Bug 603620

Summary: mkfs.btrfs fails on 3 TB partition
Product: [openSUSE] openSUSE 11.3
Reporter: Arvin Schnell <aschnell>
Component: Basesystem
Assignee: Dirk Mueller <dmueller>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Critical
Priority: P5 - None
CC: jeffm
Version: Milestone 6
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments:
  gdb backtrace
  btrfsprogs: Fix use after free in close_ctree

Description Arvin Schnell 2010-05-07 08:34:41 UTC
mkfs.btrfs fails on 3 TB partition with a seg. fault.
Comment 1 Arvin Schnell 2010-05-07 08:35:13 UTC
Created attachment 360346 [details]
gdb backtrace
Comment 2 Dirk Mueller 2010-05-10 13:50:03 UTC
it essentially crashes on all creation requests with this valgrind: 

==13042== Invalid read of size 8
==13042==    at 0x407781: close_ctree (disk-io.c:974)
==13042==    by 0x417E4E: main (mkfs.c:531)
==13042==  Address 0x5998b00 is 272 bytes inside a block of size 400 free'd
==13042==    at 0x4C25F7B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==13042==    by 0x406B66: btrfs_free_fs_root (disk-io.c:456)
==13042==    by 0x407719: close_ctree (disk-io.c:471)
==13042==    by 0x417E4E: main (mkfs.c:531)
==13042== 

which is introduced by 0003-btrfsck-check-root-back-forward-references.patch
Comment 3 Dirk Mueller 2010-05-10 14:03:17 UTC
correction, the problem is not introduced by 0003-btrfsck-check-root-back-forward-references.patch
Comment 4 Jeff Mahoney 2010-05-24 13:58:50 UTC
Created attachment 364153 [details]
btrfsprogs: Fix use after free in close_ctree

 After the roots are closed, root is freed. Yet close_ctree continues
 to use it. It works generally because no new memory is allocated in
 the interim, but with glibc malloc perturbing enabled, it crashes
 every time. This is because root->fs_info points to garbage.

 This patch uses the already-cached fs_info variable for the rest of
 the accesses and fixes the crash.


Signed-off-by: Jeff Mahoney <jeffm@suse.com>
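As an added illustration, not code from the attached patch or from btrfsprogs, the following is a minimal hypothetical model of the teardown ordering the patch describes: `fs_info` is cached before any root is released and `root` is never dereferenced again afterwards. The structure names, `open_ctree_demo` and `close_ctree_fixed` are simplified stand-ins; the free wrapper scribbles the block the way glibc's MALLOC_PERTURB_ does, which is what turned the silent use after free into a crash every time.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal stand-ins for the btrfsprogs structures; only the
 * fs_info back-pointer matters for this bug. */
struct btrfs_fs_info;
struct btrfs_root { struct btrfs_fs_info *fs_info; };
struct btrfs_fs_info { struct btrfs_root *tree_root, *fs_root; };

/* Scribble the block before free(), mimicking glibc's MALLOC_PERTURB_: that
 * is why the original use after free crashed every time instead of "working". */
static void btrfs_free_fs_root(struct btrfs_root *root)
{
    memset(root, 0xa5, sizeof(*root));
    free(root);
}

/* Builds an fs_info with two roots and returns tree_root, as open_ctree does. */
static struct btrfs_root *open_ctree_demo(void)
{
    struct btrfs_fs_info *fs_info = calloc(1, sizeof(*fs_info));
    struct btrfs_root *tree = calloc(1, sizeof(*tree));
    struct btrfs_root *fs = calloc(1, sizeof(*fs));
    if (!fs_info || !tree || !fs) {
        free(fs_info); free(tree); free(fs);
        return NULL;
    }
    tree->fs_info = fs->fs_info = fs_info;
    fs_info->tree_root = tree;
    fs_info->fs_root = fs;
    return tree;
}

/* Fixed teardown: cache fs_info once, before any root is released, and use
 * only the cached pointer afterwards. The buggy version re-read
 * root->fs_info after tree_root (i.e. `root` itself) had been freed.
 * Returns the number of roots released so a caller can check it. */
static int close_ctree_fixed(struct btrfs_root *root)
{
    struct btrfs_fs_info *fs_info = root->fs_info;   /* cache first */
    int released = 0;
    btrfs_free_fs_root(fs_info->fs_root);   released++;
    btrfs_free_fs_root(fs_info->tree_root); released++;   /* `root` now dangles */
    free(fs_info);                                        /* via the cache only */
    return released;
}
```

Running the original shape of the function under valgrind or with MALLOC_PERTURB_ set is how the dangling read shows up; the fixed shape has no access through `root` after it is freed.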
Comment 5 Dirk Mueller 2010-05-26 15:14:43 UTC
added to the package, thanks a lot!

did you submit this already upstream?
Comment 6 Jeff Mahoney 2010-05-26 15:41:13 UTC
Thanks for the reminder. Submitted just now.

http://thread.gmane.org/gmane.comp.file-systems.btrfs/5708
Comment 7 Dirk Mueller 2010-05-27 09:50:08 UTC
thanks. closing as fixed.
Comment 8 Bernhard Wiedemann 2016-04-15 11:43:03 UTC
This is an autogenerated message for OBS integration:
This bug (603620) was mentioned in
https://build.opensuse.org/request/show/41263 Factory / btrfsprogs