Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp855127pxk; Thu, 17 Sep 2020 19:12:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx6SBlZXyPz/xs54+1q8FF6A1D7AOo4N8CTgj5rP/vBgNLBPn6+V37D/5Jc4df46Mmdr7Xt X-Received: by 2002:a50:9fe6:: with SMTP id c93mr35995970edf.151.1600395146879; Thu, 17 Sep 2020 19:12:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600395146; cv=none; d=google.com; s=arc-20160816; b=sejDvYWiYNFxWavAGf4J7kVY1t3T5Y039Uel1m4RibzAu3QC5EQ7I/i/Dm1bKeBFm8 kR6hyBMmMEn4GzymVFSXcXxlX88jHOgRA98BCzKqWzc3rQY83abmI/d3oKhtzOgyLB4I Ll3QluvPxSLtk3r/Tu3/iisuryjJWPayKcIt2hsuYSDkZDtzaaavdpfaIJ9K1djMQXXk BXNdS1NZYVY3aeSc06kXpgqxiWvPqqC3REjdnXfW2A/CVJ3ZMpy6YAaPVv70xgVNEM40 QGglunCMa/QjuvvzM3G8fBnWE3i9kX1XubCCQ5huBMyZPNYRLDIlTIM+DrNgysx97ekE /XpQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=Ysvw2L3DbY/9T3mNJ9VHLnUl5k2/S4FaIwKJ/lT552Q=; b=hMI6tSR74Wt0/9b6mQ44TEt3UGuz+VjFsWoM82kTNQRCVHON8vevVjhhyToNQa9pl1 HKeiflK5kmzcNl4PYOjABCUCEGqPdVr6yvUb/NDpRWm8Rv/5FA91bskk6gPvysmCq6L3 nsLcLsX2l8WDlOMSV4IXsKlftRrIPpbEKgRQLauApPUwjb+WHjCYiCfETdAx2oDD1vi1 UC5mu2AgaHghA42mRHClCH6upU0HUnydyu9IpGcGn1+Z7kYJTcF5t2JIVdDawZsMSaZy oE3e8C+7QFfvzGW7Hihm27DEDXcdmHZYkEwzlh1FzOkvhF4/NRKmV4F7kVkJwS0iSXQt xclw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=WBdqbFc1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id jp7si1153773ejb.742.2020.09.17.19.12.03; Thu, 17 Sep 2020 19:12:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=WBdqbFc1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728033AbgIRCIC (ORCPT + 99 others); Thu, 17 Sep 2020 22:08:02 -0400 Received: from mail.kernel.org ([198.145.29.99]:58444 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727994AbgIRCHs (ORCPT ); Thu, 17 Sep 2020 22:07:48 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 35B3B23770; Fri, 18 Sep 2020 02:07:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1600394868; bh=Ys4BXVQKu1BJf2pHka02imQW3nBiwA2HiB/Nyx5Sucg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WBdqbFc1Ru9cGu1dijvY+bbvSiavp8g4isAcft4O0qViO5BilFkrVwIaOadQSfcpq fde6Ri6cFjBiFBtdg/xkw9TR9NXCh9AlNPPL36onpeb0qCDGDvMurzbf35DGkJ29To KiX2E0WUbC9+rSkprP8ELGq3oiCyuKWVOA5HjBaE= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Qu Wenruo , Josef Bacik , David Sterba , Sasha Levin , linux-btrfs@vger.kernel.org Subject: [PATCH AUTOSEL 5.4 320/330] btrfs: qgroup: fix data leak caused by race between writeback and truncate Date: Thu, 17 Sep 2020 22:01:00 -0400 Message-Id: <20200918020110.2063155-320-sashal@kernel.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200918020110.2063155-1-sashal@kernel.org> References: <20200918020110.2063155-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Qu Wenruo [ Upstream commit fa91e4aa1716004ea8096d5185ec0451e206aea0 ] [BUG] When running tests like generic/013 on test device with btrfs quota enabled, it can normally lead to data leak, detected at unmount time: BTRFS warning (device dm-3): qgroup 0/5 has unreleased space, type 0 rsv 4096 ------------[ cut here ]------------ WARNING: CPU: 11 PID: 16386 at fs/btrfs/disk-io.c:4142 close_ctree+0x1dc/0x323 [btrfs] RIP: 0010:close_ctree+0x1dc/0x323 [btrfs] Call Trace: btrfs_put_super+0x15/0x17 [btrfs] generic_shutdown_super+0x72/0x110 kill_anon_super+0x18/0x30 btrfs_kill_super+0x17/0x30 [btrfs] deactivate_locked_super+0x3b/0xa0 deactivate_super+0x40/0x50 cleanup_mnt+0x135/0x190 __cleanup_mnt+0x12/0x20 task_work_run+0x64/0xb0 __prepare_exit_to_usermode+0x1bc/0x1c0 __syscall_return_slowpath+0x47/0x230 do_syscall_64+0x64/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 ---[ end trace caf08beafeca2392 ]--- BTRFS error (device dm-3): qgroup reserved space leaked [CAUSE] In the offending case, the offending operations are: 2/6: writev f2X[269 1 0 0 0 0] [1006997,67,288] 0 2/7: truncate f2X[269 1 0 0 48 1026293] 18388 0 The following sequence of events could happen after the writev(): CPU1 (writeback) | CPU2 (truncate) ----------------------------------------------------------------- btrfs_writepages() | |- extent_write_cache_pages() | |- Got page for 1003520 | | 1003520 is Dirty, no writeback | | So (!clear_page_dirty_for_io()) | | gets called for it | |- Now page 1003520 is Clean. | | | btrfs_setattr() | | |- btrfs_setsize() | | |- truncate_setsize() | | New i_size is 18388 |- __extent_writepage() | | |- page_offset() > i_size | |- btrfs_invalidatepage() | |- Page is clean, so no qgroup | callback executed This means, the qgroup reserved data space is not properly released in btrfs_invalidatepage() as the page is Clean. [FIX] Instead of checking the dirty bit of a page, call btrfs_qgroup_free_data() unconditionally in btrfs_invalidatepage(). As qgroup rsv are completely bound to the QGROUP_RESERVED bit of io_tree, not bound to page status, thus we won't cause double freeing anyway. Fixes: 0b34c261e235 ("btrfs: qgroup: Prevent qgroup->reserved from going subzero") CC: stable@vger.kernel.org # 4.14+ Reviewed-by: Josef Bacik Signed-off-by: Qu Wenruo Signed-off-by: David Sterba Signed-off-by: Sasha Levin --- fs/btrfs/inode.c | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index e9787b7b943a2..182e93a5b11d5 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9044,20 +9044,17 @@ again: /* * Qgroup reserved space handler * Page here will be either - * 1) Already written to disk - * In this case, its reserved space is released from data rsv map - * and will be freed by delayed_ref handler finally. - * So even we call qgroup_free_data(), it won't decrease reserved - * space. - * 2) Not written to disk - * This means the reserved space should be freed here. However, - * if a truncate invalidates the page (by clearing PageDirty) - * and the page is accounted for while allocating extent - * in btrfs_check_data_free_space() we let delayed_ref to - * free the entire extent. + * 1) Already written to disk or ordered extent already submitted + * Then its QGROUP_RESERVED bit in io_tree is already cleaned. + * Qgroup will be handled by its qgroup_record then. + * btrfs_qgroup_free_data() call will do nothing here. + * + * 2) Not written to disk yet + * Then btrfs_qgroup_free_data() call will clear the QGROUP_RESERVED + * bit of its io_tree, and free the qgroup reserved data space. + * Since the IO will never happen for this page. */ - if (PageDirty(page)) - btrfs_qgroup_free_data(inode, NULL, page_start, PAGE_SIZE); + btrfs_qgroup_free_data(inode, NULL, page_start, PAGE_SIZE); if (!inode_evicting) { clear_extent_bit(tree, page_start, page_end, EXTENT_LOCKED | EXTENT_DELALLOC | EXTENT_DELALLOC_NEW | -- 2.25.1