May 2024 - Kernel - mailweb.openeuler.org

[PATCH OLK-5.10 0/3] cvm:improve security for cvm host feature
by Ju Fu 29 May '24

29 May '24

improve security for cvm host feature: cvm: enable secure memory alloc on multiple numa nodes cvm: add secure memory query method cvm: improve security for cvm host feature Signed-off-by: Ju Fu <fuju1(a)huawei.com> arch/arm64/include/asm/kvm_tmi.h | 97 +++-- arch/arm64/include/asm/kvm_tmm.h | 9 +- arch/arm64/include/uapi/asm/kvm.h | 4 + arch/arm64/kvm/arm.c | 33 +- arch/arm64/kvm/cvm.c | 598 +++++++++++++++--------------- arch/arm64/kvm/reset.c | 6 + arch/arm64/kvm/tmi.c | 41 +- include/uapi/linux/kvm.h | 6 +- 8 files changed, 388 insertions(+), 406 deletions(-) -- 2.25.1.windows.1

2 4

[PATCH OLK-5.10] tty: fix hang on tty device with no_room set
by Yi Yang 29 May '24

29 May '24

From: Hui Li <caelli(a)tencent.com> mainline inclusion from mainline-v6.5-rc1 commit 4903fde8047a28299d1fc79c1a0dcc255e928f12 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9T85S CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- It is possible to hang pty devices in this case, the reader was blocking at epoll on master side, the writer was sleeping at wait_woken inside n_tty_write on slave side, and the write buffer on tty_port was full, we found that the reader and writer would never be woken again and blocked forever. The problem was caused by a race between reader and kworker: n_tty_read(reader): n_tty_receive_buf_common(kworker): copy_from_read_buf()| |room = N_TTY_BUF_SIZE - (ldata->read_head - tail) |room <= 0 n_tty_kick_worker() | |ldata->no_room = true After writing to slave device, writer wakes up kworker to flush data on tty_port to reader, and the kworker finds that reader has no room to store data so room <= 0 is met. At this moment, reader consumes all the data on reader buffer and calls n_tty_kick_worker to check ldata->no_room which is false and reader quits reading. Then kworker sets ldata->no_room=true and quits too. If write buffer is not full, writer will wake kworker to flush data again after following writes, but if write buffer is full and writer goes to sleep, kworker will never be woken again and tty device is blocked. This problem can be solved with a check for read buffer size inside n_tty_receive_buf_common, if read buffer is empty and ldata->no_room is true, a call to n_tty_kick_worker is necessary to keep flushing data to reader. Cc: <stable(a)vger.kernel.org> Fixes: 42458f41d08f ("n_tty: Ensure reader restarts worker for next reader") Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Hui Li <caelli(a)tencent.com> Message-ID: <1680749090-14106-1-git-send-email-caelli(a)tencent.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: drivers/tty/n_tty.c [commit 947d66b68f3c ("n_tty: Rename tail to old_tail in n_tty_read()") was not merge] Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/n_tty.c | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c index 8e7931d93543..fb39271e08fa 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c @@ -202,8 +202,8 @@ static void n_tty_kick_worker(struct tty_struct *tty) struct n_tty_data *ldata = tty->disc_data; /* Did the input worker stop? Restart it */ - if (unlikely(ldata->no_room)) { - ldata->no_room = 0; + if (unlikely(READ_ONCE(ldata->no_room))) { + WRITE_ONCE(ldata->no_room, 0); WARN_RATELIMIT(tty->port->itty == NULL, "scheduling with invalid itty\n"); @@ -1725,7 +1725,7 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp, if (overflow && room < 0) ldata->read_head--; room = overflow; - ldata->no_room = flow && !room; + WRITE_ONCE(ldata->no_room, flow && !room); } else overflow = 0; @@ -1756,6 +1756,17 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp, } else n_tty_check_throttle(tty); + if (unlikely(ldata->no_room)) { + /* + * Barrier here is to ensure to read the latest read_tail in + * chars_in_buffer() and to make sure that read_tail is not loaded + * before ldata->no_room is set. + */ + smp_mb(); + if (!chars_in_buffer(tty)) + n_tty_kick_worker(tty); + } + up_read(&tty->termios_rwsem); return rcvd; @@ -2314,8 +2325,14 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file, if (time) timeout = time; } - if (tail != ldata->read_tail) + if (tail != ldata->read_tail) { + /* + * Make sure no_room is not read in n_tty_kick_worker() + * before setting ldata->read_tail in copy_from_read_buf(). + */ + smp_mb(); n_tty_kick_worker(tty); + } up_read(&tty->termios_rwsem); remove_wait_queue(&tty->read_wait, &wait); -- 2.25.1

2 1

[PATCH OLK-5.10 0/3] improve security for cvm host feature
by Ju Fu 29 May '24

29 May '24

improve security for cvm host feature: cvm: enable secure memory alloc on multiple numa nodes cvm: add secure memory query method cvm: improve security for cvm host feature arch/arm64/include/asm/kvm_pgtable.h | 3 + arch/arm64/include/asm/kvm_tmi.h | 92 +++-- arch/arm64/include/asm/kvm_tmm.h | 9 +- arch/arm64/include/uapi/asm/kvm.h | 4 + arch/arm64/kvm/arm.c | 68 +++- arch/arm64/kvm/cvm.c | 563 ++++++++++++--------------- arch/arm64/kvm/reset.c | 6 + arch/arm64/kvm/tmi.c | 41 +- include/uapi/linux/kvm.h | 6 +- 9 files changed, 386 insertions(+), 406 deletions(-) -- 2.25.1.windows.1

2 4

[PATCH openEuler-22.03-LTS-SP1 v5] can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds
by Yipeng Zou 29 May '24

29 May '24

From: Marc Kleine-Budde <mkl(a)pengutronix.de> mainline inclusion from mainline-v6.7-rc1 commit 6411959c10fe917288cbb1038886999148560057 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9REA2 CVE: CVE-2023-52878 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… -------------------------------- If the "struct can_priv::echoo_skb" is accessed out of bounds, this would cause a kernel crash. Instead, issue a meaningful warning message and return with an error. Fixes: a6e4bc530403 ("can: make the number of echo skb's configurable") Link: https://lore.kernel.org/all/20231005-can-dev-fix-can-restart-v2-5-91b5c1fd9… Reviewed-by: Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Conflicts: drivers/net/can/dev/skb.c drivers/net/can/dev/dev.c [Since 18f2dbfd2232 ("can: dev: move skb related into seperate file") can_put_echo_skb has been moved to skb.c without any functional change. So we can fix this cve directly in dev.c.] Signed-off-by: Yipeng Zou <zouyipeng(a)huawei.com> --- drivers/net/can/dev/dev.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c index 2b38a99884f2..9e0a63374744 100644 --- a/drivers/net/can/dev/dev.c +++ b/drivers/net/can/dev/dev.c @@ -462,7 +462,11 @@ int can_put_echo_skb(struct sk_buff *skb, struct net_device *dev, { struct can_priv *priv = netdev_priv(dev); - BUG_ON(idx >= priv->echo_skb_max); + if (idx >= priv->echo_skb_max) { + netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n", + __func__, idx, priv->echo_skb_max); + return -EINVAL; + } /* check flag whether this packet has to be looped back */ if (!(dev->flags & IFF_ECHO) || skb->pkt_type != PACKET_LOOPBACK || -- 2.34.1

2 1

[PATCH OLK-5.10 v5] can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds
by Yipeng Zou 29 May '24

29 May '24

From: Marc Kleine-Budde <mkl(a)pengutronix.de> mainline inclusion from mainline-v6.7-rc1 commit 6411959c10fe917288cbb1038886999148560057 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9REA2 CVE: CVE-2023-52878 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… -------------------------------- If the "struct can_priv::echoo_skb" is accessed out of bounds, this would cause a kernel crash. Instead, issue a meaningful warning message and return with an error. Fixes: a6e4bc530403 ("can: make the number of echo skb's configurable") Link: https://lore.kernel.org/all/20231005-can-dev-fix-can-restart-v2-5-91b5c1fd9… Reviewed-by: Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Conflicts: drivers/net/can/dev/skb.c drivers/net/can/dev/dev.c [Since 18f2dbfd2232 ("can: dev: move skb related into seperate file") can_put_echo_skb has been moved to skb.c without any functional change. So we can fix this cve directly in dev.c.] Signed-off-by: Yipeng Zou <zouyipeng(a)huawei.com> --- drivers/net/can/dev/dev.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c index b5e79d63d59b..535bf277ba90 100644 --- a/drivers/net/can/dev/dev.c +++ b/drivers/net/can/dev/dev.c @@ -462,7 +462,11 @@ int can_put_echo_skb(struct sk_buff *skb, struct net_device *dev, { struct can_priv *priv = netdev_priv(dev); - BUG_ON(idx >= priv->echo_skb_max); + if (idx >= priv->echo_skb_max) { + netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n", + __func__, idx, priv->echo_skb_max); + return -EINVAL; + } /* check flag whether this packet has to be looped back */ if (!(dev->flags & IFF_ECHO) || skb->pkt_type != PACKET_LOOPBACK || -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS v5] can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds
by Yipeng Zou 29 May '24

29 May '24

From: Marc Kleine-Budde <mkl(a)pengutronix.de> mainline inclusion from mainline-v6.7-rc1 commit 6411959c10fe917288cbb1038886999148560057 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9REA2 CVE: CVE-2023-52878 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… -------------------------------- If the "struct can_priv::echoo_skb" is accessed out of bounds, this would cause a kernel crash. Instead, issue a meaningful warning message and return with an error. Fixes: a6e4bc530403 ("can: make the number of echo skb's configurable") Link: https://lore.kernel.org/all/20231005-can-dev-fix-can-restart-v2-5-91b5c1fd9… Reviewed-by: Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Conflicts: drivers/net/can/dev/skb.c drivers/net/can/dev/dev.c [Since 18f2dbfd2232 ("can: dev: move skb related into seperate file") can_put_echo_skb has been moved to skb.c without any functional change. So we can fix this cve directly in dev.c.] Signed-off-by: Yipeng Zou <zouyipeng(a)huawei.com> --- drivers/net/can/dev/dev.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c index 40e2e1bbb8a6..5667f1ebd8e7 100644 --- a/drivers/net/can/dev/dev.c +++ b/drivers/net/can/dev/dev.c @@ -447,7 +447,11 @@ void can_put_echo_skb(struct sk_buff *skb, struct net_device *dev, { struct can_priv *priv = netdev_priv(dev); - BUG_ON(idx >= priv->echo_skb_max); + if (idx >= priv->echo_skb_max) { + netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n", + __func__, idx, priv->echo_skb_max); + return; + } /* check flag whether this packet has to be looped back */ if (!(dev->flags & IFF_ECHO) || skb->pkt_type != PACKET_LOOPBACK || -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] powerpc/mm: Fix lockup on kernel exec fault
by Liu Shixin 29 May '24

29 May '24

From: Christophe Leroy <christophe.leroy(a)csgroup.eu> stable inclusion from stable-v5.4.133 commit a82471a14aad90f79d1608d2bcbb019f0ffb53f0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4CI CVE: CVE-2021-47350 -------------------------------- commit cd5d5e602f502895e47e18cd46804d6d7014e65c upstream. The powerpc kernel is not prepared to handle exec faults from kernel. Especially, the function is_exec_fault() will return 'false' when an exec fault is taken by kernel, because the check is based on reading current->thread.regs->trap which contains the trap from user. For instance, when provoking a LKDTM EXEC_USERSPACE test, current->thread.regs->trap is set to SYSCALL trap (0xc00), and the fault taken by the kernel is not seen as an exec fault by set_access_flags_filter(). Commit d7df2443cd5f ("powerpc/mm: Fix spurious segfaults on radix with autonuma") made it clear and handled it properly. But later on commit d3ca587404b3 ("powerpc/mm: Fix reporting of kernel execute faults") removed that handling, introducing test based on error_code. And here is the problem, because on the 603 all upper bits of SRR1 get cleared when the TLB instruction miss handler bails out to ISI. Until commit cbd7e6ca0210 ("powerpc/fault: Avoid heavy search_exception_tables() verification"), an exec fault from kernel at a userspace address was indirectly caught by the lack of entry for that address in the exception tables. But after that commit the kernel mainly relies on KUAP or on core mm handling to catch wrong user accesses. Here the access is not wrong, so mm handles it. It is a minor fault because PAGE_EXEC is not set, set_access_flags_filter() should set PAGE_EXEC and voila. But as is_exec_fault() returns false as explained in the beginning, set_access_flags_filter() bails out without setting PAGE_EXEC flag, which leads to a forever minor exec fault. As the kernel is not prepared to handle such exec faults, the thing to do is to fire in bad_kernel_fault() for any exec fault taken by the kernel, as it was prior to commit d3ca587404b3. Fixes: d3ca587404b3 ("powerpc/mm: Fix reporting of kernel execute faults") Cc: stable(a)vger.kernel.org # v4.14+ Signed-off-by: Christophe Leroy <christophe.leroy(a)csgroup.eu> Acked-by: Nicholas Piggin <npiggin(a)gmail.com> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://lore.kernel.org/r/024bb05105050f704743a0083fe3548702be5706.16251382… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: arch/powerpc/mm/fault.c [ Context conflicts due to lack of commit de78a9c42a79 ("powerpc: Add a framework for Kernel Userspace Access Protection"). ] Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> --- arch/powerpc/mm/fault.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c index 5b04d029f824..41f1de87edb6 100644 --- a/arch/powerpc/mm/fault.c +++ b/arch/powerpc/mm/fault.c @@ -221,9 +221,7 @@ static int mm_fault_error(struct pt_regs *regs, unsigned long addr, static bool bad_kernel_fault(bool is_exec, unsigned long error_code, unsigned long address) { - /* NX faults set DSISR_PROTFAULT on the 8xx, DSISR_NOEXEC_OR_G on others */ - if (is_exec && (error_code & (DSISR_NOEXEC_OR_G | DSISR_KEYFAULT | - DSISR_PROTFAULT))) { + if (is_exec) { printk_ratelimited(KERN_CRIT "kernel tried to execute" " exec-protected page (%lx) -" "exploit attempt? (uid: %d)\n", -- 2.25.1

2 1

[PATCH OLK-5.10] IMA: Introduce a config for fix on IMA with Overlayfs issue
by Xiang Yang 29 May '24

29 May '24

From: GUO Zihua <guozihua(a)huawei.com> hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9T6ZD CVE: NA -------------------------------- IMA detect the backing inode changes through i_version of the backing inode would introduce a performance degrade, so introduce a config to allow users to turn the i_version detection on and off. Signed-off-by: GUO Zihua <guozihua(a)huawei.com> Signed-off-by: Xiang Yang <xiangyang3(a)huawei.com> --- security/integrity/ima/Kconfig | 8 ++++++++ security/integrity/ima/ima_main.c | 6 ++++++ 2 files changed, 14 insertions(+) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 213dc7079f84..9e254c5cb117 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -368,3 +368,11 @@ config IMA_PARSER_BINARY_PATH default "/usr/bin/upload_digest_lists" help This option defines the path of the parser binary. + +config IMA_FIX_OVERLAYFS_DETECTION + bool + default y + help + This option enables the fix for overlayfs backing inode change + detection. With this config enabled, IMA would be detecting + backing inode changes through i_version of the backing inode. diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 389d6e957357..0a202a4f07c1 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -267,7 +267,11 @@ static int process_measurement(struct file *file, const struct cred *cred, u32 secid, char *buf, loff_t size, int mask, enum ima_hooks func) { +#ifdef IMA_FIX_OVERLAYFS_DETECTION struct inode *backing_inode, *inode = file_inode(file); +#else + struct inode *inode = file_inode(file); +#endif struct integrity_iint_cache *iint = NULL; struct ima_template_desc *template_desc = NULL; char *pathbuf = NULL; @@ -344,6 +348,7 @@ static int process_measurement(struct file *file, const struct cred *cred, iint->measured_pcrs = 0; } +#ifdef IMA_FIX_OVERLAYFS_DETECTION /* Detect and re-evaluate changes made to the backing file. */ backing_inode = d_real_inode(file_dentry(file)); if (backing_inode != inode && @@ -356,6 +361,7 @@ static int process_measurement(struct file *file, const struct cred *cred, iint->measured_pcrs = 0; } } +#endif /* Determine if already appraised/measured based on bitmask * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED, -- 2.34.1

2 1

[PATCH OLK-5.10] sysv: don't call sb_bread() with pointers_lock held
by Yifan Qiao 29 May '24

29 May '24

From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> stable inclusion from stable-v6.6.27 commit 89e8524135a3902e7563a5a59b7b5ec1bf4904ac category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QGIO CVE: CVE-2023-52699 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- syzbot is reporting sleep in atomic context in SysV filesystem [1], for sb_bread() is called with rw_spinlock held. A "write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock" bug and a "sb_bread() with write_lock(&pointers_lock)" bug were introduced by "Replace BKL for chain locking with sysvfs-private rwlock" in Linux 2.5.12. Then, "[PATCH] err1-40: sysvfs locking fix" in Linux 2.6.8 fixed the former bug by moving pointers_lock lock to the callers, but instead introduced a "sb_bread() with read_lock(&pointers_lock)" bug (which made this problem easier to hit). Al Viro suggested that why not to do like get_branch()/get_block()/ find_shared() in Minix filesystem does. And doing like that is almost a revert of "[PATCH] err1-40: sysvfs locking fix" except that get_branch() from with find_shared() is called without write_lock(&pointers_lock). Reported-by: syzbot <syzbot+69b40dc5fd40f32c199f(a)syzkaller.appspotmail.com> Link: https://syzkaller.appspot.com/bug?extid=69b40dc5fd40f32c199f Suggested-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Link: https://lore.kernel.org/r/0d195f93-a22a-49a2-0020-103534d6f7f6@I-love.SAKUR… Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/sysv/itree.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c index e3d1673b8ec9..ef9bcfeec21a 100644 --- a/fs/sysv/itree.c +++ b/fs/sysv/itree.c @@ -82,9 +82,6 @@ static inline sysv_zone_t *block_end(struct buffer_head *bh) return (sysv_zone_t*)((char*)bh->b_data + bh->b_size); } -/* - * Requires read_lock(&pointers_lock) or write_lock(&pointers_lock) - */ static Indirect *get_branch(struct inode *inode, int depth, int offsets[], @@ -104,15 +101,18 @@ static Indirect *get_branch(struct inode *inode, bh = sb_bread(sb, block); if (!bh) goto failure; + read_lock(&pointers_lock); if (!verify_chain(chain, p)) goto changed; add_chain(++p, bh, (sysv_zone_t*)bh->b_data + *++offsets); + read_unlock(&pointers_lock); if (!p->key) goto no_block; } return NULL; changed: + read_unlock(&pointers_lock); brelse(bh); *err = -EAGAIN; goto no_block; @@ -218,9 +218,7 @@ static int get_block(struct inode *inode, sector_t iblock, struct buffer_head *b goto out; reread: - read_lock(&pointers_lock); partial = get_branch(inode, depth, offsets, chain, &err); - read_unlock(&pointers_lock); /* Simplest case - block found, no allocation needed */ if (!partial) { @@ -290,9 +288,9 @@ static Indirect *find_shared(struct inode *inode, *top = 0; for (k = depth; k > 1 && !offsets[k-1]; k--) ; + partial = get_branch(inode, k, offsets, chain, &err); write_lock(&pointers_lock); - partial = get_branch(inode, k, offsets, chain, &err); if (!partial) partial = chain + k-1; /* -- 2.39.2

2 1

[PATCH openEuler-22.03-LTS-SP2 v2 0/2] CVE-2024-35956
by iceleaf 29 May '24

29 May '24

Boris Burkov (1): btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations Omar Sandoval (1): btrfs: fix anon_dev leak in create_subvol() fs/btrfs/ctree.h | 2 -- fs/btrfs/inode.c | 13 ++++++- fs/btrfs/ioctl.c | 81 +++++++++++++++++++++++++++----------------- fs/btrfs/root-tree.c | 10 ------ 4 files changed, 61 insertions(+), 45 deletions(-) -- 2.31.1

2 3