
Commit 26b7c0ac authored by Filipe Manana, committed by Greg Kroah-Hartman

btrfs: fix race between quota enable and quota rescan ioctl



commit 331cd9461412e103d07595a10289de90004ac890 upstream.

When enabling quotas, at btrfs_quota_enable(), after committing the
transaction, we change fs_info->quota_root to point to the quota root we
created and set BTRFS_FS_QUOTA_ENABLED at fs_info->flags. Then we try
to start the qgroup rescan worker, first by initializing it with a call
to qgroup_rescan_init() - however if that fails we end up freeing the
quota root but we leave fs_info->quota_root still pointing to it, this
can later result in a use-after-free somewhere else.

We have previously set the flags BTRFS_FS_QUOTA_ENABLED and
BTRFS_QGROUP_STATUS_FLAG_ON, so we can only fail with -EINPROGRESS at
btrfs_quota_enable(), which is possible if someone already called the
quota rescan ioctl, and therefore started the rescan worker.

So fix this by ignoring an -EINPROGRESS and asserting we can't get any
other error.

Reported-by: Ye Bin <yebin10@huawei.com>
Link: https://lore.kernel.org/linux-btrfs/20220823015931.421355-1-yebin10@huawei.com/


CC: stable@vger.kernel.org # 4.19+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 3742e9fd
+15 −0
@@ -1075,6 +1075,21 @@ int btrfs_quota_enable(struct btrfs_fs_info *fs_info)
		fs_info->qgroup_rescan_running = true;
	        btrfs_queue_work(fs_info->qgroup_rescan_workers,
	                         &fs_info->qgroup_rescan_work);
	} else {
		/*
		 * We have set both BTRFS_FS_QUOTA_ENABLED and
		 * BTRFS_QGROUP_STATUS_FLAG_ON, so we can only fail with
		 * -EINPROGRESS. That can happen because someone started the
		 * rescan worker by calling quota rescan ioctl before we
		 * attempted to initialize the rescan worker. Failure due to
		 * quotas disabled in the meanwhile is not possible, because
		 * we are holding a write lock on fs_info->subvol_sem, which
		 * is also acquired when disabling quotas.
		 * Ignore such error, and any other error would need to undo
		 * everything we did in the transaction we just committed.
		 */
		ASSERT(ret == -EINPROGRESS);
		ret = 0;
	}

out_free_path:
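Review bot: In the new else branch, `ret = 0` runs unconditionally after `ASSERT(ret == -EINPROGRESS)`, so in any build where ASSERT compiles to nothing, an unexpected error from the rescan worker initialization is silently converted to success, even though the comment states that such an error would need the committed transaction to be undone. The reasoning in the comment (flags already set, write lock on fs_info->subvol_sem held) explains why only -EINPROGRESS is expected today, but nothing in the hunk makes a future violation visible outside assert-enabled builds. Consider emitting a warning when ret is anything other than -EINPROGRESS before clearing it, so the invariant is checked in production kernels too. The comment's last sentence would also read more clearly split in two: one sentence saying -EINPROGRESS is ignored, and one saying why other errors are not handled here.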