Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp5506880rwd; Mon, 5 Jun 2023 04:54:00 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7iKfzG7Jnl9qj7tFe2kJd5Oc7zqzbEuxnZUimIV7yJKe04NrHpIVhunBzOO0ZgzS5sjz0l X-Received: by 2002:a17:90a:f40e:b0:256:82c0:8120 with SMTP id ch14-20020a17090af40e00b0025682c08120mr3540647pjb.13.1685966040352; Mon, 05 Jun 2023 04:54:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1685966040; cv=none; d=google.com; s=arc-20160816; b=0z7Cnq0xDDoE/zwxIOkgBChdqpOhLWmv+VsXaSVKd1N0rwVjX5mPjxPvMnwVaoAkip s7KWDT7ki702DwdhFMHM139b3ll0h2O48IyUsRjEWD3k2VI+h4LFrmAT/bFzR4Ij3D1K VdMtXoldQcrCqI/pru+hv7E6jBf0icubSbnZm9cT0TEUYR4YUOjFycWtvwwdrfHdTdRV BLkqVJhgIS2xs+waTET6cXzNhEcSt8LVbV0ngOwYA7EzzXIhkjkY8HYTrDbqxNjmsZ3A gC3fdum7gsLk9iwnxMg0lN67FLj9Z7yoj1aE+VnEq/HXxWMxX2C1As8FKVghvpYD4nis WYaw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature :dkim-signature; bh=mWXI6wt2+qrPxokyP3MIOhyYU83+GbflH+z5Ur+r09w=; b=J2vFr9mxSgCPBXn0KWz7IO7ZDU87PJpJFwQVLZr9elEbEqvqbP/Gt3IZ1KdDBtM7iy 891BIfZwNf2U/75+p6aRIE2OVCAKfIVb/tF4+W70XRt47IEKj1hFR4yvbMOzVOmOjCJO OCIBFA99qKtjyC+54g0B/fWif2zLL6Ld4oKjL5BPK3eb9/i3Tm9LPz6VZ7vEc45lZq32 fkjjWpvnShjmfdxuMrCfgDWhZBKFdJNM24PQwZifUOJbbXkOespxFAOzwO2VAfizBJFR EevCzjbnW+w7wXNmIMej/ECVOKkKfXjoC/oiu/Fqvb3cUHFaSEuqrIvmxmEESxmnlsxz utvw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b="C/x8MXiG"; dkim=neutral (no key) header.i=@suse.cz header.b=2REczRNi; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id d24-20020a17090ac25800b0024e1138cd9dsi5391763pjx.157.2023.06.05.04.53.44; Mon, 05 Jun 2023 04:54:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b="C/x8MXiG"; dkim=neutral (no key) header.i=@suse.cz header.b=2REczRNi; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230096AbjFELvs (ORCPT + 99 others); Mon, 5 Jun 2023 07:51:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33346 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231294AbjFELvr (ORCPT ); Mon, 5 Jun 2023 07:51:47 -0400 Received: from smtp-out1.suse.de (smtp-out1.suse.de [IPv6:2001:67c:2178:6::1c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A7F1FA4 for ; Mon, 5 Jun 2023 04:51:45 -0700 (PDT) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 444A921B39; Mon, 5 Jun 2023 11:51:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1685965904; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=mWXI6wt2+qrPxokyP3MIOhyYU83+GbflH+z5Ur+r09w=; b=C/x8MXiGoGdezEmbhVM5AWo590QdfJNC5rTKr+zfYsF9rfvPLXtE6K0Fwe7fuA6FDqOH88 wEeK8VdNj0w96RJNBl9kS/LQp4CkoHZbHhnFFp2c77m7X12lrvd1xfyHHBvaaSNRpKTedA Z0R5Il8RK59dy7h82UV0kLIpyfnUPNo= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1685965904; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=mWXI6wt2+qrPxokyP3MIOhyYU83+GbflH+z5Ur+r09w=; b=2REczRNi2OWX+1b576rp1is0Me8n12Y9vz+gzjxxrOTn3wr9Bk6yE0Ap+imxk3rc5xu78u 0EALgkNZAi95Y6Bw== Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 37DA8139C7; Mon, 5 Jun 2023 11:51:44 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id wfySDVDMfWTWegAAMHmgww (envelope-from ); Mon, 05 Jun 2023 11:51:44 +0000 Received: by quack3.suse.cz (Postfix, from userid 1000) id C5F4CA0754; Mon, 5 Jun 2023 13:51:43 +0200 (CEST) Date: Mon, 5 Jun 2023 13:51:43 +0200 From: Jan Kara To: "yebin (H)" Cc: Jan Kara , jack@suse.com, linux-kernel@vger.kernel.org, syzbot+e633c79ceaecbf479854@syzkaller.appspotmail.com Subject: Re: [PATCH 1/2] quota: fix null-ptr-deref in ext4_acquire_dquot() Message-ID: <20230605115143.i3squdbqmqebu5ue@quack3> References: <20230527014018.47396-1-yebin10@huawei.com> <20230527014018.47396-2-yebin10@huawei.com> <20230530095726.t2grmww5rzofx5gp@quack3> <647ADA33.5010508@huawei.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="m5qv73rr3afoouf3" Content-Disposition: inline In-Reply-To: <647ADA33.5010508@huawei.com> X-Spam-Status: No, score=-3.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_SOFTFAIL,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --m5qv73rr3afoouf3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Sat 03-06-23 14:14:11, yebin (H) wrote: > > > On 2023/5/30 17:57, Jan Kara wrote: > > On Sat 27-05-23 09:40:17, Ye Bin wrote: > > > Syzbot found the following issue: > > > Unable to handle kernel paging request at virtual address dfff800000000005 > > > KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] > > ... > > > CPU: 0 PID: 6080 Comm: syz-executor747 Not tainted 6.3.0-rc7-syzkaller-g14f8db1c0f9a #0 > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 > > > pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) > > > pc : ext4_acquire_dquot+0x1d4/0x398 fs/ext4/super.c:6766 > > > lr : dquot_to_inode fs/ext4/super.c:6740 [inline] > > > lr : ext4_acquire_dquot+0x1ac/0x398 fs/ext4/super.c:6766 > > OK, this is bad... > > > > > Above issue may happens as follows: > > > ProcessA ProcessB ProcessC > > > sys_fsconfig > > > vfs_fsconfig_locked > > > reconfigure_super > > > ext4_remount > > > dquot_suspend -> suspend all type quota > > > > > > sys_fsconfig > > > vfs_fsconfig_locked > > > reconfigure_super > > > ext4_remount > > > dquot_resume > > > ret = dquot_load_quota_sb > > > add_dquot_ref > > > do_open -> open file O_RDWR > > > vfs_open > > > do_dentry_open > > > get_write_access > > > atomic_inc_unless_negative(&inode->i_writecount) > > > ext4_file_open > > > dquot_file_open > > > dquot_initialize > > > __dquot_initialize > > > dqget > > > if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) > > > > > > __dquot_initialize > > > __dquot_initialize > > > dqget > > > if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) > > > ext4_acquire_dquot -> Return error > > > if (ret < 0) > > > vfs_cleanup_quota_inode > > > dqopt->files[type] = NULL; > > But I don't see how this can happen. The code in dquot_load_quota_sb() > > looks like: > > > > error = add_dquot_ref(sb, type); > > if (error) > > dquot_disable(sb, type, flags); > > > > So if an error happens in add_dquot_ref(), we'll call dquot_disable(). > > dquot_disable() then does: > > > > drop_dquot_ref(sb, cnt); > > invalidate_dquots(sb, cnt); > > > > and invalidate_dquots() waits for reference count of all dquots to drop to > > 0. Hence if dqget() returned a dquot pointer to ProcessC, then ProcessB > > should wait until ProcessC drops the dquot reference (hence > > ext4_acquire_dquot() is done). > > > > What am I missing? > > > > Honza > My reproduction condition is: > mkfs.ext4 -F /dev/sda > tune2fs -Q usrquota /dev/sda > > dquot_disable > ... > if ((flags & DQUOT_USAGE_ENABLED && !(flags & > DQUOT_LIMITS_ENABLED)) > || (flags & DQUOT_SUSPENDED && flags & (DQUOT_LIMITS_ENABLED | > DQUOT_USAGE_ENABLED))) > return -EINVAL; > ... > If without enable DQUOT_LIMITS_ENABLED dquot_disable() will just return > -EINVAL. Aha, that is the bug! Does attached patch fix your problem? Honza -- Jan Kara SUSE Labs, CR --m5qv73rr3afoouf3 Content-Type: text/x-patch; charset=us-ascii Content-Disposition: attachment; filename="0001-quota-Properly-disable-quotas-when-add_dquot_ref-fai.patch" From 2bb758bff7f9c92a25af7156cdeedc1f39201eba Mon Sep 17 00:00:00 2001 From: Jan Kara Date: Mon, 5 Jun 2023 13:39:28 +0200 Subject: [PATCH] quota: Properly disable quotas when add_dquot_ref() fails When add_dquot_ref() fails (usually due to IO error or ENOMEM), we want to disable quotas we are trying to enable. However dquot_disable() call was passed just the flags we are enabling so in case flags == DQUOT_USAGE_ENABLED dquot_disable() call will just fail with EINVAL instead of properly disabling quotas. Fix the problem by always passing DQUOT_LIMITS_ENABLED | DQUOT_USAGE_ENABLED to dquot_disable() in this case. Reported-by: Ye Bin Reported-by: syzbot+e633c79ceaecbf479854@syzkaller.appspotmail.com Signed-off-by: Jan Kara --- fs/quota/dquot.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c index 226eb3cba1fb..e42cf387fa78 100644 --- a/fs/quota/dquot.c +++ b/fs/quota/dquot.c @@ -2409,7 +2409,8 @@ int dquot_load_quota_sb(struct super_block *sb, int type, int format_id, error = add_dquot_ref(sb, type); if (error) - dquot_disable(sb, type, flags); + dquot_disable(sb, type, + DQUOT_USAGE_ENABLED | DQUOT_LIMITS_ENABLED); return error; out_fmt: -- 2.35.3 --m5qv73rr3afoouf3--