authorQu Wenruo <wqu@suse.com>2019-10-04 09:51:29 +0800
committerQu Wenruo <wqu@suse.com>2019-10-04 09:51:29 +0800
commitdd30f5543b46b14398830e9ce8a5c3349fc57545 (patch)
tree1b21eaf883ad8e860e402c0c160be0ee238bea87
parentc3a25871e08daf4cf90535f50fabc8254bd9da51 (diff)
btrfs: qgroup: Fix reserved data space leak if we have multiple
reserve calls (bsc#1152975).
-rw-r--r--patches.suse/0002-btrfs-qgroup-Fix-reserved-data-space-leak-if-we-have.patch90
-rw-r--r--series.conf1
2 files changed, 91 insertions, 0 deletions
diff --git a/patches.suse/0002-btrfs-qgroup-Fix-reserved-data-space-leak-if-we-have.patch b/patches.suse/0002-btrfs-qgroup-Fix-reserved-data-space-leak-if-we-have.patch
new file mode 100644
index 0000000000..cba19a4188
--- /dev/null
+++ b/patches.suse/0002-btrfs-qgroup-Fix-reserved-data-space-leak-if-we-have.patch
@@ -0,0 +1,90 @@
+From d4e204948fe3e0dc8e1fbf3f8f3290c9c2823be3 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Mon, 16 Sep 2019 20:02:39 +0800
+Patch-mainline: v5.4-rc1
+Git-commit: d4e204948fe3e0dc8e1fbf3f8f3290c9c2823be3
+References: bsc#1152975
+Subject: [PATCH 2/2] btrfs: qgroup: Fix reserved data space leak if we have
+ multiple reserve calls
+
+[BUG]
+The following script can cause btrfs qgroup data space leak:
+
+ mkfs.btrfs -f $dev
+ mount $dev -o nospace_cache $mnt
+
+ btrfs subv create $mnt/subv
+ btrfs quota en $mnt
+ btrfs quota rescan -w $mnt
+ btrfs qgroup limit 128m $mnt/subv
+
+ for (( i = 0; i < 3; i++)); do
+ # Create 3 64M holes for latter fallocate to fail
+ truncate -s 192m $mnt/subv/file
+ xfs_io -c "pwrite 64m 4k" $mnt/subv/file > /dev/null
+ xfs_io -c "pwrite 128m 4k" $mnt/subv/file > /dev/null
+ sync
+
+ # it's supposed to fail, and each failure will leak at least 64M
+ # data space
+ xfs_io -f -c "falloc 0 192m" $mnt/subv/file &> /dev/null
+ rm $mnt/subv/file
+ sync
+ done
+
+ # Shouldn't fail after we removed the file
+ xfs_io -f -c "falloc 0 64m" $mnt/subv/file
+
+[CAUSE]
+Btrfs qgroup data reserve code allow multiple reservations to happen on
+a single extent_changeset:
+E.g:
+ btrfs_qgroup_reserve_data(inode, &data_reserved, 0, SZ_1M);
+ btrfs_qgroup_reserve_data(inode, &data_reserved, SZ_1M, SZ_2M);
+ btrfs_qgroup_reserve_data(inode, &data_reserved, 0, SZ_4M);
+
+Btrfs qgroup code has its internal tracking to make sure we don't
+double-reserve in above example.
+
+The only pattern utilizing this feature is in the main while loop of
+btrfs_fallocate() function.
+
+However btrfs_qgroup_reserve_data()'s error handling has a bug in that
+on error it clears all ranges in the io_tree with EXTENT_QGROUP_RESERVED
+flag but doesn't free previously reserved bytes.
+
+This bug has a two fold effect:
+- Clearing EXTENT_QGROUP_RESERVED ranges
+ This is the correct behavior, but it prevents
+ btrfs_qgroup_check_reserved_leak() to catch the leakage as the
+ detector is purely EXTENT_QGROUP_RESERVED flag based.
+
+- Leak the previously reserved data bytes.
+
+The bug manifests when N calls to btrfs_qgroup_reserve_data are made and
+the last one fails, leaking space reserved in the previous ones.
+
+[FIX]
+Also free previously reserved data bytes when btrfs_qgroup_reserve_data
+fails.
+
+Fixes: 524725537023 ("btrfs: qgroup: Introduce btrfs_qgroup_reserve_data function")
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/qgroup.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -3376,6 +3376,9 @@ cleanup:
+ clear_extent_bit(&BTRFS_I(inode)->io_tree, unode->val,
+ unode->aux, EXTENT_QGROUP_RESERVED, 0, 0, NULL,
+ GFP_NOFS);
++ /* Also free data bytes of already reserved one */
++ btrfs_qgroup_free_refroot(root->fs_info, root->root_key.objectid,
++ orig_reserved, BTRFS_QGROUP_RSV_DATA);
+ extent_changeset_release(reserved);
+ return ret;
+ }
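Review bot: The comment added at the `cleanup:` label, `/* Also free data bytes of already reserved one */`, does not say why an explicit free is needed here, which makes the call easy to drop or move in a later cleanup. The `clear_extent_bit()` call just above removes EXTENT_QGROUP_RESERVED from the ranges it is given, and per the commit message the leak detector relies only on that flag, so it cannot report these bytes once the flag is gone. I would word the comment as `/* The ranges above just lost EXTENT_QGROUP_RESERVED, so the flag-based leak check cannot see them; return the bytes reserved by earlier calls on this changeset here. */`. `orig_reserved` and `root` are assigned outside the hunk, as the function starts before it. It is worth confirming that `orig_reserved` counts only bytes from earlier successful calls and excludes the failing one, otherwise the qgroup counter would drop by bytes that were never reserved.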
diff --git a/series.conf b/series.conf
index efbf395723..7b2be1b8fc 100644
--- a/series.conf
+++ b/series.conf
@@ -24651,6 +24651,7 @@
patches.suse/suse-hv-PCI-hv-Detect-and-fix-Hyper-V-PCI-domain-number-coll.patch
patches.suse/0001-btrfs-relocation-fix-use-after-free-on-dead-relocati.patch
patches.suse/0001-btrfs-qgroup-Fix-the-wrong-target-io_tree-when-freei.patch
+ patches.suse/0002-btrfs-qgroup-Fix-reserved-data-space-leak-if-we-have.patch
# jejb/scsi for-next
patches.suse/scsi-qla2xxx-Fix-Nport-ID-display-value.patch