Date: Sat, 9 Mar 2024 00:26:26 +0100
From: Jan Kara
To: cem@kernel.org
Cc: hughd@google.com, jack@suse.cz, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH] tmpfs: Fix race on handling dquot rbtree
Message-ID: <20240308232626.hlpleyydhh2awmit@quack3>
References: <20240307174226.627962-1-cem@kernel.org>
In-Reply-To: <20240307174226.627962-1-cem@kernel.org>

On Thu 07-03-24 18:42:10, cem@kernel.org wrote:
> From: Carlos Maiolino
>
> A syzkaller reproducer found a race while attempting to remove dquot information
> from the rb tree.
> Fetching the rb_tree root node must also be protected by the dqopt->dqio_sem,
> otherwise, given the right timing, shmem_release_dquot() will trigger a warning
> because it couldn't find a node in the tree, when the real reason was the root
> node changing before the search starts:
>
> Thread 1                                  Thread 2
> - shmem_release_dquot()                   - shmem_{acquire,release}_dquot()
>
> - fetch ROOT                              - Fetch ROOT
>
>                                           - acquire dqio_sem
> - wait dqio_sem
>
>                                           - do something, trigger a tree rebalance
>                                           - release dqio_sem
>
> - acquire dqio_sem
> - start searching for the node, but
>   from the wrong location, missing
>   the node, and triggering a warning.
>
> Fixes: eafc474e202978 ("shmem: prepare shmem quota infrastructure")
> Reported-by: Ubisectech Sirius
> Signed-off-by: Carlos Maiolino Ah, good catch! Feel free to add: Reviewed-by: Jan Kara Honza > --- > > I had a chat with Aristeu Rozanski and Jan Kara about this issue, which made me > stop pursuing the wrong direction and reach the root cause faster, thanks guys. > > mm/shmem_quota.c | 10 +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) > > diff --git a/mm/shmem_quota.c b/mm/shmem_quota.c > index 062d1c1097ae3..ce514e700d2f6 100644 > --- a/mm/shmem_quota.c > +++ b/mm/shmem_quota.c > @@ -116,7 +116,7 @@ static int shmem_free_file_info(struct super_block *sb, int type) > static int shmem_get_next_id(struct super_block *sb, struct kqid *qid) > { > struct mem_dqinfo *info = sb_dqinfo(sb, qid->type); > - struct rb_node *node = ((struct rb_root *)info->dqi_priv)->rb_node; > + struct rb_node *node; > qid_t id = from_kqid(&init_user_ns, *qid); > struct quota_info *dqopt = sb_dqopt(sb); > struct quota_id *entry = NULL; > @@ -126,6 +126,7 @@ static int shmem_get_next_id(struct super_block *sb, struct kqid *qid) > return -ESRCH; > > down_read(&dqopt->dqio_sem); > + node = ((struct rb_root *)info->dqi_priv)->rb_node; > while (node) { > entry = rb_entry(node, struct quota_id, node); > > @@ -165,7 +166,7 @@ static int shmem_get_next_id(struct super_block *sb, struct kqid *qid) > static int shmem_acquire_dquot(struct dquot *dquot) > { > struct mem_dqinfo *info = sb_dqinfo(dquot->dq_sb, dquot->dq_id.type); > - struct rb_node **n = &((struct rb_root *)info->dqi_priv)->rb_node; > + struct rb_node **n; > struct shmem_sb_info *sbinfo = dquot->dq_sb->s_fs_info; > struct rb_node *parent = NULL, *new_node = NULL; > struct quota_id *new_entry, *entry; > @@ -176,6 +177,8 @@ static int shmem_acquire_dquot(struct dquot *dquot) > mutex_lock(&dquot->dq_lock); > > down_write(&dqopt->dqio_sem); > + n = &((struct rb_root *)info->dqi_priv)->rb_node; > + > while (*n) { > parent = *n; > entry = rb_entry(parent, struct quota_id, node); 
> @@ -264,7 +267,7 @@ static bool shmem_is_empty_dquot(struct dquot *dquot) > static int shmem_release_dquot(struct dquot *dquot) > { > struct mem_dqinfo *info = sb_dqinfo(dquot->dq_sb, dquot->dq_id.type); > - struct rb_node *node = ((struct rb_root *)info->dqi_priv)->rb_node; > + struct rb_node *node; > qid_t id = from_kqid(&init_user_ns, dquot->dq_id); > struct quota_info *dqopt = sb_dqopt(dquot->dq_sb); > struct quota_id *entry = NULL; > @@ -275,6 +278,7 @@ static int shmem_release_dquot(struct dquot *dquot) > goto out_dqlock; > > down_write(&dqopt->dqio_sem); > + node = ((struct rb_root *)info->dqi_priv)->rb_node; > while (node) { > entry = rb_entry(node, struct quota_id, node); > > -- > 2.44.0 > -- Jan Kara SUSE Labs, CR
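Review bot: in the two shmem_get_next_id hunks (`@@ -116,7` and `@@ -126,6`), `struct rb_node *node;` is now left uninitialized at declaration and only assigned after `down_read(&dqopt->dqio_sem);`. That is safe today because the `return -ESRCH;` path exits before `node` is touched, but initializing it (`struct rb_node *node = NULL;`) would keep a future reordering of the early-return checks from turning this into a read of an uninitialized pointer. The read lock is the right mode here since this path only walks the tree.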
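Review bot: style nit in the shmem_acquire_dquot hunks (`@@ -165,7` and `@@ -176,6`): the added `n = &((struct rb_root *)info->dqi_priv)->rb_node;` is followed by an extra blank line, while the equivalent fetches in shmem_get_next_id and shmem_release_dquot go straight into `while (node) {`; dropping the blank line keeps the three sites uniform. Separately, the commit message only walks through shmem_release_dquot; a sentence noting that the same unlocked root read existed in shmem_get_next_id and shmem_acquire_dquot would document why this insertion path is touched as well.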
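Review bot: for the shmem_release_dquot hunks (`@@ -264,7` and `@@ -275,6`), which cover the path from the syzkaller report, consider whether a Cc: stable tag belongs alongside the Fixes: tag so the change reaches any released kernel that carries eafc474e202978. The moved fetch now sits below `down_write(&dqopt->dqio_sem);`, so a rebalance in the other thread can no longer change the starting node between the read and the search, which matches the interleaving described in the commit message.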
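To make the interleaving in the commit message concrete, here is a constructed user-space model (added here, not code from the patch or the kernel): a two-node BST stands in for the shmem quota rb_tree, a single left rotation stands in for the rebalance done by the other thread, and the two lookup functions differ only in whether the root pointer is read before or after the point where dqio_sem would be taken.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed model, not kernel code: n_a/n_b stand in for quota_id entries and
 * rotate_left_at_root() for a rebalance done by thread 2 while thread 1 waits
 * for dqio_sem. No real threads; the interleaving is forced by call order. */
struct node { int id; struct node *left, *right; };
static struct node n_a = { 10, NULL, NULL }, n_b = { 20, NULL, NULL };
static struct node *root;   /* models ((struct rb_root *)info->dqi_priv)->rb_node */

static void reset_tree(void) {           /* A is root, B its right child */
    n_a.left = NULL; n_a.right = &n_b; n_b.left = n_b.right = NULL; root = &n_a;
}

/* Thread 2's work: a left rotation that makes B the root and A its left child. */
static void rotate_left_at_root(void) {
    struct node *old = root;
    root = old->right;
    old->right = root->left;
    root->left = old;
}

static struct node *search_from(struct node *n, int id) {
    while (n) {
        if (id < n->id) n = n->left;
        else if (id > n->id) n = n->right;
        else return n;
    }
    return NULL;
}

/* Pre-patch order: snapshot the root, then block on the lock while thread 2
 * rotates; the search then starts from a node that is no longer the root. */
static struct node *lookup_racy(int id) {
    struct node *start = root;      /* read before "down_write(&dqio_sem)" */
    rotate_left_at_root();          /* rebalance slips in while we wait for the lock */
    return search_from(start, id);  /* under the lock now, but from a stale start */
}

/* Post-patch order (what the fix does): take the lock first, then read the root. */
static struct node *lookup_safe(int id) {
    rotate_left_at_root();          /* rotation completes before we get the lock */
    return search_from(root, id);   /* root read only after "down_write(&dqio_sem)" */
}

/* Runs one lookup against a freshly built tree; fixed selects the post-patch order. */
static struct node *try_lookup(int id, int fixed) {
    reset_tree();
    return fixed ? lookup_safe(id) : lookup_racy(id);
}

int main(void) {
    printf("racy lookup of 20: %s\n", try_lookup(20, 0) ? "found" : "MISSED");
    printf("safe lookup of 20: %s\n", try_lookup(20, 1) ? "found" : "MISSED");
    return 0;
}
```

Looking up id 20 from the stale start misses it because the rotation moved B above A, which is exactly the "node not found" warning the commit message describes; id 10 still resolves either way, so the bug only surfaces for the entries the rebalance moved.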