[PATCH OLK-5.10] btrfs: fix qgroup reserve leaks in cow_file_range - Kernel

24 Sep 2024

From: Boris Burkov boris@bur.io
mainline inclusion
from mainline-v6.11-rc3
commit 30479f31d44d47ed00ae0c7453d9b253537005b2
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARV5C
CVE: CVE-2024-46733
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
In the buffered write path, the dirty page owns the qgroup reserve until
it creates an ordered_extent.
Therefore, any errors that occur before the ordered_extent is created
must free that reservation, or else the space is leaked. The fstest
generic/475 exercises various IO error paths, and is able to trigger
errors in cow_file_range where we fail to get to allocating the ordered
extent. Note that because we *do* clear delalloc, we are likely to
remove the inode from the delalloc list, so the inodes/pages to not have
invalidate/launder called on them in the commit abort path.
This results in failures at the unmount stage of the test that look like:
BTRFS: error (device dm-8 state EA) in cleanup_transaction:2018: errno=-5 IO failure
  BTRFS: error (device dm-8 state EA) in btrfs_replace_file_extents:2416: errno=-5 IO failure
  BTRFS warning (device dm-8 state EA): qgroup 0/5 has unreleased space, type 0 rsv 28672
  ------------[ cut here ]------------
  WARNING: CPU: 3 PID: 22588 at fs/btrfs/disk-io.c:4333 close_ctree+0x222/0x4d0 [btrfs]
  Modules linked in: btrfs blake2b_generic libcrc32c xor zstd_compress raid6_pq
  CPU: 3 PID: 22588 Comm: umount Kdump: loaded Tainted: G W          6.10.0-rc7-gab56fde445b8 #21
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
  RIP: 0010:close_ctree+0x222/0x4d0 [btrfs]
  RSP: 0018:ffffb4465283be00 EFLAGS: 00010202
  RAX: 0000000000000001 RBX: ffffa1a1818e1000 RCX: 0000000000000001
  RDX: 0000000000000000 RSI: ffffb4465283bbe0 RDI: ffffa1a19374fcb8
  RBP: ffffa1a1818e13c0 R08: 0000000100028b16 R09: 0000000000000000
  R10: 0000000000000003 R11: 0000000000000003 R12: ffffa1a18ad7972c
  R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
  FS:  00007f9168312b80(0000) GS:ffffa1a4afcc0000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007f91683c9140 CR3: 000000010acaa000 CR4: 00000000000006f0
  Call Trace:
   <TASK>
   ? close_ctree+0x222/0x4d0 [btrfs]
   ? __warn.cold+0x8e/0xea
   ? close_ctree+0x222/0x4d0 [btrfs]
   ? report_bug+0xff/0x140
   ? handle_bug+0x3b/0x70
   ? exc_invalid_op+0x17/0x70
   ? asm_exc_invalid_op+0x1a/0x20
   ? close_ctree+0x222/0x4d0 [btrfs]
   generic_shutdown_super+0x70/0x160
   kill_anon_super+0x11/0x40
   btrfs_kill_super+0x11/0x20 [btrfs]
   deactivate_locked_super+0x2e/0xa0
   cleanup_mnt+0xb5/0x150
   task_work_run+0x57/0x80
   syscall_exit_to_user_mode+0x121/0x130
   do_syscall_64+0xab/0x1a0
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
  RIP: 0033:0x7f916847a887
  ---[ end trace 0000000000000000 ]---
  BTRFS error (device dm-8 state EA): qgroup reserved space leaked
Cases 2 and 3 in the out_reserve path both pertain to this type of leak
and must free the reserved qgroup data. Because it is already an error
path, I opted not to handle the possible errors in
btrfs_free_qgroup_data.
Reviewed-by: Qu Wenruo wqu@suse.com
Signed-off-by: Boris Burkov boris@bur.io
Signed-off-by: David Sterba dsterba@suse.com
Conflicts:
    fs/btrfs/inode.c
[The cleanup logic is very old in 5.10, need to adapt the logic.]
Signed-off-by: Yifan Qiao qiaoyifan4@huawei.com
---
 fs/btrfs/inode.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index b1138ba9642d..9e8e5be6e97f 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -1161,6 +1161,7 @@ static noinline int cow_file_range(struct btrfs_inode *inode,
    				     locked_page,
    				     clear_bits,
    				     page_ops);
+		btrfs_qgroup_free_data(inode, NULL, start, cur_alloc_size);
    	start += cur_alloc_size;
    	if (start >= end)
    		goto out;
@@ -1168,6 +1169,7 @@ static noinline int cow_file_range(struct btrfs_inode *inode,
    extent_clear_unlock_delalloc(inode, start, end, locked_page,
    			     clear_bits | EXTENT_CLEAR_DATA_RESV,
    			     page_ops);
+	btrfs_qgroup_free_data(inode, NULL, start, cur_alloc_size);
    goto out;
 }
@@ -1777,7 +1779,7 @@ static noinline int run_delalloc_nocow(struct btrfs_inode *inode,
    if (nocow)
    	btrfs_dec_nocow_writers(fs_info, disk_bytenr);
-	if (ret && cur_offset < end)
+	if (ret && cur_offset < end) {
    	extent_clear_unlock_delalloc(inode, cur_offset, end,
    				     locked_page, EXTENT_LOCKED |
    				     EXTENT_DELALLOC | EXTENT_DEFRAG |
@@ -1785,6 +1787,8 @@ static noinline int run_delalloc_nocow(struct btrfs_inode *inode,
    				     PAGE_CLEAR_DIRTY |
    				     PAGE_SET_WRITEBACK |
    				     PAGE_END_WRITEBACK);
+		btrfs_qgroup_free_data(inode, NULL, cur_offset, end - cur_offset + 1);
+	}
    btrfs_free_path(path);
    return ret;
 }
-- 
2.39.2


    