Date: Tue, 30 May 2023 11:57:26 +0200
From: Jan Kara
To: Ye Bin
Cc: jack@suse.com, linux-kernel@vger.kernel.org, syzbot+e633c79ceaecbf479854@syzkaller.appspotmail.com
Subject: Re: [PATCH 1/2] quota: fix null-ptr-deref in ext4_acquire_dquot()
Message-ID: <20230530095726.t2grmww5rzofx5gp@quack3>
References: <20230527014018.47396-1-yebin10@huawei.com> <20230527014018.47396-2-yebin10@huawei.com>
In-Reply-To: <20230527014018.47396-2-yebin10@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat 27-05-23 09:40:17, Ye Bin wrote:
> Syzbot found the following issue:
> Unable to handle kernel paging request at virtual address dfff800000000005
> KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
...
> CPU: 0 PID: 6080 Comm: syz-executor747 Not tainted 6.3.0-rc7-syzkaller-g14f8db1c0f9a #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : ext4_acquire_dquot+0x1d4/0x398 fs/ext4/super.c:6766
> lr : dquot_to_inode fs/ext4/super.c:6740 [inline]
> lr : ext4_acquire_dquot+0x1ac/0x398 fs/ext4/super.c:6766

OK, this is bad...
> Above issue may happen as follows:
> ProcessA                ProcessB                  ProcessC
> sys_fsconfig
>  vfs_fsconfig_locked
>   reconfigure_super
>    ext4_remount
>     dquot_suspend -> suspend all type quota
>
>                         sys_fsconfig
>                          vfs_fsconfig_locked
>                           reconfigure_super
>                            ext4_remount
>                             dquot_resume
>                              ret = dquot_load_quota_sb
>                               add_dquot_ref
>                                                    do_open -> open file O_RDWR
>                                                     vfs_open
>                                                      do_dentry_open
>                                                       get_write_access
>                                                        atomic_inc_unless_negative(&inode->i_writecount)
>                                                       ext4_file_open
>                                                        dquot_file_open
>                                                         dquot_initialize
>                                                          __dquot_initialize
>                                                           dqget
>                                                            if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags))
>
>                                __dquot_initialize
>                                 __dquot_initialize
>                                  dqget
>                                   if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags))
>                                    ext4_acquire_dquot -> Return error
>                                if (ret < 0)
>                                  vfs_cleanup_quota_inode
>                                   dqopt->files[type] = NULL;

But I don't see how this can happen. The code in dquot_load_quota_sb() looks
like:

	error = add_dquot_ref(sb, type);
	if (error)
		dquot_disable(sb, type, flags);

So if an error happens in add_dquot_ref(), we'll call dquot_disable().
dquot_disable() then does:

	drop_dquot_ref(sb, cnt);
	invalidate_dquots(sb, cnt);

and invalidate_dquots() waits for reference count of all dquots to drop to
0. Hence if dqget() returned a dquot pointer to ProcessC, then ProcessB
should wait until ProcessC drops the dquot reference (hence
ext4_acquire_dquot() is done). What am I missing?

								Honza

>                                                            ext4_acquire_dquot
>                                                             -->dquot_to_inode(dquot) is NULL
>
> To solve above issue, if quota has been loaded, there's no need to clean up quota
> inode if dquot_load_quota_sb() returns failure when doing dquot_resume();
>
> Reported-by: syzbot+e633c79ceaecbf479854@syzkaller.appspotmail.com
> Signed-off-by: Ye Bin
> ---
>  fs/quota/dquot.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
> index ffd40dc3e4e9..4b913faa48ec 100644
> --- a/fs/quota/dquot.c
> +++ b/fs/quota/dquot.c
> @@ -2476,7 +2476,7 @@ int dquot_resume(struct super_block *sb, int type) > flags = dquot_generic_flag(flags, cnt); > ret = dquot_load_quota_sb(sb, cnt, dqopt->info[cnt].dqi_fmt_id, > flags); > - if (ret < 0) > + if (ret < 0 && !sb_has_quota_loaded(sb, cnt)) > vfs_cleanup_quota_inode(sb, cnt); > } > > -- > 2.31.1 > -- Jan Kara SUSE Labs, CR
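Review bot: The new condition on the `+ if (ret < 0 && !sb_has_quota_loaded(sb, cnt))` line needs a justification that neither the hunk nor the commit message gives: it keeps the quota inode reference in dqopt->files[cnt] after dquot_load_quota_sb() has reported an error, so either that reference is leaked on a genuine load failure or there is a path on which quota ends up loaded despite the error, and the message should state which. The reply above points out that a failure in add_dquot_ref() goes through dquot_disable(), which waits in invalidate_dquots() for every dquot reference to be dropped before the cleanup runs, so the sequence this change guards against should be re-derived before it is applied; if a real race with a concurrent loader remains, document it in the commit message and perform the check under whatever lock protects dqopt->files[cnt], not as an unlocked test after the call returns.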
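A user-space model, added here and not code from the kernel or from either author, of the reference-count barrier the reply above relies on: dquot_disable() waits in invalidate_dquots() for every dqget() reference to be dropped before vfs_cleanup_quota_inode() clears files[type]. The struct, the model_* helpers and reader_sees_inode() are hypothetical stand-ins; with the wait in place the reader holding a reference never sees NULL, and with it skipped the sequence in the commit message is reproduced.

```c
#define _DEFAULT_SOURCE
#include <pthread.h>
#include <unistd.h>
/* Hypothetical model of one quota type: refs stands for the dquot reference
 * counts, file for dqopt->files[type], the inode dquot_to_inode() returns. */
struct quota_state {
    int refs;
    void *file;
    pthread_mutex_t lock;
    pthread_cond_t no_refs;
};
static int quota_inode;   /* constructed stand-in for the real quota inode */
/* dqget()/dqput(): take or drop a reference; the last drop wakes a waiter */
static void model_dqref(struct quota_state *q, int delta) {
    pthread_mutex_lock(&q->lock);
    q->refs += delta;
    if (q->refs == 0)
        pthread_cond_broadcast(&q->no_refs);
    pthread_mutex_unlock(&q->lock);
}
/* dquot_disable(): invalidate_dquots() waits for refs to drop to 0 before
 * vfs_cleanup_quota_inode() clears files[type]; wait=0 skips that barrier */
static void model_disable(struct quota_state *q, int wait) {
    pthread_mutex_lock(&q->lock);
    while (wait && q->refs > 0)
        pthread_cond_wait(&q->no_refs, &q->lock);
    q->file = NULL;
    pthread_mutex_unlock(&q->lock);
}
static void *disable_thread(void *q) { model_disable(q, 1); return NULL; }
/* ProcessC holds a dqget() reference while ProcessB runs dquot_disable().
 * Returns 1 if ProcessC saw a valid quota inode, 0 if it saw NULL. */
int reader_sees_inode(int with_barrier) {
    struct quota_state q = { 0, &quota_inode, PTHREAD_MUTEX_INITIALIZER,
                             PTHREAD_COND_INITIALIZER };
    pthread_t t; void *seen;
    model_dqref(&q, +1);                          /* ProcessC: dqget() */
    if (with_barrier) {
        pthread_create(&t, NULL, disable_thread, &q); /* ProcessB blocks */
        usleep(20000);                            /* let it reach the wait */
    } else {
        model_disable(&q, 0);                     /* files[] cleared at once */
    }
    seen = q.file;                                /* dquot_to_inode(dquot) */
    model_dqref(&q, -1);                          /* ProcessC: dqput() */
    if (with_barrier)
        pthread_join(t, NULL);                    /* disable finishes now */
    return seen != NULL;
}
```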