| Message ID | 20221116130716.991901-3-chenxiaosong2@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | btrfs: fix sleep from invalid context bug in update_qgroup_limit_item() | expand |
On 2022/11/16 21:07, ChenXiaoSong wrote: > Syzkaller reported BUG as follows: > > BUG: sleeping function called from invalid context at > include/linux/sched/mm.h:274 > Call Trace: > <TASK> > dump_stack_lvl+0xcd/0x134 > __might_resched.cold+0x222/0x26b > kmem_cache_alloc+0x2e7/0x3c0 > update_qgroup_limit_item+0xe1/0x390 > btrfs_qgroup_inherit+0x147b/0x1ee0 > create_subvol+0x4eb/0x1710 > btrfs_mksubvol+0xfe5/0x13f0 > __btrfs_ioctl_snap_create+0x2b0/0x430 > btrfs_ioctl_snap_create_v2+0x25a/0x520 > btrfs_ioctl+0x2a1c/0x5ce0 > __x64_sys_ioctl+0x193/0x200 > do_syscall_64+0x35/0x80 > > Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in > btrfs_run_qgroups() later. > > Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com> > --- > fs/btrfs/qgroup.c | 29 ++++++++++++----------------- > 1 file changed, 12 insertions(+), 17 deletions(-) > > diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c > index 9334c3157c22..8f5c52e24430 100644 > --- a/fs/btrfs/qgroup.c > +++ b/fs/btrfs/qgroup.c > @@ -2860,6 +2860,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, > bool need_rescan = false; > u32 level_size = 0; > u64 nums; > + bool dirty_dstgrp = false; I don't know why you insist on such bool (and the extra lable). I have mentioned how qgroup_dirty() works, it can be called how ever many times, and the qgroup code will handle it without problem. So the whole patch can be just as simple as: diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c index 05e79f7b4433..e0522c6c0d67 100644 --- a/fs/btrfs/qgroup.c +++ b/fs/btrfs/qgroup.c @@ -2965,14 +2965,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, dstgroup->rsv_rfer = inherit->lim.rsv_rfer; dstgroup->rsv_excl = inherit->lim.rsv_excl; - ret = update_qgroup_limit_item(trans, dstgroup); - if (ret) { - qgroup_mark_inconsistent(fs_info); - btrfs_info(fs_info, - "unable to update quota limit for %llu", - dstgroup->qgroupid); - goto unlock; - } + qgroup_dirty(fs_info, dstgroup); } if (srcid) { > > /* > * There are only two callers of this function. > @@ -2941,7 +2942,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, > dstgroup = add_qgroup_rb(fs_info, objectid); > if (IS_ERR(dstgroup)) { > ret = PTR_ERR(dstgroup); > - goto unlock; > + goto dirty; > } > > if (inherit && inherit->flags & BTRFS_QGROUP_INHERIT_SET_LIMITS) { > @@ -2950,21 +2951,13 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, > dstgroup->max_excl = inherit->lim.max_excl; > dstgroup->rsv_rfer = inherit->lim.rsv_rfer; > dstgroup->rsv_excl = inherit->lim.rsv_excl; > - > - ret = update_qgroup_limit_item(trans, dstgroup); > - if (ret) { > - qgroup_mark_inconsistent(fs_info); > - btrfs_info(fs_info, > - "unable to update quota limit for %llu", > - dstgroup->qgroupid); > - goto unlock; > - } > + dirty_dstgrp = true; > } > > if (srcid) { > srcgroup = find_qgroup_rb(fs_info, srcid); > if (!srcgroup) > - goto unlock; > + goto dirty; > > /* > * We call inherit after we clone the root in order to make sure > @@ -2985,20 +2978,20 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, > dstgroup->max_excl = srcgroup->max_excl; > dstgroup->rsv_rfer = srcgroup->rsv_rfer; > dstgroup->rsv_excl = srcgroup->rsv_excl; > + dirty_dstgrp = true; > > - qgroup_dirty(fs_info, dstgroup); > qgroup_dirty(fs_info, srcgroup); > } > > if (!inherit) > - goto unlock; > + goto dirty; > > i_qgroups = (u64 *)(inherit + 1); > for (i = 0; i < inherit->num_qgroups; ++i) { > if (*i_qgroups) { > ret = add_relation_rb(fs_info, objectid, *i_qgroups); > if (ret) > - goto unlock; > + goto dirty; > } > ++i_qgroups; > > @@ -3022,7 +3015,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, > > if (!src || !dst) { > ret = -EINVAL; > - goto unlock; > + goto dirty; > } > > dst->rfer = src->rfer - level_size; > @@ -3043,15 +3036,17 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, > > if (!src || !dst) { > ret = -EINVAL; > - goto unlock; > + goto dirty; > } > > dst->excl = src->excl + level_size; > dst->excl_cmpr = src->excl_cmpr + level_size; > need_rescan = true; > } > +dirty: > + if (dirty_dstgrp) > + qgroup_dirty(fs_info, dstgroup); > > -unlock: > spin_unlock(&fs_info->qgroup_lock); > if (!ret) > ret = btrfs_sysfs_add_one_qgroup(fs_info, dstgroup);
diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c index 9334c3157c22..8f5c52e24430 100644 --- a/fs/btrfs/qgroup.c +++ b/fs/btrfs/qgroup.c @@ -2860,6 +2860,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, bool need_rescan = false; u32 level_size = 0; u64 nums; + bool dirty_dstgrp = false; /* * There are only two callers of this function. @@ -2941,7 +2942,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, dstgroup = add_qgroup_rb(fs_info, objectid); if (IS_ERR(dstgroup)) { ret = PTR_ERR(dstgroup); - goto unlock; + goto dirty; } if (inherit && inherit->flags & BTRFS_QGROUP_INHERIT_SET_LIMITS) { @@ -2950,21 +2951,13 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, dstgroup->max_excl = inherit->lim.max_excl; dstgroup->rsv_rfer = inherit->lim.rsv_rfer; dstgroup->rsv_excl = inherit->lim.rsv_excl; - - ret = update_qgroup_limit_item(trans, dstgroup); - if (ret) { - qgroup_mark_inconsistent(fs_info); - btrfs_info(fs_info, - "unable to update quota limit for %llu", - dstgroup->qgroupid); - goto unlock; - } + dirty_dstgrp = true; } if (srcid) { srcgroup = find_qgroup_rb(fs_info, srcid); if (!srcgroup) - goto unlock; + goto dirty; /* * We call inherit after we clone the root in order to make sure @@ -2985,20 +2978,20 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, dstgroup->max_excl = srcgroup->max_excl; dstgroup->rsv_rfer = srcgroup->rsv_rfer; dstgroup->rsv_excl = srcgroup->rsv_excl; + dirty_dstgrp = true; - qgroup_dirty(fs_info, dstgroup); qgroup_dirty(fs_info, srcgroup); } if (!inherit) - goto unlock; + goto dirty; i_qgroups = (u64 *)(inherit + 1); for (i = 0; i < inherit->num_qgroups; ++i) { if (*i_qgroups) { ret = add_relation_rb(fs_info, objectid, *i_qgroups); if (ret) - goto unlock; + goto dirty; } ++i_qgroups; @@ -3022,7 +3015,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, if (!src || !dst) { ret = -EINVAL; - goto unlock; + goto dirty; } dst->rfer = src->rfer - level_size; @@ -3043,15 +3036,17 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid, if (!src || !dst) { ret = -EINVAL; - goto unlock; + goto dirty; } dst->excl = src->excl + level_size; dst->excl_cmpr = src->excl_cmpr + level_size; need_rescan = true; } +dirty: + if (dirty_dstgrp) + qgroup_dirty(fs_info, dstgroup); -unlock: spin_unlock(&fs_info->qgroup_lock); if (!ret) ret = btrfs_sysfs_add_one_qgroup(fs_info, dstgroup);
Syzkaller reported BUG as follows: BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274 Call Trace: <TASK> dump_stack_lvl+0xcd/0x134 __might_resched.cold+0x222/0x26b kmem_cache_alloc+0x2e7/0x3c0 update_qgroup_limit_item+0xe1/0x390 btrfs_qgroup_inherit+0x147b/0x1ee0 create_subvol+0x4eb/0x1710 btrfs_mksubvol+0xfe5/0x13f0 __btrfs_ioctl_snap_create+0x2b0/0x430 btrfs_ioctl_snap_create_v2+0x25a/0x520 btrfs_ioctl+0x2a1c/0x5ce0 __x64_sys_ioctl+0x193/0x200 do_syscall_64+0x35/0x80 Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in btrfs_run_qgroups() later. Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com> --- fs/btrfs/qgroup.c | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-)