* [PATCH 5.4 0/3] CVE-2023-1611 Kernel: race between quota disable and quota assign ioctls in fs/btrfs/ioctl.c
@ 2023-07-28 7:39 Harshvardhan Jha
2023-07-28 7:39 ` [PATCH 5.4 1/3] btrfs: qgroup: remove one-time use variables for quota_root checks Harshvardhan Jha
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Harshvardhan Jha @ 2023-07-28 7:39 UTC (permalink / raw)
To: stable; +Cc: harshvardhan.j.jha, josef, dsterba, clm
The following series is a backport the fix of CVE-2023-1611
on stable 5.4. All pics were clean and no conflict resolution was
needed.
Commits "btrfs: qgroup: remove one-time use variables for quota_root
checks" and "btrfs: qgroup: return ENOTCONN instead of EINVAL when
quotas are not enabled" were added to get a clean pick for the fix
"btrfs: fix race between quota disable and quota assign ioctls"
These changes have been tested using the xfstests test-suite and no regressions
were observed when compared to stable 5.4.
Filipe Manana (1):
btrfs: fix race between quota disable and quota assign ioctls
Marcos Paulo de Souza (2):
btrfs: qgroup: remove one-time use variables for quota_root checks
btrfs: qgroup: return ENOTCONN instead of EINVAL when quotas are not
enabled
fs/btrfs/ioctl.c | 2 ++
fs/btrfs/qgroup.c | 55 +++++++++++++++++++++--------------------------
2 files changed, 27 insertions(+), 30 deletions(-)
--
2.40.0
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 5.4 1/3] btrfs: qgroup: remove one-time use variables for quota_root checks
2023-07-28 7:39 [PATCH 5.4 0/3] CVE-2023-1611 Kernel: race between quota disable and quota assign ioctls in fs/btrfs/ioctl.c Harshvardhan Jha
@ 2023-07-28 7:39 ` Harshvardhan Jha
2023-07-28 7:39 ` [PATCH 5.4 2/3] btrfs: qgroup: return ENOTCONN instead of EINVAL when quotas are not enabled Harshvardhan Jha
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Harshvardhan Jha @ 2023-07-28 7:39 UTC (permalink / raw)
To: stable; +Cc: harshvardhan.j.jha, josef, dsterba, clm
From: Marcos Paulo de Souza <mpdesouza@suse.com>
[Upstream commit e3b0edd29737d44137fc7583a9c185abda6e23b8]
Remove some variables that are set only to be checked later, and never
used.
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Marcos Paulo de Souza <mpdesouza@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Harshvardhan Jha <harshvardhan.j.jha@oracle.com>
---
fs/btrfs/qgroup.c | 34 ++++++++++------------------------
1 file changed, 10 insertions(+), 24 deletions(-)
diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
index 353e89efdebf..588abadcd784 100644
--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -1338,7 +1338,6 @@ int btrfs_add_qgroup_relation(struct btrfs_trans_handle *trans, u64 src,
u64 dst)
{
struct btrfs_fs_info *fs_info = trans->fs_info;
- struct btrfs_root *quota_root;
struct btrfs_qgroup *parent;
struct btrfs_qgroup *member;
struct btrfs_qgroup_list *list;
@@ -1354,8 +1353,7 @@ int btrfs_add_qgroup_relation(struct btrfs_trans_handle *trans, u64 src,
return -ENOMEM;
mutex_lock(&fs_info->qgroup_ioctl_lock);
- quota_root = fs_info->quota_root;
- if (!quota_root) {
+ if (!fs_info->quota_root) {
ret = -EINVAL;
goto out;
}
@@ -1402,7 +1400,6 @@ static int __del_qgroup_relation(struct btrfs_trans_handle *trans, u64 src,
u64 dst)
{
struct btrfs_fs_info *fs_info = trans->fs_info;
- struct btrfs_root *quota_root;
struct btrfs_qgroup *parent;
struct btrfs_qgroup *member;
struct btrfs_qgroup_list *list;
@@ -1415,8 +1412,7 @@ static int __del_qgroup_relation(struct btrfs_trans_handle *trans, u64 src,
if (!tmp)
return -ENOMEM;
- quota_root = fs_info->quota_root;
- if (!quota_root) {
+ if (!fs_info->quota_root) {
ret = -EINVAL;
goto out;
}
@@ -1482,11 +1478,11 @@ int btrfs_create_qgroup(struct btrfs_trans_handle *trans, u64 qgroupid)
int ret = 0;
mutex_lock(&fs_info->qgroup_ioctl_lock);
- quota_root = fs_info->quota_root;
- if (!quota_root) {
+ if (!fs_info->quota_root) {
ret = -EINVAL;
goto out;
}
+ quota_root = fs_info->quota_root;
qgroup = find_qgroup_rb(fs_info, qgroupid);
if (qgroup) {
ret = -EEXIST;
@@ -1511,14 +1507,12 @@ int btrfs_create_qgroup(struct btrfs_trans_handle *trans, u64 qgroupid)
int btrfs_remove_qgroup(struct btrfs_trans_handle *trans, u64 qgroupid)
{
struct btrfs_fs_info *fs_info = trans->fs_info;
- struct btrfs_root *quota_root;
struct btrfs_qgroup *qgroup;
struct btrfs_qgroup_list *list;
int ret = 0;
mutex_lock(&fs_info->qgroup_ioctl_lock);
- quota_root = fs_info->quota_root;
- if (!quota_root) {
+ if (!fs_info->quota_root) {
ret = -EINVAL;
goto out;
}
@@ -1560,7 +1554,6 @@ int btrfs_limit_qgroup(struct btrfs_trans_handle *trans, u64 qgroupid,
struct btrfs_qgroup_limit *limit)
{
struct btrfs_fs_info *fs_info = trans->fs_info;
- struct btrfs_root *quota_root;
struct btrfs_qgroup *qgroup;
int ret = 0;
/* Sometimes we would want to clear the limit on this qgroup.
@@ -1570,8 +1563,7 @@ int btrfs_limit_qgroup(struct btrfs_trans_handle *trans, u64 qgroupid,
const u64 CLEAR_VALUE = -1;
mutex_lock(&fs_info->qgroup_ioctl_lock);
- quota_root = fs_info->quota_root;
- if (!quota_root) {
+ if (!fs_info->quota_root) {
ret = -EINVAL;
goto out;
}
@@ -2677,10 +2669,9 @@ int btrfs_qgroup_account_extents(struct btrfs_trans_handle *trans)
int btrfs_run_qgroups(struct btrfs_trans_handle *trans)
{
struct btrfs_fs_info *fs_info = trans->fs_info;
- struct btrfs_root *quota_root = fs_info->quota_root;
int ret = 0;
- if (!quota_root)
+ if (!fs_info->quota_root)
return ret;
spin_lock(&fs_info->qgroup_lock);
@@ -2943,7 +2934,6 @@ static bool qgroup_check_limits(const struct btrfs_qgroup *qg, u64 num_bytes)
static int qgroup_reserve(struct btrfs_root *root, u64 num_bytes, bool enforce,
enum btrfs_qgroup_rsv_type type)
{
- struct btrfs_root *quota_root;
struct btrfs_qgroup *qgroup;
struct btrfs_fs_info *fs_info = root->fs_info;
u64 ref_root = root->root_key.objectid;
@@ -2962,8 +2952,7 @@ static int qgroup_reserve(struct btrfs_root *root, u64 num_bytes, bool enforce,
enforce = false;
spin_lock(&fs_info->qgroup_lock);
- quota_root = fs_info->quota_root;
- if (!quota_root)
+ if (!fs_info->quota_root)
goto out;
qgroup = find_qgroup_rb(fs_info, ref_root);
@@ -3030,7 +3019,6 @@ void btrfs_qgroup_free_refroot(struct btrfs_fs_info *fs_info,
u64 ref_root, u64 num_bytes,
enum btrfs_qgroup_rsv_type type)
{
- struct btrfs_root *quota_root;
struct btrfs_qgroup *qgroup;
struct ulist_node *unode;
struct ulist_iterator uiter;
@@ -3048,8 +3036,7 @@ void btrfs_qgroup_free_refroot(struct btrfs_fs_info *fs_info,
}
spin_lock(&fs_info->qgroup_lock);
- quota_root = fs_info->quota_root;
- if (!quota_root)
+ if (!fs_info->quota_root)
goto out;
qgroup = find_qgroup_rb(fs_info, ref_root);
@@ -3940,7 +3927,6 @@ void __btrfs_qgroup_free_meta(struct btrfs_root *root, int num_bytes,
static void qgroup_convert_meta(struct btrfs_fs_info *fs_info, u64 ref_root,
int num_bytes)
{
- struct btrfs_root *quota_root = fs_info->quota_root;
struct btrfs_qgroup *qgroup;
struct ulist_node *unode;
struct ulist_iterator uiter;
@@ -3948,7 +3934,7 @@ static void qgroup_convert_meta(struct btrfs_fs_info *fs_info, u64 ref_root,
if (num_bytes == 0)
return;
- if (!quota_root)
+ if (!fs_info->quota_root)
return;
spin_lock(&fs_info->qgroup_lock);
--
2.40.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 5.4 2/3] btrfs: qgroup: return ENOTCONN instead of EINVAL when quotas are not enabled
2023-07-28 7:39 [PATCH 5.4 0/3] CVE-2023-1611 Kernel: race between quota disable and quota assign ioctls in fs/btrfs/ioctl.c Harshvardhan Jha
2023-07-28 7:39 ` [PATCH 5.4 1/3] btrfs: qgroup: remove one-time use variables for quota_root checks Harshvardhan Jha
@ 2023-07-28 7:39 ` Harshvardhan Jha
2023-07-28 7:39 ` [PATCH 5.4 3/3] btrfs: fix race between quota disable and quota assign ioctls Harshvardhan Jha
2023-08-01 7:52 ` [PATCH 5.4 0/3] CVE-2023-1611 Kernel: race between quota disable and quota assign ioctls in fs/btrfs/ioctl.c Greg KH
3 siblings, 0 replies; 5+ messages in thread
From: Harshvardhan Jha @ 2023-07-28 7:39 UTC (permalink / raw)
To: stable; +Cc: harshvardhan.j.jha, josef, dsterba, clm
From: Marcos Paulo de Souza <mpdesouza@suse.com>
[Upstream commit 8a36e408d40606e21cd4e2dd9601004a67b14868]
[PROBLEM]
qgroup create/remove code is currently returning EINVAL when the user
tries to create a qgroup on a subvolume without quota enabled. EINVAL is
already being used for too many error scenarios so that is hard to
depict what is the problem.
[FIX]
Currently scrub and balance code return -ENOTCONN when the user tries to
cancel/pause and no scrub or balance is currently running for the
desired subvolume. Do the same here by returning -ENOTCONN when a user
tries to create/delete/assing/list a qgroup on a subvolume without quota
enabled.
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Marcos Paulo de Souza <mpdesouza@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Harshvardhan Jha <harshvardhan.j.jha@oracle.com>
---
fs/btrfs/qgroup.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
index 588abadcd784..7327636c9f26 100644
--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -1354,7 +1354,7 @@ int btrfs_add_qgroup_relation(struct btrfs_trans_handle *trans, u64 src,
mutex_lock(&fs_info->qgroup_ioctl_lock);
if (!fs_info->quota_root) {
- ret = -EINVAL;
+ ret = -ENOTCONN;
goto out;
}
member = find_qgroup_rb(fs_info, src);
@@ -1413,7 +1413,7 @@ static int __del_qgroup_relation(struct btrfs_trans_handle *trans, u64 src,
return -ENOMEM;
if (!fs_info->quota_root) {
- ret = -EINVAL;
+ ret = -ENOTCONN;
goto out;
}
@@ -1479,7 +1479,7 @@ int btrfs_create_qgroup(struct btrfs_trans_handle *trans, u64 qgroupid)
mutex_lock(&fs_info->qgroup_ioctl_lock);
if (!fs_info->quota_root) {
- ret = -EINVAL;
+ ret = -ENOTCONN;
goto out;
}
quota_root = fs_info->quota_root;
@@ -1513,7 +1513,7 @@ int btrfs_remove_qgroup(struct btrfs_trans_handle *trans, u64 qgroupid)
mutex_lock(&fs_info->qgroup_ioctl_lock);
if (!fs_info->quota_root) {
- ret = -EINVAL;
+ ret = -ENOTCONN;
goto out;
}
@@ -1564,7 +1564,7 @@ int btrfs_limit_qgroup(struct btrfs_trans_handle *trans, u64 qgroupid,
mutex_lock(&fs_info->qgroup_ioctl_lock);
if (!fs_info->quota_root) {
- ret = -EINVAL;
+ ret = -ENOTCONN;
goto out;
}
--
2.40.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 5.4 3/3] btrfs: fix race between quota disable and quota assign ioctls
2023-07-28 7:39 [PATCH 5.4 0/3] CVE-2023-1611 Kernel: race between quota disable and quota assign ioctls in fs/btrfs/ioctl.c Harshvardhan Jha
2023-07-28 7:39 ` [PATCH 5.4 1/3] btrfs: qgroup: remove one-time use variables for quota_root checks Harshvardhan Jha
2023-07-28 7:39 ` [PATCH 5.4 2/3] btrfs: qgroup: return ENOTCONN instead of EINVAL when quotas are not enabled Harshvardhan Jha
@ 2023-07-28 7:39 ` Harshvardhan Jha
2023-08-01 7:52 ` [PATCH 5.4 0/3] CVE-2023-1611 Kernel: race between quota disable and quota assign ioctls in fs/btrfs/ioctl.c Greg KH
3 siblings, 0 replies; 5+ messages in thread
From: Harshvardhan Jha @ 2023-07-28 7:39 UTC (permalink / raw)
To: stable; +Cc: harshvardhan.j.jha, josef, dsterba, clm
From: Filipe Manana <fdmanana@suse.com>
[Upstream commit 2f1a6be12ab6c8470d5776e68644726c94257c54]
The quota assign ioctl can currently run in parallel with a quota disable
ioctl call. The assign ioctl uses the quota root, while the disable ioctl
frees that root, and therefore we can have a use-after-free triggered in
the assign ioctl, leading to a trace like the following when KASAN is
enabled:
[672.723][T736] BUG: KASAN: slab-use-after-free in btrfs_search_slot+0x2962/0x2db0
[672.723][T736] Read of size 8 at addr ffff888022ec0208 by task btrfs_search_sl/27736
[672.724][T736]
[672.725][T736] CPU: 1 PID: 27736 Comm: btrfs_search_sl Not tainted 6.3.0-rc3 #37
[672.723][T736] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[672.727][T736] Call Trace:
[672.728][T736] <TASK>
[672.728][T736] dump_stack_lvl+0xd9/0x150
[672.725][T736] print_report+0xc1/0x5e0
[672.720][T736] ? __virt_addr_valid+0x61/0x2e0
[672.727][T736] ? __phys_addr+0xc9/0x150
[672.725][T736] ? btrfs_search_slot+0x2962/0x2db0
[672.722][T736] kasan_report+0xc0/0xf0
[672.729][T736] ? btrfs_search_slot+0x2962/0x2db0
[672.724][T736] btrfs_search_slot+0x2962/0x2db0
[672.723][T736] ? fs_reclaim_acquire+0xba/0x160
[672.722][T736] ? split_leaf+0x13d0/0x13d0
[672.726][T736] ? rcu_is_watching+0x12/0xb0
[672.723][T736] ? kmem_cache_alloc+0x338/0x3c0
[672.722][T736] update_qgroup_status_item+0xf7/0x320
[672.724][T736] ? add_qgroup_rb+0x3d0/0x3d0
[672.739][T736] ? do_raw_spin_lock+0x12d/0x2b0
[672.730][T736] ? spin_bug+0x1d0/0x1d0
[672.737][T736] btrfs_run_qgroups+0x5de/0x840
[672.730][T736] ? btrfs_qgroup_rescan_worker+0xa70/0xa70
[672.738][T736] ? __del_qgroup_relation+0x4ba/0xe00
[672.738][T736] btrfs_ioctl+0x3d58/0x5d80
[672.735][T736] ? tomoyo_path_number_perm+0x16a/0x550
[672.737][T736] ? tomoyo_execute_permission+0x4a0/0x4a0
[672.731][T736] ? btrfs_ioctl_get_supported_features+0x50/0x50
[672.737][T736] ? __sanitizer_cov_trace_switch+0x54/0x90
[672.734][T736] ? do_vfs_ioctl+0x132/0x1660
[672.730][T736] ? vfs_fileattr_set+0xc40/0xc40
[672.730][T736] ? _raw_spin_unlock_irq+0x2e/0x50
[672.732][T736] ? sigprocmask+0xf2/0x340
[672.737][T736] ? __fget_files+0x26a/0x480
[672.732][T736] ? bpf_lsm_file_ioctl+0x9/0x10
[672.738][T736] ? btrfs_ioctl_get_supported_features+0x50/0x50
[672.736][T736] __x64_sys_ioctl+0x198/0x210
[672.736][T736] do_syscall_64+0x39/0xb0
[672.731][T736] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[672.739][T736] RIP: 0033:0x4556ad
[672.742][T736] </TASK>
[672.743][T736]
[672.748][T736] Allocated by task 27677:
[672.743][T736] kasan_save_stack+0x22/0x40
[672.741][T736] kasan_set_track+0x25/0x30
[672.741][T736] __kasan_kmalloc+0xa4/0xb0
[672.749][T736] btrfs_alloc_root+0x48/0x90
[672.746][T736] btrfs_create_tree+0x146/0xa20
[672.744][T736] btrfs_quota_enable+0x461/0x1d20
[672.743][T736] btrfs_ioctl+0x4a1c/0x5d80
[672.747][T736] __x64_sys_ioctl+0x198/0x210
[672.749][T736] do_syscall_64+0x39/0xb0
[672.744][T736] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[672.756][T736]
[672.757][T736] Freed by task 27677:
[672.759][T736] kasan_save_stack+0x22/0x40
[672.759][T736] kasan_set_track+0x25/0x30
[672.756][T736] kasan_save_free_info+0x2e/0x50
[672.751][T736] ____kasan_slab_free+0x162/0x1c0
[672.758][T736] slab_free_freelist_hook+0x89/0x1c0
[672.752][T736] __kmem_cache_free+0xaf/0x2e0
[672.752][T736] btrfs_put_root+0x1ff/0x2b0
[672.759][T736] btrfs_quota_disable+0x80a/0xbc0
[672.752][T736] btrfs_ioctl+0x3e5f/0x5d80
[672.756][T736] __x64_sys_ioctl+0x198/0x210
[672.753][T736] do_syscall_64+0x39/0xb0
[672.765][T736] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[672.769][T736]
[672.768][T736] The buggy address belongs to the object at ffff888022ec0000
[672.768][T736] which belongs to the cache kmalloc-4k of size 4096
[672.769][T736] The buggy address is located 520 bytes inside of
[672.769][T736] freed 4096-byte region [ffff888022ec0000, ffff888022ec1000)
[672.760][T736]
[672.764][T736] The buggy address belongs to the physical page:
[672.761][T736] page:ffffea00008bb000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22ec0
[672.766][T736] head:ffffea00008bb000 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[672.779][T736] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[672.770][T736] raw: 00fff00000010200 ffff888012842140 ffffea000054ba00 dead000000000002
[672.770][T736] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[672.771][T736] page dumped because: kasan: bad access detected
[672.778][T736] page_owner tracks the page as allocated
[672.777][T736] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 88
[672.779][T736] get_page_from_freelist+0x119c/0x2d50
[672.779][T736] __alloc_pages+0x1cb/0x4a0
[672.776][T736] alloc_pages+0x1aa/0x270
[672.773][T736] allocate_slab+0x260/0x390
[672.771][T736] ___slab_alloc+0xa9a/0x13e0
[672.778][T736] __slab_alloc.constprop.0+0x56/0xb0
[672.771][T736] __kmem_cache_alloc_node+0x136/0x320
[672.789][T736] __kmalloc+0x4e/0x1a0
[672.783][T736] tomoyo_realpath_from_path+0xc3/0x600
[672.781][T736] tomoyo_path_perm+0x22f/0x420
[672.782][T736] tomoyo_path_unlink+0x92/0xd0
[672.780][T736] security_path_unlink+0xdb/0x150
[672.788][T736] do_unlinkat+0x377/0x680
[672.788][T736] __x64_sys_unlink+0xca/0x110
[672.789][T736] do_syscall_64+0x39/0xb0
[672.783][T736] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[672.784][T736] page last free stack trace:
[672.787][T736] free_pcp_prepare+0x4e5/0x920
[672.787][T736] free_unref_page+0x1d/0x4e0
[672.784][T736] __unfreeze_partials+0x17c/0x1a0
[672.797][T736] qlist_free_all+0x6a/0x180
[672.796][T736] kasan_quarantine_reduce+0x189/0x1d0
[672.797][T736] __kasan_slab_alloc+0x64/0x90
[672.793][T736] kmem_cache_alloc+0x17c/0x3c0
[672.799][T736] getname_flags.part.0+0x50/0x4e0
[672.799][T736] getname_flags+0x9e/0xe0
[672.792][T736] vfs_fstatat+0x77/0xb0
[672.791][T736] __do_sys_newlstat+0x84/0x100
[672.798][T736] do_syscall_64+0x39/0xb0
[672.796][T736] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[672.790][T736]
[672.791][T736] Memory state around the buggy address:
[672.799][T736] ffff888022ec0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[672.805][T736] ffff888022ec0180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[672.802][T736] >ffff888022ec0200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[672.809][T736] ^
[672.809][T736] ffff888022ec0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[672.809][T736] ffff888022ec0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Fix this by having the qgroup assign ioctl take the qgroup ioctl mutex
before calling btrfs_run_qgroups(), which is what all qgroup ioctls should
call.
Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/CAFcO6XN3VD8ogmHwqRk4kbiwtpUSNySu2VAxN8waEPciCHJvMA@mail.gmail.com/
CC: stable@vger.kernel.org # 5.10+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Harshvardhan Jha <harshvardhan.j.jha@oracle.com>
---
fs/btrfs/ioctl.c | 2 ++
fs/btrfs/qgroup.c | 11 ++++++++++-
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 64b443aa61ca..7a07e29c8ae7 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -4912,7 +4912,9 @@ static long btrfs_ioctl_qgroup_assign(struct file *file, void __user *arg)
}
/* update qgroup status and info */
+ mutex_lock(&fs_info->qgroup_ioctl_lock);
err = btrfs_run_qgroups(trans);
+ mutex_unlock(&fs_info->qgroup_ioctl_lock);
if (err < 0)
btrfs_handle_fs_error(fs_info, err,
"failed to update qgroup status and info");
diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
index 7327636c9f26..8a229a65866b 100644
--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -2664,13 +2664,22 @@ int btrfs_qgroup_account_extents(struct btrfs_trans_handle *trans)
}
/*
- * called from commit_transaction. Writes all changed qgroups to disk.
+ * Writes all changed qgroups to disk.
+ * Called by the transaction commit path and the qgroup assign ioctl.
*/
int btrfs_run_qgroups(struct btrfs_trans_handle *trans)
{
struct btrfs_fs_info *fs_info = trans->fs_info;
int ret = 0;
+ /*
+ * In case we are called from the qgroup assign ioctl, assert that we
+ * are holding the qgroup_ioctl_lock, otherwise we can race with a quota
+ * disable operation (ioctl) and access a freed quota root.
+ */
+ if (trans->transaction->state != TRANS_STATE_COMMIT_DOING)
+ lockdep_assert_held(&fs_info->qgroup_ioctl_lock);
+
if (!fs_info->quota_root)
return ret;
--
2.40.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 5.4 0/3] CVE-2023-1611 Kernel: race between quota disable and quota assign ioctls in fs/btrfs/ioctl.c
2023-07-28 7:39 [PATCH 5.4 0/3] CVE-2023-1611 Kernel: race between quota disable and quota assign ioctls in fs/btrfs/ioctl.c Harshvardhan Jha
` (2 preceding siblings ...)
2023-07-28 7:39 ` [PATCH 5.4 3/3] btrfs: fix race between quota disable and quota assign ioctls Harshvardhan Jha
@ 2023-08-01 7:52 ` Greg KH
3 siblings, 0 replies; 5+ messages in thread
From: Greg KH @ 2023-08-01 7:52 UTC (permalink / raw)
To: Harshvardhan Jha; +Cc: stable, josef, dsterba, clm
On Fri, Jul 28, 2023 at 12:39:11AM -0700, Harshvardhan Jha wrote:
> The following series is a backport the fix of CVE-2023-1611
> on stable 5.4. All pics were clean and no conflict resolution was
> needed.
>
> Commits "btrfs: qgroup: remove one-time use variables for quota_root
> checks" and "btrfs: qgroup: return ENOTCONN instead of EINVAL when
> quotas are not enabled" were added to get a clean pick for the fix
> "btrfs: fix race between quota disable and quota assign ioctls"
>
> These changes have been tested using the xfstests test-suite and no regressions
> were observed when compared to stable 5.4.
>
> Filipe Manana (1):
> btrfs: fix race between quota disable and quota assign ioctls
>
> Marcos Paulo de Souza (2):
> btrfs: qgroup: remove one-time use variables for quota_root checks
> btrfs: qgroup: return ENOTCONN instead of EINVAL when quotas are not
> enabled
>
> fs/btrfs/ioctl.c | 2 ++
> fs/btrfs/qgroup.c | 55 +++++++++++++++++++++--------------------------
> 2 files changed, 27 insertions(+), 30 deletions(-)
>
> --
> 2.40.0
>
All now queued up, thanks.
greg k-h
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-08-01 7:52 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-07-28 7:39 [PATCH 5.4 0/3] CVE-2023-1611 Kernel: race between quota disable and quota assign ioctls in fs/btrfs/ioctl.c Harshvardhan Jha
2023-07-28 7:39 ` [PATCH 5.4 1/3] btrfs: qgroup: remove one-time use variables for quota_root checks Harshvardhan Jha
2023-07-28 7:39 ` [PATCH 5.4 2/3] btrfs: qgroup: return ENOTCONN instead of EINVAL when quotas are not enabled Harshvardhan Jha
2023-07-28 7:39 ` [PATCH 5.4 3/3] btrfs: fix race between quota disable and quota assign ioctls Harshvardhan Jha
2023-08-01 7:52 ` [PATCH 5.4 0/3] CVE-2023-1611 Kernel: race between quota disable and quota assign ioctls in fs/btrfs/ioctl.c Greg KH
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.