linux/fs/btrfs
Filipe Manana b7adbf9ada btrfs: fix race between quota rescan and disable leading to NULL pointer deref
If we have one task trying to start the quota rescan worker while another
one is trying to disable quotas, we can end up hitting a race that results
in the quota rescan worker doing a NULL pointer dereference. The steps for
this are the following:

1) Quotas are enabled;

2) Task A calls the quota rescan ioctl and enters btrfs_qgroup_rescan().
   It calls qgroup_rescan_init() which returns 0 (success) and then joins a
   transaction and commits it;

3) Task B calls the quota disable ioctl and enters btrfs_quota_disable().
   It clears the bit BTRFS_FS_QUOTA_ENABLED from fs_info->flags and calls
   btrfs_qgroup_wait_for_completion(), which returns immediately since the
   rescan worker is not yet running.
   Then it starts a transaction and locks fs_info->qgroup_ioctl_lock;

4) Task A queues the rescan worker, by calling btrfs_queue_work();

5) The rescan worker starts, and calls rescan_should_stop() at the start
   of its while loop, which results in 0 iterations of the loop, since
   the flag BTRFS_FS_QUOTA_ENABLED was cleared from fs_info->flags by
   task B at step 3);

6) Task B sets fs_info->quota_root to NULL;

7) The rescan worker tries to start a transaction and uses
   fs_info->quota_root as the root argument for btrfs_start_transaction().
   This results in a NULL pointer dereference down the call chain of
   btrfs_start_transaction(). The stack trace is something like the one
   reported in Link tag below:

   general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] PREEMPT SMP KASAN
   KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]
   CPU: 1 PID: 34 Comm: kworker/u4:2 Not tainted 6.1.0-syzkaller-13872-gb6bb9676f216 #0
   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
   Workqueue: btrfs-qgroup-rescan btrfs_work_helper
   RIP: 0010:start_transaction+0x48/0x10f0 fs/btrfs/transaction.c:564
   Code: 48 89 fb 48 (...)
   RSP: 0018:ffffc90000ab7ab0 EFLAGS: 00010206
   RAX: 0000000000000041 RBX: 0000000000000208 RCX: ffff88801779ba80
   RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
   RBP: dffffc0000000000 R08: 0000000000000001 R09: fffff52000156f5d
   R10: fffff52000156f5d R11: 1ffff92000156f5c R12: 0000000000000000
   R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000003
   FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   CR2: 00007f2bea75b718 CR3: 000000001d0cc000 CR4: 00000000003506e0
   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
   Call Trace:
    <TASK>
    btrfs_qgroup_rescan_worker+0x3bb/0x6a0 fs/btrfs/qgroup.c:3402
    btrfs_work_helper+0x312/0x850 fs/btrfs/async-thread.c:280
    process_one_work+0x877/0xdb0 kernel/workqueue.c:2289
    worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
    kthread+0x266/0x300 kernel/kthread.c:376
    ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
    </TASK>
   Modules linked in:

So fix this by having the rescan worker function not attempt to start a
transaction if it didn't do any rescan work.

Reported-by: syzbot+96977faa68092ad382c4@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-btrfs/000000000000e5454b05f065a803@google.com/
Fixes: e804861bd4 ("btrfs: fix deadlock between quota disable and qgroup rescan worker")
CC: stable@vger.kernel.org # 5.4+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
2023-01-16 19:46:54 +01:00
..
tests btrfs: drop private_data parameter from extent_io_tree_init 2022-12-05 18:00:54 +01:00
accessors.c btrfs: add eb to btrfs_node_key_ptr_offset 2022-12-05 18:00:58 +01:00
accessors.h btrfs: add stack helpers for a few btrfs items 2022-12-05 18:00:58 +01:00
acl.c btrfs: move acl prototypes into acl.h 2022-12-05 18:00:46 +01:00
acl.h btrfs: move acl prototypes into acl.h 2022-12-05 18:00:46 +01:00
async-thread.c btrfs: simplify WQ_HIGHPRI handling in struct btrfs_workqueue 2022-05-16 17:03:15 +02:00
async-thread.h btrfs: remove unused typedefs get_extent_t and btrfs_work_func_t 2022-07-25 17:45:36 +02:00
backref.c btrfs: fix resolving backrefs for inline extent followed by prealloc 2022-12-20 19:43:43 +01:00
backref.h btrfs: send: skip resolution of our own backref when finding clone source 2022-12-05 18:00:50 +01:00
bio.c btrfs: handle case when repair happens with dev-replace 2023-01-03 15:53:18 +01:00
bio.h btrfs: split the bio submission path into a separate file 2022-12-05 18:00:57 +01:00
block-group.c btrfs: convert btrfs_block_group::needs_free_space to runtime flag 2022-12-05 18:00:51 +01:00
block-group.h btrfs: convert btrfs_block_group::seq_zone to runtime flag 2022-12-05 18:00:51 +01:00
block-rsv.c btrfs: simplify percent calculation helpers, rename div_factor 2022-12-05 18:00:48 +01:00
block-rsv.h btrfs: simplify percent calculation helpers, rename div_factor 2022-12-05 18:00:48 +01:00
btrfs_inode.h btrfs: pass btrfs_inode to btrfs_add_delayed_iput 2022-12-05 18:00:55 +01:00
check-integrity.c btrfs: use btrfs_dev_name() helper to handle missing devices better 2022-12-05 18:00:57 +01:00
check-integrity.h btrfs: check-integrity: split submit_bio from btrfsic checking 2022-05-16 17:03:12 +02:00
compression.c btrfs: split the bio submission path into a separate file 2022-12-05 18:00:57 +01:00
compression.h btrfs: constify input buffer parameter in compression code 2022-12-05 18:00:55 +01:00
ctree.c btrfs: add might_sleep() annotations 2022-12-05 18:00:59 +01:00
ctree.h btrfs: move the csum helpers into ctree.h 2022-12-05 18:00:58 +01:00
defrag.c btrfs: fix an error handling path in btrfs_defrag_leaves() 2022-12-15 19:16:50 +01:00
defrag.h btrfs: move defrag related prototypes to their own header 2022-12-05 18:00:46 +01:00
delalloc-space.c btrfs: update function comments 2022-12-05 18:00:45 +01:00
delalloc-space.h btrfs: move delalloc space related prototypes to delalloc-space.h 2022-12-05 18:00:44 +01:00
delayed-inode.c btrfs: pass btrfs_inode to btrfs_inode_unlock 2022-12-05 18:00:53 +01:00
delayed-inode.h btrfs: extend btrfs_dir_item type to store encryption status 2022-12-05 18:00:43 +01:00
delayed-ref.c btrfs: update function comments 2022-12-05 18:00:45 +01:00
delayed-ref.h btrfs: remove btrfs_delayed_extent_op::is_data 2022-05-16 17:17:31 +02:00
dev-replace.c btrfs: use btrfs_dev_name() helper to handle missing devices better 2022-12-05 18:00:57 +01:00
dev-replace.h btrfs: move dev-replace prototypes into dev-replace.h 2022-12-05 18:00:47 +01:00
dir-item.c btrfs: move dir-item prototypes into dir-item.h 2022-12-05 18:00:46 +01:00
dir-item.h btrfs: move dir-item prototypes into dir-item.h 2022-12-05 18:00:46 +01:00
discard.c btrfs: update function comments 2022-12-05 18:00:45 +01:00
discard.h btrfs: cleanup btrfs_discard_update_discardable usage 2020-12-08 15:54:02 +01:00
disk-io.c btrfs: do not abort transaction on failure to write log tree when syncing log 2023-01-12 15:43:30 +01:00
disk-io.h btrfs: fix compat_ro checks against remount 2023-01-03 16:22:13 +01:00
export.c btrfs: move super_block specific helpers into super.h 2022-12-05 18:00:47 +01:00
export.h btrfs: simplify generation check in btrfs_get_dentry 2022-12-05 18:00:41 +01:00
extent_io.c btrfs: fix false alert on bad tree level check 2023-01-03 15:53:18 +01:00
extent_io.h btrfs: move eb offset helpers into extent_io.h 2022-12-05 18:00:58 +01:00
extent_map.c btrfs: remove no longer used btrfs_next_extent_map() 2022-12-05 18:00:56 +01:00
extent_map.h btrfs: remove no longer used btrfs_next_extent_map() 2022-12-05 18:00:56 +01:00
extent-io-tree.c btrfs: fix off-by-one in delalloc search during lseek 2023-01-03 15:53:18 +01:00
extent-io-tree.h btrfs: allow passing a cached state record to count_range_bits() 2022-12-05 18:00:56 +01:00
extent-tree.c btrfs: always report error in run_one_delayed_ref() 2023-01-03 16:22:10 +01:00
extent-tree.h btrfs: move the snapshot drop related prototypes to extent-tree.h 2022-12-05 18:00:46 +01:00
file-item.c btrfs: split the bio submission path into a separate file 2022-12-05 18:00:57 +01:00
file-item.h btrfs: move file_extent_item helpers into file-item.h 2022-12-05 18:00:58 +01:00
file.c btrfs: fix invalid leaf access due to inline extent during lseek 2023-01-16 19:46:38 +01:00
file.h btrfs: use cached state when looking for delalloc ranges with fiemap 2022-12-05 18:00:56 +01:00
free-space-cache.c btrfs: pass btrfs_inode to btrfs_add_delayed_iput 2022-12-05 18:00:55 +01:00
free-space-cache.h btrfs: convert discard stat defs to enum 2022-12-05 18:00:45 +01:00
free-space-tree.c btrfs: convert btrfs_block_group::needs_free_space to runtime flag 2022-12-05 18:00:51 +01:00
free-space-tree.h btrfs: rename btrfs_block_group_cache 2019-11-18 17:51:51 +01:00
fs.c btrfs: move accessor helpers into accessors.h 2022-12-05 18:00:42 +01:00
fs.h btrfs: zoned: enable metadata over-commit for non-ZNS setup 2023-01-11 20:04:25 +01:00
inode-item.c btrfs: move file-item prototypes into their own header 2022-12-05 18:00:46 +01:00
inode-item.h btrfs: use struct fscrypt_str instead of struct qstr 2022-12-05 18:00:43 +01:00
inode.c btrfs: fix ASSERT em->len condition in btrfs_get_extent 2023-01-03 15:53:18 +01:00
ioctl.c btrfs: replace strncpy() with strscpy() 2022-12-05 18:00:59 +01:00
ioctl.h btrfs: move ioctl prototypes into ioctl.h 2022-12-05 18:00:46 +01:00
Kconfig btrfs: use generic Kconfig option for 256kB page size limit 2022-01-20 08:52:55 +02:00
locking.c btrfs: move accessor helpers into accessors.h 2022-12-05 18:00:42 +01:00
locking.h btrfs: move the lockdep helpers into locking.h 2022-12-05 18:00:44 +01:00
lzo.c btrfs: constify input buffer parameter in compression code 2022-12-05 18:00:55 +01:00
Makefile btrfs: split the bio submission path into a separate file 2022-12-05 18:00:57 +01:00
messages.c btrfs: move super_block specific helpers into super.h 2022-12-05 18:00:47 +01:00
messages.h btrfs: print transaction aborted messages with an error level 2022-12-05 18:00:59 +01:00
misc.h btrfs: simplify percent calculation helpers, rename div_factor 2022-12-05 18:00:48 +01:00
ordered-data.c btrfs: pass btrfs_inode to btrfs_add_delayed_iput 2022-12-05 18:00:55 +01:00
ordered-data.h btrfs: use cached_state for btrfs_check_nocow_lock 2022-12-05 18:00:36 +01:00
orphan.c btrfs: move orphan prototypes into orphan.h 2022-12-05 18:00:47 +01:00
orphan.h btrfs: move orphan prototypes into orphan.h 2022-12-05 18:00:47 +01:00
print-tree.c btrfs: move struct btrfs_tree_parent_check out of disk-io.h 2022-12-05 18:00:57 +01:00
print-tree.h btrfs: print the actual offset in btrfs_root_name 2021-01-07 17:25:05 +01:00
props.c btrfs: move super_block specific helpers into super.h 2022-12-05 18:00:47 +01:00
props.h btrfs: make module init/exit match their sequence 2022-12-05 18:00:40 +01:00
qgroup.c btrfs: fix race between quota rescan and disable leading to NULL pointer deref 2023-01-16 19:46:54 +01:00
qgroup.h btrfs: sink gfp_t parameter to btrfs_qgroup_trace_extent 2022-12-05 18:00:43 +01:00
raid56.c btrfs: scrub: fix uninitialized return value in recover_scrub_rbio 2022-12-20 19:43:45 +01:00
raid56.h btrfs: raid56: prepare data checksums for later RMW verification 2022-12-05 18:00:57 +01:00
rcu-string.h btrfs: replace strncpy() with strscpy() 2022-12-05 18:00:59 +01:00
ref-verify.c btrfs: move accessor helpers into accessors.h 2022-12-05 18:00:42 +01:00
ref-verify.h btrfs: ref-verify: Use btrfs_ref to refactor btrfs_ref_tree_mod() 2019-04-29 19:02:49 +02:00
reflink.c btrfs: pass btrfs_inode to btrfs_inode_unlock 2022-12-05 18:00:53 +01:00
reflink.h Btrfs: move all reflink implementation code into its own file 2020-03-23 17:01:54 +01:00
relocation.c btrfs: split the bio submission path into a separate file 2022-12-05 18:00:57 +01:00
relocation.h btrfs: move relocation prototypes into relocation.h 2022-12-05 18:00:47 +01:00
root-tree.c btrfs: move orphan prototypes into orphan.h 2022-12-05 18:00:47 +01:00
root-tree.h btrfs: move root tree prototypes to their own header 2022-12-05 18:00:44 +01:00
scrub.c btrfs: introduce a bitmap based csum range search function 2022-12-05 18:00:57 +01:00
scrub.h btrfs: move scrub prototypes into scrub.h 2022-12-05 18:00:47 +01:00
send.c btrfs: send: bump the extent reference count limit for backref walking 2022-12-05 18:00:51 +01:00
send.h btrfs: send add define for v2 buffer size 2022-12-05 18:00:41 +01:00
space-info.c btrfs: zoned: enable metadata over-commit for non-ZNS setup 2023-01-11 20:04:25 +01:00
space-info.h btrfs: move btrfs_account_ro_block_groups_free_space into space-info.c 2022-12-05 18:00:44 +01:00
subpage.c btrfs: move the printk helpers out of ctree.h 2022-12-05 18:00:41 +01:00
subpage.h btrfs: make nodesize >= PAGE_SIZE case to reuse the non-subpage routine 2022-05-16 17:03:11 +02:00
super.c btrfs: fix compat_ro checks against remount 2023-01-03 16:22:13 +01:00
super.h btrfs: move super_block specific helpers into super.h 2022-12-05 18:00:47 +01:00
sysfs.c btrfs: simplify percent calculation helpers, rename div_factor 2022-12-05 18:00:48 +01:00
sysfs.h btrfs: split and refactor btrfs_sysfs_remove_devices_dir 2020-10-07 12:12:21 +02:00
transaction.c btrfs: drop private_data parameter from extent_io_tree_init 2022-12-05 18:00:54 +01:00
transaction.h btrfs: remove fs_info::pending_changes and related code 2022-12-05 18:00:42 +01:00
tree-checker.c btrfs: pass the extent buffer for the btrfs_item_nr helpers 2022-12-05 18:00:58 +01:00
tree-checker.h btrfs: move struct btrfs_tree_parent_check out of disk-io.h 2022-12-05 18:00:57 +01:00
tree-log.c btrfs: do not abort transaction on failure to update log root 2023-01-12 15:43:31 +01:00
tree-log.h btrfs: use struct fscrypt_str instead of struct qstr 2022-12-05 18:00:43 +01:00
tree-mod-log.c btrfs: add eb to btrfs_node_key_ptr_offset 2022-12-05 18:00:58 +01:00
tree-mod-log.h btrfs: fix SPDX comment in tree-mod-log.h 2022-12-05 18:00:48 +01:00
ulist.c btrfs: constify ulist parameter of ulist_next() 2022-12-05 18:00:50 +01:00
ulist.h btrfs: constify ulist parameter of ulist_next() 2022-12-05 18:00:50 +01:00
uuid-tree.c btrfs: move uuid tree prototypes to uuid-tree.h 2022-12-05 18:00:46 +01:00
uuid-tree.h btrfs: move uuid tree prototypes to uuid-tree.h 2022-12-05 18:00:46 +01:00
verity.c btrfs: move orphan prototypes into orphan.h 2022-12-05 18:00:47 +01:00
verity.h btrfs: move verity prototypes into verity.h 2022-12-05 18:00:47 +01:00
volumes.c btrfs: stop using write_one_page in btrfs_scratch_superblock 2023-01-16 19:46:19 +01:00
volumes.h btrfs: split the bio submission path into a separate file 2022-12-05 18:00:57 +01:00
xattr.c btrfs: move dir-item prototypes into dir-item.h 2022-12-05 18:00:46 +01:00
xattr.h btrfs: cleanup btrfs_setxattr_trans and drop transaction parameter 2019-04-29 19:02:44 +02:00
zlib.c btrfs: constify input buffer parameter in compression code 2022-12-05 18:00:55 +01:00
zoned.c btrfs: zoned: enable metadata over-commit for non-ZNS setup 2023-01-11 20:04:25 +01:00
zoned.h btrfs: move the printk helpers out of ctree.h 2022-12-05 18:00:41 +01:00
zstd.c btrfs: constify input buffer parameter in compression code 2022-12-05 18:00:55 +01:00