On Fri, Jun 02, 2017 at 01:20:01AM -0700, Omar Sandoval wrote:
> From: Omar Sandoval <osandov@xxxxxx>
>
> btrfs_calc_trans_metadata_size() does an unsigned 32-bit multiplication,
> which can overflow if num_items >= 4 GB / (nodesize * BTRFS_MAX_LEVEL * 2).
> For a nodesize of 16kB, this overflow happens at 16k items. Usually,
> num_items is a small constant passed to btrfs_start_transaction(), but
> we also use btrfs_calc_trans_metadata_size() for metadata reservations
> for extent items in btrfs_delalloc_{reserve,release}_metadata().
>
> In drop_outstanding_extents(), num_items is calculated as
> inode->reserved_extents - inode->outstanding_extents. The difference
> between these two counters is usually small, but if many delalloc
> extents are reserved and then the outstanding extents are merged in
> btrfs_merge_extent_hook(), the difference can become large enough to
> overflow in btrfs_calc_trans_metadata_size().
>
> The overflow manifests itself as a leak of a multiple of 4 GB in
> delalloc_block_rsv and the metadata bytes_may_use counter. This in turn
> can cause early ENOSPC errors. Additionally, these WARN_ONs in
> extent-tree.c will be hit when unmounting:
>
> WARN_ON(fs_info->delalloc_block_rsv.size > 0);
> WARN_ON(fs_info->delalloc_block_rsv.reserved > 0);
> WARN_ON(space_info->bytes_pinned > 0 ||
> space_info->bytes_reserved > 0 ||
> space_info->bytes_may_use > 0);
>
> Fix it by casting nodesize to a u64 so that
> btrfs_calc_trans_metadata_size() does a full 64-bit multiplication.
> While we're here, do the same in btrfs_calc_trunc_metadata_size(); this
> can't overflow with any existing uses, but it's better to be safe here
> than have another hard-to-debug problem later on.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Omar Sandoval <osandov@xxxxxx>
Reviewed-by: David Sterba <dsterba@xxxxxxxx>