lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 22 May 2019 15:26:21 -0400 From: Sasha Levin <sashal@...nel.org> To: linux-kernel@...r.kernel.org, stable@...r.kernel.org Cc: Robbie Ko <robbieko@...ology.com>, Filipe Manana <fdmanana@...e.com>, David Sterba <dsterba@...e.com>, Sasha Levin <sashal@...nel.org>, linux-btrfs@...r.kernel.org Subject: [PATCH AUTOSEL 4.14 026/167] Btrfs: fix data bytes_may_use underflow with fallocate due to failed quota reserve From: Robbie Ko <robbieko@...ology.com> [ Upstream commit 39ad317315887c2cb9a4347a93a8859326ddf136 ] When doing fallocate, we first add the range to the reserve_list and then reserve the quota. If quota reservation fails, we'll release all reserved parts of reserve_list. However, cur_offset is not updated to indicate that this range is already been inserted into the list. Therefore, the same range is freed twice. Once at list_for_each_entry loop, and once at the end of the function. This will result in WARN_ON on bytes_may_use when we free the remaining space. At the end, under the 'out' label we have a call to: btrfs_free_reserved_data_space(inode, data_reserved, alloc_start, alloc_end - cur_offset); The start offset, third argument, should be cur_offset. Everything from alloc_start to cur_offset was freed by the list_for_each_entry_safe_loop. Fixes: 18513091af94 ("btrfs: update btrfs_space_info's bytes_may_use timely") Reviewed-by: Filipe Manana <fdmanana@...e.com> Signed-off-by: Robbie Ko <robbieko@...ology.com> Signed-off-by: David Sterba <dsterba@...e.com> Signed-off-by: Sasha Levin <sashal@...nel.org> --- fs/btrfs/file.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c index 57e25e83b81a8..7d99f36af100e 100644 --- a/fs/btrfs/file.c +++ b/fs/btrfs/file.c @@ -2964,6 +2964,7 @@ static long btrfs_fallocate(struct file *file, int mode, ret = btrfs_qgroup_reserve_data(inode, &data_reserved, cur_offset, last_byte - cur_offset); if (ret < 0) { + cur_offset = last_byte; free_extent_map(em); break; } @@ -3034,7 +3035,7 @@ static long btrfs_fallocate(struct file *file, int mode, /* Let go of our reservation. */ if (ret != 0) btrfs_free_reserved_data_space(inode, data_reserved, - alloc_start, alloc_end - cur_offset); + cur_offset, alloc_end - cur_offset); extent_changeset_free(data_reserved); return ret; } -- 2.20.1
Powered by blists - more mailing lists