| Message ID | 20221115171709.3774614-4-chenxiaosong2@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | btrfs: fix sleep from invalid context bug in update_qgroup_limit_item() | expand |
在 2022/11/16 1:17, ChenXiaoSong 写道: > @@ -2987,6 +2986,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, > dstgroup->max_excl = srcgroup->max_excl; > dstgroup->rsv_rfer = srcgroup->rsv_rfer; > dstgroup->rsv_excl = srcgroup->rsv_excl; > + update_limit = false; > > qgroup_dirty(fs_info, dstgroup); > qgroup_dirty(fs_info, srcgroup); No need to call update_qgroup_limit_item() when condition "if (srcid)" is true according to Qu Wenruo's suggestions, btrfs_run_qgroups() will update the quota tree to reflect the result after calling qgroup_dirty().
On 2022/11/16 01:17, ChenXiaoSong wrote: > Syzkaller reported BUG as follows: > > BUG: sleeping function called from invalid context at > include/linux/sched/mm.h:274 > Call Trace: > <TASK> > dump_stack_lvl+0xcd/0x134 > __might_resched.cold+0x222/0x26b > kmem_cache_alloc+0x2e7/0x3c0 > update_qgroup_limit_item+0xe1/0x390 > btrfs_qgroup_inherit+0x147b/0x1ee0 > create_subvol+0x4eb/0x1710 > btrfs_mksubvol+0xfe5/0x13f0 > __btrfs_ioctl_snap_create+0x2b0/0x430 > btrfs_ioctl_snap_create_v2+0x25a/0x520 > btrfs_ioctl+0x2a1c/0x5ce0 > __x64_sys_ioctl+0x193/0x200 > do_syscall_64+0x35/0x80 > > Fix this by delaying the limit item updates until unlock the spin lock. > > Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com> > --- > fs/btrfs/qgroup.c | 13 +++++++++---- > 1 file changed, 9 insertions(+), 4 deletions(-) > > diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c > index ca609a70d067..f84507ca3b99 100644 > --- a/fs/btrfs/qgroup.c > +++ b/fs/btrfs/qgroup.c > @@ -2867,6 +2867,8 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, > bool need_rescan = false; > u32 level_size = 0; > u64 nums; > + bool update_limit = false; > + int err; > > /* > * There are only two callers of this function. > @@ -2957,10 +2959,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, > dstgroup->max_excl = inherit->lim.max_excl; > dstgroup->rsv_rfer = inherit->lim.rsv_rfer; > dstgroup->rsv_excl = inherit->lim.rsv_excl; > - > - ret = btrfs_update_quoto_limit(trans, dstgroup, fs_info); > - if (ret) > - goto unlock; > + update_limit = true; Nope, just call qgroup_dirty() for @dstgroup. Thanks, Qu > } > > if (srcid) { > @@ -2987,6 +2986,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, > dstgroup->max_excl = srcgroup->max_excl; > dstgroup->rsv_rfer = srcgroup->rsv_rfer; > dstgroup->rsv_excl = srcgroup->rsv_excl; > + update_limit = false; > > qgroup_dirty(fs_info, dstgroup); > qgroup_dirty(fs_info, srcgroup); > @@ -3055,6 +3055,11 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, > > unlock: > spin_unlock(&fs_info->qgroup_lock); > + if (update_limit) { > + err = btrfs_update_quoto_limit(trans, dstgroup, fs_info); > + if (err) > + ret = err; > + } > if (!ret) > ret = btrfs_sysfs_add_one_qgroup(fs_info, dstgroup); > out:
diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c index ca609a70d067..f84507ca3b99 100644 --- a/fs/btrfs/qgroup.c +++ b/fs/btrfs/qgroup.c @@ -2867,6 +2867,8 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, bool need_rescan = false; u32 level_size = 0; u64 nums; + bool update_limit = false; + int err; /* * There are only two callers of this function. @@ -2957,10 +2959,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, dstgroup->max_excl = inherit->lim.max_excl; dstgroup->rsv_rfer = inherit->lim.rsv_rfer; dstgroup->rsv_excl = inherit->lim.rsv_excl; - - ret = btrfs_update_quoto_limit(trans, dstgroup, fs_info); - if (ret) - goto unlock; + update_limit = true; } if (srcid) { @@ -2987,6 +2986,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, dstgroup->max_excl = srcgroup->max_excl; dstgroup->rsv_rfer = srcgroup->rsv_rfer; dstgroup->rsv_excl = srcgroup->rsv_excl; + update_limit = false; qgroup_dirty(fs_info, dstgroup); qgroup_dirty(fs_info, srcgroup); @@ -3055,6 +3055,11 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, unlock: spin_unlock(&fs_info->qgroup_lock); + if (update_limit) { + err = btrfs_update_quoto_limit(trans, dstgroup, fs_info); + if (err) + ret = err; + } if (!ret) ret = btrfs_sysfs_add_one_qgroup(fs_info, dstgroup); out:
Syzkaller reported BUG as follows: BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274 Call Trace: <TASK> dump_stack_lvl+0xcd/0x134 __might_resched.cold+0x222/0x26b kmem_cache_alloc+0x2e7/0x3c0 update_qgroup_limit_item+0xe1/0x390 btrfs_qgroup_inherit+0x147b/0x1ee0 create_subvol+0x4eb/0x1710 btrfs_mksubvol+0xfe5/0x13f0 __btrfs_ioctl_snap_create+0x2b0/0x430 btrfs_ioctl_snap_create_v2+0x25a/0x520 btrfs_ioctl+0x2a1c/0x5ce0 __x64_sys_ioctl+0x193/0x200 do_syscall_64+0x35/0x80 Fix this by delaying the limit item updates until unlock the spin lock. Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com> --- fs/btrfs/qgroup.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-)