From: Yangtao Li frank.li@vivo.com
mainline inclusion from mainline-v6.4-rc1 commit f8107c996f5419a5b964b9796d736c7b81f099a0 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7D7ZL?from=project-issue CVE: NA
--------------------------------
For v1_write_file_info function, when quota_write() returns 0, it should be considered an EIO error. And for v2_write_file_info(), fix to proper error return code instead of raw number.
Signed-off-by: Yangtao Li frank.li@vivo.com Signed-off-by: Jan Kara jack@suse.cz Message-Id: 20230227120216.31306-1-frank.li@vivo.com Signed-off-by: Ye Bin yebin10@huawei.com Reviewed-by: Yang Erkun yangerkun@huawei.com Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com --- fs/quota/quota_v1.c | 2 +- fs/quota/quota_v2.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/quota/quota_v1.c b/fs/quota/quota_v1.c index 7ac5298aba70..ebae72dc805a 100644 --- a/fs/quota/quota_v1.c +++ b/fs/quota/quota_v1.c @@ -205,7 +205,7 @@ static int v1_write_file_info(struct super_block *sb, int type) sizeof(struct v1_disk_dqblk), v1_dqoff(0)); if (ret == sizeof(struct v1_disk_dqblk)) ret = 0; - else if (ret > 0) + else if (ret >= 0) ret = -EIO; out: up_write(&dqopt->dqio_sem); diff --git a/fs/quota/quota_v2.c b/fs/quota/quota_v2.c index 22367b851d6b..760b947d061e 100644 --- a/fs/quota/quota_v2.c +++ b/fs/quota/quota_v2.c @@ -213,7 +213,7 @@ static int v2_write_file_info(struct super_block *sb, int type) up_write(&dqopt->dqio_sem); if (size != sizeof(struct v2_disk_dqinfo)) { quota_error(sb, "Can't write info structure"); - return -1; + return size < 0 ? size : -EIO; } return 0; }
From: Ye Bin yebin10@huawei.com
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7D7ZL?from=project-issue
--------------------------------
This issue as follows When do IO fault injection test: Quota error (device dm-3): find_block_dqentry: Quota for id 101 referenced but not present Quota error (device dm-3): qtree_read_dquot: Can't read quota structure for id 101 Quota error (device dm-3): do_check_range: Getting block 2021161007 out of range 1-186 Quota error (device dm-3): qtree_read_dquot: Can't read quota structure for id 661
Now, ext4_write_dquot()/ext4_acquire_dquot()/ext4_release_dquot() may commit inconsistent quota data even if process failed. This may lead to filesystem corruption. To ensure filesystem consistent when errors=remount-ro there is need to call ext4_handle_error() to abort journal.
Signed-off-by: Ye Bin yebin10@huawei.com Reviewed-by: Yang Erkun yangerkun@huawei.com Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com --- fs/ext4/super.c | 12 ++++++++++++ 1 file changed, 12 insertions(+)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c index cc2efe2e6ee2..66156dc504f6 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -5978,6 +5978,10 @@ static int ext4_write_dquot(struct dquot *dquot) if (IS_ERR(handle)) return PTR_ERR(handle); ret = dquot_commit(dquot); + if (ret == -EIO) + ext4_error_err(dquot->dq_sb, EIO, + "Failed to commit dquot type %d", + dquot->dq_id.type); err = ext4_journal_stop(handle); if (!ret) ret = err; @@ -5994,6 +5998,10 @@ static int ext4_acquire_dquot(struct dquot *dquot) if (IS_ERR(handle)) return PTR_ERR(handle); ret = dquot_acquire(dquot); + if (ret == -EIO) + ext4_error_err(dquot->dq_sb, EIO, + "Failed to acquire dquot type %d", + dquot->dq_id.type); err = ext4_journal_stop(handle); if (!ret) ret = err; @@ -6013,6 +6021,10 @@ static int ext4_release_dquot(struct dquot *dquot) return PTR_ERR(handle); } ret = dquot_release(dquot); + if (ret == -EIO) + ext4_error_err(dquot->dq_sb, EIO, + "Failed to release dquot type %d", + dquot->dq_id.type); err = ext4_journal_stop(handle); if (!ret) ret = err;
From: Baokun Li libaokun1@huawei.com
mainline inclusion from mainline-v6.5 commit d13f99632748462c32fc95d729f5e754bab06064 category: bugfix bugzilla: 188906, https://gitee.com/openeuler/kernel/issues/I7E9M5 CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Yi found during a review of the patch "ext4: don't BUG on inconsistent journal feature" that when ext4_mark_recovery_complete() returns an error value, the error handling path does not turn off the enabled quotas, which triggers the following kmemleak:
================================================================ unreferenced object 0xffff8cf68678e7c0 (size 64): comm "mount", pid 746, jiffies 4294871231 (age 11.540s) hex dump (first 32 bytes): 00 90 ef 82 f6 8c ff ff 00 00 00 00 41 01 00 00 ............A... c7 00 00 00 bd 00 00 00 0a 00 00 00 48 00 00 00 ............H... backtrace: [<00000000c561ef24>] __kmem_cache_alloc_node+0x4d4/0x880 [<00000000d4e621d7>] kmalloc_trace+0x39/0x140 [<00000000837eee74>] v2_read_file_info+0x18a/0x3a0 [<0000000088f6c877>] dquot_load_quota_sb+0x2ed/0x770 [<00000000340a4782>] dquot_load_quota_inode+0xc6/0x1c0 [<0000000089a18bd5>] ext4_enable_quotas+0x17e/0x3a0 [ext4] [<000000003a0268fa>] __ext4_fill_super+0x3448/0x3910 [ext4] [<00000000b0f2a8a8>] ext4_fill_super+0x13d/0x340 [ext4] [<000000004a9489c4>] get_tree_bdev+0x1dc/0x370 [<000000006e723bf1>] ext4_get_tree+0x1d/0x30 [ext4] [<00000000c7cb663d>] vfs_get_tree+0x31/0x160 [<00000000320e1bed>] do_new_mount+0x1d5/0x480 [<00000000c074654c>] path_mount+0x22e/0xbe0 [<0000000003e97a8e>] do_mount+0x95/0xc0 [<000000002f3d3736>] __x64_sys_mount+0xc4/0x160 [<0000000027d2140c>] do_syscall_64+0x3f/0x90 ================================================================
To solve this problem, we add a "failed_mount10" tag, and call ext4_quota_off_umount() in this tag to release the enabled qoutas.
Fixes: 11215630aada ("ext4: don't BUG on inconsistent journal feature") Cc: stable@kernel.org Signed-off-by: Zhang Yi yi.zhang@huawei.com Signed-off-by: Baokun Li libaokun1@huawei.com Reviewed-by: Jan Kara jack@suse.cz Link: https://lore.kernel.org/r/20230327141630.156875-2-libaokun1@huawei.com Signed-off-by: Theodore Ts'o tytso@mit.edu
Conflicts: fs/ext4/super.c
Signed-off-by: Baokun Li libaokun1@huawei.com Reviewed-by: Yang Erkun yangerkun@huawei.com Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com --- fs/ext4/super.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 66156dc504f6..d11a300c31f5 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -4786,7 +4786,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) ext4_msg(sb, KERN_INFO, "recovery complete"); err = ext4_mark_recovery_complete(sb, es); if (err) - goto failed_mount8; + goto failed_mount10; } if (EXT4_SB(sb)->s_journal) { if (test_opt(sb, DATA_FLAGS) == EXT4_MOUNT_JOURNAL_DATA) @@ -4829,7 +4829,9 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) ext4_msg(sb, KERN_ERR, "VFS: Can't find ext4 filesystem"); goto failed_mount;
-failed_mount8: +failed_mount10: + ext4_quota_off_umount(sb); +failed_mount8: __maybe_unused ext4_unregister_sysfs(sb); kobject_put(&sbi->s_kobj); failed_mount7:
-
Yongqiang Liu