| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 11 Nov 2022 17:36:20 +0800
From: ChenXiaoSong <chenxiaosong2@...wei.com>
To: Qu Wenruo <quwenruo.btrfs@....com>, <clm@...com>,
<josef@...icpanda.com>, <dsterba@...e.com>
CC: <linux-btrfs@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<zhangxiaoxu5@...wei.com>
Subject: Re: [PATCH v2] btrfs: qgroup: fix sleep from invalid context bug in
update_qgroup_limit_item()
Thanks for your suggestions, I will try to send a new version patch.
在 2022/11/11 17:09, Qu Wenruo 写道:
>
>
> On 2022/11/11 17:02, ChenXiaoSong wrote:
>> Syzkaller reported BUG as follows:
>>
>> BUG: sleeping function called from invalid context at
>> include/linux/sched/mm.h:274
>> Call Trace:
>> <TASK>
>> dump_stack_lvl+0xcd/0x134
>> __might_resched.cold+0x222/0x26b
>> kmem_cache_alloc+0x2e7/0x3c0
>> update_qgroup_limit_item+0xe1/0x390
>> btrfs_qgroup_inherit+0x147b/0x1ee0
>> create_subvol+0x4eb/0x1710
>> btrfs_mksubvol+0xfe5/0x13f0
>> __btrfs_ioctl_snap_create+0x2b0/0x430
>> btrfs_ioctl_snap_create_v2+0x25a/0x520
>> btrfs_ioctl+0x2a1c/0x5ce0
>> __x64_sys_ioctl+0x193/0x200
>> do_syscall_64+0x35/0x80
>>
>> Fix this by delaying the limit item updates until unlock the spin lock.
>
> The overall idea is way better now.
>
> But sorry that I didn't immediately find out the best solution at the
> first glance.
>
> In fact, your v2 path just lets me remember what is the correct way to
> handle such situation.
>
>>
>> Signed-off-by: ChenXiaoSong <chenxiaosong2@...wei.com>
>> ---
>> fs/btrfs/qgroup.c | 18 +++++++++---------
>> 1 file changed, 9 insertions(+), 9 deletions(-)
>>
>> diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
>> index 9334c3157c22..2792d63c0da4 100644
>> --- a/fs/btrfs/qgroup.c
>> +++ b/fs/btrfs/qgroup.c
> [...]
>> @@ -2985,6 +2978,7 @@ int btrfs_qgroup_inherit(struct
>> btrfs_trans_handle *trans, u64 srcid,
>> dstgroup->max_excl = srcgroup->max_excl;
>> dstgroup->rsv_rfer = srcgroup->rsv_rfer;
>> dstgroup->rsv_excl = srcgroup->rsv_excl;
>> + update_limit = true;
>> qgroup_dirty(fs_info, dstgroup);
>> qgroup_dirty(fs_info, srcgroup);
>
> You caught the "if (srcid)" branch, which also changed the
> limit/rfer/excl numbers of the destination qgroup, but didn't call
> update_qgroup_limit_item().
>
>
> But if you check the function qgroup_dirty() a little deeper, you can
> find out that, qgroup_dirty() will move the target qgroup into
> fs_info->dirty_qgroups list.
>
> And later at btrfs_run_qgroups() (which is called during
> btrfs_commit_transaction(), and also after create_pending_snapshots()),
> we will update the quota tree to reflect the result.
>
> So this means, all you need is just call qgroup_dirty() on @dstqgroup,
> and call it a day.
> Everything else will be properly handled.
>
> Sorry I didn't notice this earlier...
>
> Thanks,
> Qu
>
>> @@ -3053,6 +3047,12 @@ int btrfs_qgroup_inherit(struct
>> btrfs_trans_handle *trans, u64 srcid,
>> unlock:
>> spin_unlock(&fs_info->qgroup_lock);
>> + if (update_limit && update_qgroup_limit_item(trans, dstgroup)) {
>> + qgroup_mark_inconsistent(fs_info);
>> + btrfs_info(fs_info,
>> + "unable to update quota limit for %llu",
>> + dstgroup->qgroupid);
>> + }
>> if (!ret)
>> ret = btrfs_sysfs_add_one_qgroup(fs_info, dstgroup);
>> out:
>
> .
Powered by blists - more mailing lists