tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

btrfs: fix race between quota enable and quota rescan ioctl

When enabling quotas, at btrfs_quota_enable(), after committing the
transaction, we change fs_info->quota_root to point to the quota root we
created and set BTRFS_FS_QUOTA_ENABLED at fs_info->flags. Then we try
to start the qgroup rescan worker, first by initializing it with a call
to qgroup_rescan_init() - however if that fails we end up freeing the
quota root but we leave fs_info->quota_root still pointing to it, this
can later result in a use-after-free somewhere else.

We have previously set the flags BTRFS_FS_QUOTA_ENABLED and
BTRFS_QGROUP_STATUS_FLAG_ON, so we can only fail with -EINPROGRESS at
btrfs_quota_enable(), which is possible if someone already called the
quota rescan ioctl, and therefore started the rescan worker.

So fix this by ignoring an -EINPROGRESS and asserting we can't get any
other error.

Reported-by: Ye Bin <yebin10@huawei.com>
Link: https://lore.kernel.org/linux-btrfs/20220823015931.421355-1-yebin10@huawei.com/
CC: stable@vger.kernel.org # 4.19+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>

authored by

Filipe Manana and committed by
David Sterba 331cd946 dbecac26

+15
+15
fs/btrfs/qgroup.c
··· 1174 1174 fs_info->qgroup_rescan_running = true; 1175 1175 btrfs_queue_work(fs_info->qgroup_rescan_workers, 1176 1176 &fs_info->qgroup_rescan_work); 1177 + } else { 1178 + /* 1179 + * We have set both BTRFS_FS_QUOTA_ENABLED and 1180 + * BTRFS_QGROUP_STATUS_FLAG_ON, so we can only fail with 1181 + * -EINPROGRESS. That can happen because someone started the 1182 + * rescan worker by calling quota rescan ioctl before we 1183 + * attempted to initialize the rescan worker. Failure due to 1184 + * quotas disabled in the meanwhile is not possible, because 1185 + * we are holding a write lock on fs_info->subvol_sem, which 1186 + * is also acquired when disabling quotas. 1187 + * Ignore such error, and any other error would need to undo 1188 + * everything we did in the transaction we just committed. 1189 + */ 1190 + ASSERT(ret == -EINPROGRESS); 1191 + ret = 0; 1177 1192 } 1178 1193 1179 1194 out_free_path: