Remove btrfs module after a failed fallocate attempt will cause error on 4.4 i386

Bug #1822579 reported by Po-Hsu Lin
This bug affects 2 people
Affects              Status        Importance  Assigned to    Milestone
ubuntu-kernel-tests  Fix Released  Undecided   Unassigned
linux (Ubuntu)       Fix Released  Undecided   Unassigned
Xenial               Fix Released  Undecided   Andrea Righi

Bug Description

SRU Justification:

[Impact]

 * If fallocate() fails on a btrfs subvolume when its qgroup quota limit is exceeded, a previously allocated extent map isn't correctly released, causing a memory leak from the pool btrfs_extent_map.

 * Fix by correctly deallocating the object in case of failure

[Test Case]

 * https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1822579/+attachment/5252459/+files/btrfs-fallocate-test.sh

[Fix]

 * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=be2d253cc98244765323a7c94cc1ac5cd5a17072

Fix the memory leak by adding the proper free_extent_map() call to the failure path.

[Regression Potential]

 * This is an upstream fix, tested on the affected platform. The patch is really small, and the backport changes are minimal. All the other Ubuntu releases already include this fix.

[Original bug report]
If one issues a rmmod (or modprobe -r) command after a failed fallocate attempt, it will cause an error with a call trace:

 =============================================================================
 BUG btrfs_extent_map (Not tainted): Objects remaining in btrfs_extent_map on kmem_cache_close()
 -----------------------------------------------------------------------------

 Disabling lock debugging due to kernel taint
 INFO: Slab 0xf7526fb0 objects=34 used=1 fp=0xf43fef78 flags=0x2800080
 CPU: 1 PID: 1608 Comm: rmmod Tainted: G B 4.4.0-143-generic #169-Ubuntu
 Hardware name: Dell Inc. PowerEdge R310/05XKKK, BIOS 1.11.0 09/18/2012
  c1b0d967 35a7d73c 00000286 f4ed9ddc c13c034f f7526fb0 f4ed9dfc f4ed9e70
  c11ccc42 c1a164b0 f7526fb0 00000022 00000001 f43fef78 02800080 656a624f
  20737463 616d6572 6e696e69 6e692067 72746220 655f7366 6e657478 616d5f74
 Call Trace:
  [<c13c034f>] dump_stack+0x58/0x79
  [<c11ccc42>] slab_err+0x82/0xa0
  [<c11d090d>] ? __kmalloc+0x22d/0x240
  [<c11ce550>] ? __free_slab+0xa0/0x130
  [<c11d0ba9>] ? free_partial+0xa9/0x1b0
  [<c11d0ba9>] ? free_partial+0xa9/0x1b0
  [<c11d0bce>] free_partial+0xce/0x1b0
  [<c11cf350>] ? __flush_cpu_slab+0x40/0x40
  [<c11d24e2>] __kmem_cache_shutdown+0x42/0x80
  [<c119e5e2>] kmem_cache_destroy+0x162/0x1e0
  [<f8dc0ac6>] extent_map_exit+0x16/0x20 [btrfs]
  [<f8e2ee20>] exit_btrfs_fs+0x26/0x206 [btrfs]
  [<c10fd19f>] SyS_delete_module+0x1af/0x200
  [<c11edbad>] ? ____fput+0xd/0x10
  [<c109062f>] ? task_work_run+0x8f/0xa0
  [<c10031f6>] ? exit_to_usermode_loop+0xb6/0xe0
  [<c10038af>] do_fast_syscall_32+0x9f/0x160
  [<c17e63f0>] sysenter_past_esp+0x3d/0x61
 INFO: Object 0xf43fe078 @offset=120
 kmem_cache_destroy btrfs_extent_map: Slab cache still has objects
 CPU: 1 PID: 1608 Comm: rmmod Tainted: G B 4.4.0-143-generic #169-Ubuntu
 Hardware name: Dell Inc. PowerEdge R310/05XKKK, BIOS 1.11.0 09/18/2012
  c1b0d967 35a7d73c 00000286 f4ed9ed4 c13c034f ef34f600 ef34f674 f4ed9f0c
  c119e630 c1a14d18 f55f3220 f4ed9f04 000d96ab f4ed9eec f4ed9eec f4ed9ef4
  f4ed9ef4 35a7d73c 022ffd44 f8e46880 f4ed8000 f4ed9f14 f8dc0ac6 f4ed9f1c
 Call Trace:
  [<c13c034f>] dump_stack+0x58/0x79
  [<c119e630>] kmem_cache_destroy+0x1b0/0x1e0
  [<f8dc0ac6>] extent_map_exit+0x16/0x20 [btrfs]
  [<f8e2ee20>] exit_btrfs_fs+0x26/0x206 [btrfs]
  [<c10fd19f>] SyS_delete_module+0x1af/0x200
  [<c11edbad>] ? ____fput+0xd/0x10
  [<c109062f>] ? task_work_run+0x8f/0xa0
  [<c10031f6>] ? exit_to_usermode_loop+0xb6/0xe0
  [<c10038af>] do_fast_syscall_32+0x9f/0x160
  [<c17e63f0>] sysenter_past_esp+0x3d/0x61

Steps to reproduce this:

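# Work on a throwaway 512M loop-backed btrfs filesystem
TMP=/tmp
MNT=/tmp/mnt
mkdir -p "$MNT"

TMPIMG0=$TMP/test0.img
DEV0=$(losetup -f)

truncate --size 512M "$TMPIMG0"
losetup "$DEV0" "$TMPIMG0"

mkfs.btrfs -f "$DEV0" > /dev/null 2>&1
mount "$DEV0" "$MNT"

# Limit the subvolume's qgroup to 10M
btrfs quota enable "$MNT"
btrfs sub create "$MNT/subv"
btrfs qgroup limit 10M "$MNT/subv"

# Exceeds the 10M limit, so this fallocate fails
fallocate --length 20M "$MNT/subv/data"

# The module is in use while the filesystem is mounted, so unmount before rmmod
umount "$MNT"
rmmod btrfs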

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: linux-image-4.4.0-143-generic 4.4.0-143.169
ProcVersionSignature: User Name 4.4.0-143.169-generic 4.4.170
Uname: Linux 4.4.0-143-generic i686
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116, 1 Apr 1 11:43 seq
 crw-rw---- 1 root audio 116, 33 Apr 1 11:43 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
ApportVersion: 2.20.1-0ubuntu2.18
Architecture: i386
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
Date: Mon Apr 1 11:55:56 2019
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
MachineType: Dell Inc. PowerEdge R310
PciMultimedia:

ProcFB:

ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-143-generic root=UUID=6aaa11f6-d386-4c0c-b4b8-38e6c408980a ro
RelatedPackageVersions:
 linux-restricted-modules-4.4.0-143-generic N/A
 linux-backports-modules-4.4.0-143-generic N/A
 linux-firmware 1.157.21
RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 09/18/2012
dmi.bios.vendor: Dell Inc.
dmi.bios.version: 1.11.0
dmi.board.name: 05XKKK
dmi.board.vendor: Dell Inc.
dmi.board.version: A05
dmi.chassis.type: 23
dmi.chassis.vendor: Dell Inc.
dmi.modalias: dmi:bvnDellInc.:bvr1.11.0:bd09/18/2012:svnDellInc.:pnPowerEdgeR310:pvr:rvnDellInc.:rn05XKKK:rvrA05:cvnDellInc.:ct23:cvr:
dmi.product.name: PowerEdge R310
dmi.sys.vendor: Dell Inc.
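
The failure-path leak described under [Impact] and [Fix], as an added user-space model (not the btrfs source and not the upstream patch): an object is taken from a counted pool, the quota reservation fails, and the cache is then torn down with or without the release on the error path. All type and function names are hypothetical; only the names btrfs_extent_map and free_extent_map() come from the report.

```c
/* Added user-space model of the leak; type and function names are hypothetical. */
#include <stdio.h>
struct cache;
struct emap  { struct cache *c; int refs; };               /* stands in for an extent map */
struct cache { const char *name; long live; struct emap pool[4]; }; /* stands in for the slab cache */

static struct emap *em_get(struct cache *c) {              /* lookup hands back a referenced object */
    for (int i = 0; i < 4; i++)
        if (c->pool[i].refs == 0) {
            c->pool[i].c = c; c->pool[i].refs = 1; c->live++;
            return &c->pool[i];
        }
    return NULL;
}
/* Plays the role of free_extent_map(): drop the reference, release on zero. */
static void em_put(struct emap *em) { if (em && --em->refs == 0) em->c->live--; }
static int reserve(long *used, long limit, long len) {
    if (*used + len > limit) return -1;   /* quota limit would be exceeded */
    *used += len; return 0;
}
/* Preallocate `total` bytes chunk by chunk; `fixed` selects the corrected failure path. */
static int prealloc(struct cache *c, long limit, long total, long chunk, int fixed) {
    long used = 0;
    for (long off = 0; off < total; off += chunk) {
        struct emap *em = em_get(c);
        if (!em) return -1;
        if (reserve(&used, limit, chunk) < 0) {
            if (fixed) em_put(em);   /* the fix: drop the reference before bailing out */
            return -1;               /* leaky variant returns with em still referenced */
        }
        em_put(em);
    }
    return 0;
}
/* Model of cache teardown at module unload: report objects still allocated. */
static long cache_destroy(struct cache *c) {
    if (c->live)
        fprintf(stderr, "%s: Slab cache still has objects (%ld)\n", c->name, c->live);
    return c->live;
}
/* The report's scenario: ask for 20M under a 10M limit, then tear the cache down. */
long run_scenario(int fixed) {
    struct cache c = { .name = "btrfs_extent_map" };
    prealloc(&c, 10L << 20, 20L << 20, 1L << 20, fixed);
    return cache_destroy(&c);
}
int main(void) {
    printf("leaky=%ld fixed=%ld\n", run_scenario(0), run_scenario(1));
    return 0;
}
```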

Po-Hsu Lin (cypressyew) wrote :
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Status changed to Confirmed

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
Changed in linux (Ubuntu Xenial):
status: New → Confirmed
Andrea Righi (arighi)
Changed in ubuntu-kernel-tests:
assignee: nobody → Andrea Righi (arighi)
assignee: Andrea Righi (arighi) → nobody
Changed in linux (Ubuntu Xenial):
assignee: nobody → Andrea Righi (arighi)
Andrea Righi (arighi) wrote :

Adding a test case script to reproduce the bug.

Andrea Righi (arighi) wrote :

This problem is fixed by https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=be2d253cc98244765323a7c94cc1ac5cd5a17072. Only Xenial seems to be affected. I'll post an SRU soon.

Andrea Righi (arighi)
description: updated
tags: added: patch
Changed in linux (Ubuntu Xenial):
status: Confirmed → Fix Committed
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Andrea Righi (arighi)
tags: added: verification-done-xenial
removed: verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-148.174

---------------
linux (4.4.0-148.174) xenial; urgency=medium

  * CVE-2018-12126 // CVE-2018-12127 // CVE-2018-12130
    - Documentation/l1tf: Fix small spelling typo
    - perf/x86/intel: Add model number for Skylake Server to perf
    - perf/x86: Add model numbers for Kabylake CPUs
    - perf/x86/intel: Use Intel family macros for core perf events
    - perf/x86/msr: Use Intel family macros for MSR events code
    - perf/x86/msr: Add missing Intel models
    - SAUCE: perf/x86/{cstate,rapl,uncore}: Use Intel Model name macros
    - perf/x86/msr: Add missing CPU IDs
    - x86/speculation: Simplify the CPU bug detection logic
    - x86/cpu: Sanitize FAM6_ATOM naming
    - kvm: x86: Report STIBP on GET_SUPPORTED_CPUID
    - bitops: avoid integer overflow in GENMASK(_ULL)
    - locking/atomics, asm-generic: Move some macros from <linux/bitops.h> to a
      new <linux/bits.h> file
    - tools include: Adopt linux/bits.h
    - x86/msr-index: Cleanup bit defines
    - x86/speculation: Consolidate CPU whitelists
    - x86/speculation/mds: Add basic bug infrastructure for MDS
    - x86/speculation/mds: Add BUG_MSBDS_ONLY
    - x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests
    - x86/speculation/mds: Add mds_clear_cpu_buffers()
    - locking/static_keys: Provide DECLARE and well as DEFINE macros
    - x86/speculation/mds: Clear CPU buffers on exit to user
    - x86/kvm/vmx: Add MDS protection when L1D Flush is not active
    - x86/speculation/mds: Conditionally clear CPU buffers on idle entry
    - SAUCE: sched/smt: Introduce sched_smt_{active,present}
    - SAUCE: Rename the Ubuntu-only spec_ctrl_mutex mutex
    - SAUCE: x86/speculation: Introduce arch_smt_update()
    - x86/speculation: Rework SMT state change
    - x86/speculation: Reorder the spec_v2 code
    - x86/speculation: Unify conditional spectre v2 print functions
    - x86/speculation/mds: Add mitigation control for MDS
    - x86/speculation/mds: Add sysfs reporting for MDS
    - x86/speculation/mds: Add mitigation mode VMWERV
    - Documentation: Move L1TF to separate directory
    - Documentation: Add MDS vulnerability documentation
    - x86/speculation/mds: Add mds=full,nosmt cmdline option
    - x86/speculation: Move arch_smt_update() call to after mitigation decisions
    - x86/speculation/mds: Add SMT warning message
    - x86/speculation/mds: Fix comment
    - x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off
    - x86/speculation/mds: Add 'mitigations=' support for MDS

  * CVE-2017-5715 // CVE-2017-5753
    - s390/speculation: Support 'mitigations=' cmdline option

  * CVE-2017-5715 // CVE-2017-5753 // CVE-2017-5754 // CVE-2018-3639
    - powerpc/speculation: Support 'mitigations=' cmdline option

  * CVE-2017-5715 // CVE-2017-5754 // CVE-2018-3620 // CVE-2018-3639 //
    CVE-2018-3646
    - cpu/speculation: Add 'mitigations=' cmdline option
    - x86/speculation: Support 'mitigations=' cmdline option

  * Packaging resync (LP: #1786013)
    - [Packaging] resync git-ubuntu-log

linux (4.4.0-147.173) xenial; urgency=medium

  * linux: 4.4.0-147.173 -proposed tracker (LP: #1826036)

  * Packaging resync...


Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
status: New → Fix Released
Changed in linux (Ubuntu):
status: Confirmed → Fix Released