linux

mirror of https://github.com/hardkernel/linux.git synced 2026-06-06 10:58:48 +09:00

Go to file

Filipe Manana b172535ccb btrfs: qgroup: fix race between quota disable and quota rescan ioctl

[ Upstream commit e1249667750399a48cafcf5945761d39fa584edf ]

There's a race between a task disabling quotas and another running the
rescan ioctl that can result in a use-after-free of qgroup records from
the fs_info->qgroup_tree rbtree.

This happens as follows:

1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan();

2) Task B enters btrfs_quota_disable() and calls
   btrfs_qgroup_wait_for_completion(), which does nothing because at that
   point fs_info->qgroup_rescan_running is false (it wasn't set yet by
   task A);

3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups
   from fs_info->qgroup_tree without taking the lock fs_info->qgroup_lock;

4) Task A enters qgroup_rescan_zero_tracking() which starts iterating
   the fs_info->qgroup_tree tree while holding fs_info->qgroup_lock,
   but task B is freeing qgroup records from that tree without holding
   the lock, resulting in a use-after-free.

Fix this by taking fs_info->qgroup_lock at btrfs_free_qgroup_config().
Also at btrfs_qgroup_rescan() don't start the rescan worker if quotas
were already disabled.

Reported-by: cen zhang <zzzccc427@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/CAFRLqsV+cMDETFuzqdKSHk_FDm6tneea45krsHqPD6B3FetLpQ@mail.gmail.com/
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Boris Burkov <boris@bur.io>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[ Check for BTRFS_FS_QUOTA_ENABLED, instead of btrfs_qgroup_full_accounting() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2025-08-28 16:28:40 +02:00

arch

parisc: Update comments in make_insert_tlb

2025-08-28 16:28:37 +02:00

block

block: reject invalid operation in submit_bio_noacct

2025-08-28 16:28:40 +02:00

certs

sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3

2025-04-25 10:45:58 +02:00

crypto

crypto: jitter - fix intermediary handling

2025-08-28 16:28:26 +02:00

Documentation

fscrypt: Don't use problematic non-inline crypto engines

2025-08-28 16:28:40 +02:00

drivers

usb: typec: fusb302: cache PD RX state

2025-08-28 16:28:40 +02:00

btrfs: qgroup: fix race between quota disable and quota rescan ioctl

2025-08-28 16:28:40 +02:00

include

PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports

2025-08-28 16:28:40 +02:00

init

sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP

2025-05-02 07:50:57 +02:00

io_uring

io_uring/net: commit partial buffers on retry

2025-08-28 16:28:11 +02:00

ipc

ipc: fix to protect IPCS lookups using RCU

2025-06-27 11:08:49 +01:00

kernel

mm: drop the assumption that VM_SHARED always implies writable

2025-08-28 16:28:39 +02:00

lib

maple_tree: fix mt_destroy_walk() on root leaf node

2025-07-17 18:35:14 +02:00

LICENSES

LICENSES: Add the copyleft-next-0.3.1 license

2022-11-08 15:44:01 +01:00

mm: reinstate ability to map write-sealed memfd mappings read-only

2025-08-28 16:28:39 +02:00

net

net/sched: ets: use old 'nbands' while purging unused classes

2025-08-28 16:28:40 +02:00

rust

rust: module: place cleanup_module() in .exit.text section

2025-07-06 11:00:06 +02:00

samples

samples: mei: Fix building on musl libc

2025-08-15 12:08:43 +02:00

scripts

kconfig: lxdialog: fix 'space' to (de)select options

2025-08-28 16:28:29 +02:00

security

apparmor: use the condition in AA_BUG_FMT even with debug disabled

2025-08-28 16:28:28 +02:00

sound

ASoC: fsl_sai: replace regmap_write with regmap_update_bits

2025-08-28 16:28:30 +02:00

tools

selftests/memfd: add test for mapping write-sealed memfd read-only

2025-08-28 16:28:39 +02:00

usr

kbuild: hdrcheck: fix cross build with clang

2025-03-13 12:58:38 +01:00

virt

KVM: Use dedicated mutex to protect kvm_usage_count to avoid deadlock

2024-10-04 16:29:47 +02:00

.clang-format

iommu: Add for_each_group_device()

2023-05-23 08:15:51 +02:00

.cocciconfig

…

.get_maintainer.ignore

get_maintainer: add Alan to .get_maintainer.ignore

2022-08-20 15:17:44 -07:00

.gitattributes

.gitattributes: set diff driver for Rust source code files

2023-05-31 17:48:25 +02:00

.gitignore

Remove *.orig pattern from .gitignore

2024-10-04 16:29:44 +02:00

.mailmap

Merge tag 'mm-hotfixes-stable-2023-10-24-09-40' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

2023-10-24 09:52:16 -10:00

.rustfmt.toml

rust: add .rustfmt.toml

2022-09-28 09:02:20 +02:00

COPYING

COPYING: state that all contributions really are covered by this file

2020-02-10 13:32:20 -08:00

CREDITS

USB: Remove Wireless USB and UWB documentation

2023-08-09 14:17:32 +02:00

Kbuild

Merge tag 'kbuild-v6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild

2022-10-10 12:00:45 -07:00

Kconfig

kbuild: ensure full rebuild when the compiler is updated

2020-05-12 13:28:33 +09:00

MAINTAINERS

sign-file,extract-cert: move common SSL helper functions to a header

2025-04-25 10:45:57 +02:00

Makefile

Linux 6.6.102

2025-08-15 12:09:09 +02:00

README

Drop all 00-INDEX files from Documentation/

2018-09-09 15:08:58 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.