Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp248599ybi; Wed, 29 May 2019 20:36:50 -0700 (PDT) X-Google-Smtp-Source: APXvYqyQyyBgHmHqOrY3Hvt8J96LxDWKeM9WwNTeZgn6lc0awvOYzkLAyXGB7WqzZmu8yWpdPmuY X-Received: by 2002:a63:470e:: with SMTP id u14mr1676837pga.135.1559187410095; Wed, 29 May 2019 20:36:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559187410; cv=none; d=google.com; s=arc-20160816; b=vPYEgUzTU3cRgAggo7uxtIBE3ur+iq+U+XIfcBJY81nfMjrgJCKbu+B+mCF5yOpB62 MJdlommJWHPEeQIVDnUOuOkyjSYPtRT3oXCpWcg79CyLnYtK66O+FG1+w2XOLYYZXH86 QoebVeMRFRXQZRmDgsmCOXulq/Ch/kPg7TTzkycSF9xP/QLfwpfPFy4plE8Qzdpd6oEE 4HgIDI49pwnfcLDK5u+yOZopn1m78KCUnKK9kIzTB9Pvzm5qt+JX7W2mMFz3ojJH5G4T aEipudoCDQH7AeNSWHbb3DUZNrRIQ8xxlEpG0f+MQcJ5Ezup+j6Pda/3tLe8gjCAeAeN fVDQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=CpBMqGskAkuxeDMWSqXRkZSMV1ZCJHn/g+oQ26cNI3g=; b=jSzkcA2zRw5ZBhUtz8Uo8SbEmJIx6397UylMSJ0uFxN92i+uFJYUkkuudanIpi1QJn Wdw/sjkE6m2+LcyN6CRcaYljHx2j7mQg8GtXnm/CozMicYPSkg/jqYZoOXHOgECLArDQ YWtYfH5tbJAGOIru/OBNKYGo24EQACrJCKiVOksAwqaJAcqUzdrxHCgNKGRPpv6aumLF DdqFtoKBrW2BKgQBg2+LXg6inZRkD83HDg2g5uOrSZ2u/52TJ0dMG1Z7vxj5ABkvWmQR 3YN4m8w9ru4oLmH3ijwCoVmGhdCXw4PmR9U9sfH3icbUJBe1Bn7YEGHBGaO8lp3XO/8Q efkg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=L7yN6uWn; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c3si1858516pgm.568.2019.05.29.20.36.33; Wed, 29 May 2019 20:36:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=L7yN6uWn; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733266AbfE3D0d (ORCPT + 99 others); Wed, 29 May 2019 23:26:33 -0400 Received: from mail.kernel.org ([198.145.29.99]:53140 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731754AbfE3DS5 (ORCPT ); Wed, 29 May 2019 23:18:57 -0400 Received: from localhost (ip67-88-213-2.z213-88-67.customer.algx.net [67.88.213.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id BB57724814; Thu, 30 May 2019 03:18:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1559186336; bh=h5PVYRuniRZJ0/n0iOpYilvo2GmxHdFIE+EpkaXm9YM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=L7yN6uWnvcTiAHtrQb7YQ93IrKhQgDatXsAbARkId5YvyFk08tHMk69pGw76dexds 98+SiXZmfX0vSPm0mF5MIHJVzvRu5O5sTKgKbdXYTz6YbwxEa1md8aWzebsGhy2KKf q7AHvtt3RGr1DlxiyDTeHL+gQrblZUo+N56U8WjM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Filipe Manana , Robbie Ko , David Sterba , Sasha Levin Subject: [PATCH 4.14 059/193] Btrfs: fix data bytes_may_use underflow with fallocate due to failed quota reserve Date: Wed, 29 May 2019 20:05:13 -0700 Message-Id: <20190530030457.743362179@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190530030446.953835040@linuxfoundation.org> References: <20190530030446.953835040@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [ Upstream commit 39ad317315887c2cb9a4347a93a8859326ddf136 ] When doing fallocate, we first add the range to the reserve_list and then reserve the quota. If quota reservation fails, we'll release all reserved parts of reserve_list. However, cur_offset is not updated to indicate that this range is already been inserted into the list. Therefore, the same range is freed twice. Once at list_for_each_entry loop, and once at the end of the function. This will result in WARN_ON on bytes_may_use when we free the remaining space. At the end, under the 'out' label we have a call to: btrfs_free_reserved_data_space(inode, data_reserved, alloc_start, alloc_end - cur_offset); The start offset, third argument, should be cur_offset. Everything from alloc_start to cur_offset was freed by the list_for_each_entry_safe_loop. Fixes: 18513091af94 ("btrfs: update btrfs_space_info's bytes_may_use timely") Reviewed-by: Filipe Manana Signed-off-by: Robbie Ko Signed-off-by: David Sterba Signed-off-by: Sasha Levin --- fs/btrfs/file.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c index 821001138c296..97958ecaeed9d 100644 --- a/fs/btrfs/file.c +++ b/fs/btrfs/file.c @@ -2976,6 +2976,7 @@ static long btrfs_fallocate(struct file *file, int mode, ret = btrfs_qgroup_reserve_data(inode, &data_reserved, cur_offset, last_byte - cur_offset); if (ret < 0) { + cur_offset = last_byte; free_extent_map(em); break; } @@ -3046,7 +3047,7 @@ static long btrfs_fallocate(struct file *file, int mode, /* Let go of our reservation. */ if (ret != 0) btrfs_free_reserved_data_space(inode, data_reserved, - alloc_start, alloc_end - cur_offset); + cur_offset, alloc_end - cur_offset); extent_changeset_free(data_reserved); return ret; } -- 2.20.1