diff options
| author | Filipe Manana <[email protected]> | 2022-08-23 11:45:42 +0000 |
|---|---|---|
| committer | David Sterba <[email protected]> | 2022-09-26 10:27:58 +0000 |
| commit | 331cd9461412e103d07595a10289de90004ac890 (patch) | |
| tree | eb9429aba3331512dec86301a4c1ca5b6d6987b9 /fs/btrfs/dev-replace.c | |
| parent | btrfs: don't print information about space cache or tree every remount (diff) | |
| download | kernel-331cd9461412e103d07595a10289de90004ac890.tar.gz kernel-331cd9461412e103d07595a10289de90004ac890.zip | |
btrfs: fix race between quota enable and quota rescan ioctl
When enabling quotas, at btrfs_quota_enable(), after committing the
transaction, we change fs_info->quota_root to point to the quota root we
created and set BTRFS_FS_QUOTA_ENABLED at fs_info->flags. Then we try
to start the qgroup rescan worker, first by initializing it with a call
to qgroup_rescan_init() - however if that fails we end up freeing the
quota root but we leave fs_info->quota_root still pointing to it, this
can later result in a use-after-free somewhere else.
We have previously set the flags BTRFS_FS_QUOTA_ENABLED and
BTRFS_QGROUP_STATUS_FLAG_ON, so we can only fail with -EINPROGRESS at
btrfs_quota_enable(), which is possible if someone already called the
quota rescan ioctl, and therefore started the rescan worker.
So fix this by ignoring an -EINPROGRESS and asserting we can't get any
other error.
Reported-by: Ye Bin <[email protected]>
Link: https://lore.kernel.org/linux-btrfs/[email protected]/
CC: [email protected] # 4.19+
Reviewed-by: Qu Wenruo <[email protected]>
Signed-off-by: Filipe Manana <[email protected]>
Signed-off-by: David Sterba <[email protected]>
Diffstat (limited to 'fs/btrfs/dev-replace.c')
0 files changed, 0 insertions, 0 deletions