
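
The leak described under [Impact] and the shape of the fix, as a userspace C model added here for illustration (not the kernel's code or the upstream patch). Only free_extent_map() is a name taken from the page; get_extent(), reserve(), model_fallocate(), cache_destroy() and the numeric limits are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model with hypothetical names, not kernel code. */
struct extent_map { int refs; };
static int live_objects;   /* stands in for the cache's in-use object count */

static struct extent_map *get_extent(void) {   /* lookup returns a referenced object */
    struct extent_map *em = calloc(1, sizeof(*em));
    if (em) { em->refs = 1; live_objects++; }
    return em;
}
static void free_extent_map(struct extent_map *em) {   /* drop one reference */
    if (em && --em->refs == 0) { live_objects--; free(em); }
}
static int reserve(long *used, long limit, long len) {  /* models the qgroup limit */
    if (*used + len > limit) return -1;
    *used += len;
    return 0;
}
/* Preallocate [0, length) chunk by chunk; fixed=0 keeps the leaking failure path. */
static int model_fallocate(long length, long chunk, long limit, int fixed) {
    long used = 0, off;
    int ret = 0;
    for (off = 0; off < length; off += chunk) {
        struct extent_map *em = get_extent();
        if (!em) { ret = -1; break; }
        ret = reserve(&used, limit, chunk);
        if (ret < 0) {
            if (fixed) free_extent_map(em);  /* release missing from the failure path */
            break;
        }
        free_extent_map(em);                 /* success path always released it */
    }
    return ret;
}
/* Analogue of the teardown check: how many objects are still allocated? */
static int cache_destroy(void) {
    int remaining = live_objects;
    live_objects = 0;
    return remaining;
}
int main(void) {
    int ret = model_fallocate(20, 1, 10, 0);
    printf("leaky: ret=%d remaining=%d\n", ret, cache_destroy());
    ret = model_fallocate(20, 1, 10, 1);
    printf("fixed: ret=%d remaining=%d\n", ret, cache_destroy());
    return 0;
}
```

In the model, the object left behind by the failed call is only noticed at teardown, which mirrors why the report surfaces at rmmod time rather than when fallocate fails.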

Po-Hsu Lin (cypressyew) wrote :

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
Changed in linux (Ubuntu Xenial):
status: New → Confirmed
Andrea Righi (arighi) on 2019-04-03
Changed in ubuntu-kernel-tests:
assignee: nobody → Andrea Righi (arighi)
assignee: Andrea Righi (arighi) → nobody
Changed in linux (Ubuntu Xenial):
assignee: nobody → Andrea Righi (arighi)
Andrea Righi (arighi) wrote :

Adding a test case script to reproduce the bug.

Andrea Righi (arighi) wrote :

This problem is fixed by https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=be2d253cc98244765323a7c94cc1ac5cd5a17072. Only Xenial seems to be affected. I'll post an SRU soon.

Andrea Righi (arighi) on 2019-04-03
description: updated
tags: added: patch
Changed in linux (Ubuntu Xenial):
status: Confirmed → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Andrea Righi (arighi) on 2019-04-29
tags: added: verification-done-xenial
removed: verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-148.174

---------------
linux (4.4.0-148.174) xenial; urgency=medium

  * CVE-2018-12126 // CVE-2018-12127 // CVE-2018-12130
    - Documentation/l1tf: Fix small spelling typo
    - perf/x86/intel: Add model number for Skylake Server to perf
    - perf/x86: Add model numbers for Kabylake CPUs
    - perf/x86/intel: Use Intel family macros for core perf events
    - perf/x86/msr: Use Intel family macros for MSR events code
    - perf/x86/msr: Add missing Intel models
    - SAUCE: perf/x86/{cstate,rapl,uncore}: Use Intel Model name macros
    - perf/x86/msr: Add missing CPU IDs
    - x86/speculation: Simplify the CPU bug detection logic
    - x86/cpu: Sanitize FAM6_ATOM naming
    - kvm: x86: Report STIBP on GET_SUPPORTED_CPUID
    - bitops: avoid integer overflow in GENMASK(_ULL)
    - locking/atomics, asm-generic: Move some macros from <linux/bitops.h> to a
      new <linux/bits.h> file
    - tools include: Adopt linux/bits.h
    - x86/msr-index: Cleanup bit defines
    - x86/speculation: Consolidate CPU whitelists
    - x86/speculation/mds: Add basic bug infrastructure for MDS
    - x86/speculation/mds: Add BUG_MSBDS_ONLY
    - x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests
    - x86/speculation/mds: Add mds_clear_cpu_buffers()
    - locking/static_keys: Provide DECLARE and well as DEFINE macros
    - x86/speculation/mds: Clear CPU buffers on exit to user
    - x86/kvm/vmx: Add MDS protection when L1D Flush is not active
    - x86/speculation/mds: Conditionally clear CPU buffers on idle entry
    - SAUCE: sched/smt: Introduce sched_smt_{active,present}
    - SAUCE: Rename the Ubuntu-only spec_ctrl_mutex mutex
    - SAUCE: x86/speculation: Introduce arch_smt_update()
    - x86/speculation: Rework SMT state change
    - x86/speculation: Reorder the spec_v2 code
    - x86/speculation: Unify conditional spectre v2 print functions
    - x86/speculation/mds: Add mitigation control for MDS
    - x86/speculation/mds: Add sysfs reporting for MDS
    - x86/speculation/mds: Add mitigation mode VMWERV
    - Documentation: Move L1TF to separate directory
    - Documentation: Add MDS vulnerability documentation
    - x86/speculation/mds: Add mds=full,nosmt cmdline option
    - x86/speculation: Move arch_smt_update() call to after mitigation decisions
    - x86/speculation/mds: Add SMT warning message
    - x86/speculation/mds: Fix comment
    - x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off
    - x86/speculation/mds: Add 'mitigations=' support for MDS

  * CVE-2017-5715 // CVE-2017-5753
    - s390/speculation: Support 'mitigations=' cmdline option

  * CVE-2017-5715 // CVE-2017-5753 // CVE-2017-5754 // CVE-2018-3639
    - powerpc/speculation: Support 'mitigations=' cmdline option

  * CVE-2017-5715 // CVE-2017-5754 // CVE-2018-3620 // CVE-2018-3639 //
    CVE-2018-3646
    - cpu/speculation: Add 'mitigations=' cmdline option
    - x86/speculation: Support 'mitigations=' cmdline option

  * Packaging resync (LP: #1786013)
    - [Packaging] resync git-ubuntu-log

linux (4.4.0-147.173) xenial; urgency=medium

  * linux: 4.4.0-147.173 -proposed tracker (LP: #1826036)

  * Packaging resync...


Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released