Fixes for 5.15

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.15/btrfs-add-a-sanity-check-for-btrfs-root-in-btrfs_sea.patch b/queue-5.15/btrfs-add-a-sanity-check-for-btrfs-root-in-btrfs_sea.patch
new file mode 100644 (file)
index 0000000..abef0f8
--- /dev/null
+++ b/queue-5.15/btrfs-add-a-sanity-check-for-btrfs-root-in-btrfs_sea.patch
@@ -0,0 +1,61 @@
+From f3feb84458850475627d283399fc095cfd3e8097 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 12:55:53 +0800
+Subject: btrfs: add a sanity check for btrfs root in btrfs_search_slot()
+
+From: Lizhi Xu <lizhi.xu@windriver.com>
+
+[ Upstream commit 3ed51857a50f530ac7a1482e069dfbd1298558d4 ]
+
+Syzbot reports a null-ptr-deref in btrfs_search_slot().
+
+The reproducer is using rescue=ibadroots, and the extent tree root is
+corrupted thus the extent tree is NULL.
+
+When scrub tries to search the extent tree to gather the needed extent
+info, btrfs_search_slot() doesn't check if the target root is NULL or
+not, resulting the null-ptr-deref.
+
+Add sanity check for btrfs root before using it in btrfs_search_slot().
+
+Reported-by: syzbot+3030e17bd57a73d39bd7@syzkaller.appspotmail.com
+Fixes: 42437a6386ff ("btrfs: introduce mount option rescue=ignorebadroots")
+Link: https://syzkaller.appspot.com/bug?extid=3030e17bd57a73d39bd7
+CC: stable@vger.kernel.org # 5.15+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Tested-by: syzbot+3030e17bd57a73d39bd7@syzkaller.appspotmail.com
+Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
+index af6ddf1f913ae..345f205af6198 100644
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -1763,7 +1763,7 @@ int btrfs_search_slot(struct btrfs_trans_handle *trans, struct btrfs_root *root,
+                     const struct btrfs_key *key, struct btrfs_path *p,
+                     int ins_len, int cow)
+ {
+-      struct btrfs_fs_info *fs_info = root->fs_info;
++      struct btrfs_fs_info *fs_info;
+       struct extent_buffer *b;
+       int slot;
+       int ret;
+@@ -1776,6 +1776,10 @@ int btrfs_search_slot(struct btrfs_trans_handle *trans, struct btrfs_root *root,
+       int min_write_lock_level;
+       int prev_cmp;
+ 
++      if (!root)
++              return -EINVAL;
++
++      fs_info = root->fs_info;
+       might_sleep();
+ 
+       lowest_level = p->lowest_level;
+-- 
+2.43.0
+

diff --git a/queue-5.15/btrfs-add-might_sleep-annotations.patch b/queue-5.15/btrfs-add-might_sleep-annotations.patch
new file mode 100644 (file)
index 0000000..2907d1a
--- /dev/null
+++ b/queue-5.15/btrfs-add-might_sleep-annotations.patch
@@ -0,0 +1,70 @@
+From 5e0677569d3f16e57d4a8ee631057a2965056cea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 22:23:53 +0800
+Subject: btrfs: add might_sleep() annotations
+
+From: ChenXiaoSong <chenxiaosong2@huawei.com>
+
+[ Upstream commit a4c853af0c511d7e0f7cb306bbc8a4f1dbdb64ca ]
+
+Add annotations to functions that might sleep due to allocations or IO
+and could be called from various contexts. In case of btrfs_search_slot
+it's not obvious why it would sleep:
+
+    btrfs_search_slot
+      setup_nodes_for_search
+        reada_for_balance
+          btrfs_readahead_node_child
+            btrfs_readahead_tree_block
+              btrfs_find_create_tree_block
+                alloc_extent_buffer
+                  kmem_cache_zalloc
+                    /* allocate memory non-atomically, might sleep */
+                    kmem_cache_alloc(GFP_NOFS|__GFP_NOFAIL|__GFP_ZERO)
+              read_extent_buffer_pages
+                submit_extent_page
+                  /* disk IO, might sleep */
+                  submit_one_bio
+
+Other examples where the sleeping could happen is in 3 places might
+sleep in update_qgroup_limit_item(), as shown below:
+
+  update_qgroup_limit_item
+    btrfs_alloc_path
+      /* allocate memory non-atomically, might sleep */
+      kmem_cache_zalloc(btrfs_path_cachep, GFP_NOFS)
+
+Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: 3ed51857a50f ("btrfs: add a sanity check for btrfs root in btrfs_search_slot()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
+index 0b8c8b5094efb..af6ddf1f913ae 100644
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -76,6 +76,8 @@ size_t __attribute_const__ btrfs_get_num_csums(void)
+ 
+ struct btrfs_path *btrfs_alloc_path(void)
+ {
++      might_sleep();
++
+       return kmem_cache_zalloc(btrfs_path_cachep, GFP_NOFS);
+ }
+ 
+@@ -1774,6 +1776,8 @@ int btrfs_search_slot(struct btrfs_trans_handle *trans, struct btrfs_root *root,
+       int min_write_lock_level;
+       int prev_cmp;
+ 
++      might_sleep();
++
+       lowest_level = p->lowest_level;
+       WARN_ON(lowest_level && ins_len > 0);
+       WARN_ON(p->nodes[0] != NULL);
+-- 
+2.43.0
+

diff --git a/queue-5.15/btrfs-ref-verify-fix-use-after-free-after-invalid-re.patch b/queue-5.15/btrfs-ref-verify-fix-use-after-free-after-invalid-re.patch
new file mode 100644 (file)
index 0000000..679890d
--- /dev/null
+++ b/queue-5.15/btrfs-ref-verify-fix-use-after-free-after-invalid-re.patch
@@ -0,0 +1,295 @@
+From d1ca6bc4737460c0e3ef71a20b1bcf5d3f2500b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2024 11:29:21 +0000
+Subject: btrfs: ref-verify: fix use-after-free after invalid ref action
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 7c4e39f9d2af4abaf82ca0e315d1fd340456620f ]
+
+At btrfs_ref_tree_mod() after we successfully inserted the new ref entry
+(local variable 'ref') into the respective block entry's rbtree (local
+variable 'be'), if we find an unexpected action of BTRFS_DROP_DELAYED_REF,
+we error out and free the ref entry without removing it from the block
+entry's rbtree. Then in the error path of btrfs_ref_tree_mod() we call
+btrfs_free_ref_cache(), which iterates over all block entries and then
+calls free_block_entry() for each one, and there we will trigger a
+use-after-free when we are called against the block entry to which we
+added the freed ref entry to its rbtree, since the rbtree still points
+to the block entry, as we didn't remove it from the rbtree before freeing
+it in the error path at btrfs_ref_tree_mod(). Fix this by removing the
+new ref entry from the rbtree before freeing it.
+
+Syzbot report this with the following stack traces:
+
+   BTRFS error (device loop0 state EA):   Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615
+      __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523
+      update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512
+      btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
+      btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
+      btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
+      btrfs_insert_empty_items+0x9c/0x1a0 fs/btrfs/ctree.c:4314
+      btrfs_insert_empty_item fs/btrfs/ctree.h:669 [inline]
+      btrfs_insert_orphan_item+0x1f1/0x320 fs/btrfs/orphan.c:23
+      btrfs_orphan_add+0x6d/0x1a0 fs/btrfs/inode.c:3482
+      btrfs_unlink+0x267/0x350 fs/btrfs/inode.c:4293
+      vfs_unlink+0x365/0x650 fs/namei.c:4469
+      do_unlinkat+0x4ae/0x830 fs/namei.c:4533
+      __do_sys_unlinkat fs/namei.c:4576 [inline]
+      __se_sys_unlinkat fs/namei.c:4569 [inline]
+      __x64_sys_unlinkat+0xcc/0xf0 fs/namei.c:4569
+      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+      do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+      entry_SYSCALL_64_after_hwframe+0x77/0x7f
+   BTRFS error (device loop0 state EA):   Ref action 1, root 5, ref_root 5, parent 0, owner 260, offset 0, num_refs 1
+      __btrfs_mod_ref+0x76b/0xac0 fs/btrfs/extent-tree.c:2521
+      update_ref_for_cow+0x96a/0x11f0
+      btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
+      btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
+      btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
+      btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411
+      __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030
+      btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline]
+      __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137
+      __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171
+      btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313
+      prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586
+      relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611
+      btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081
+      btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377
+      __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161
+      btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538
+   BTRFS error (device loop0 state EA):   Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615
+      __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523
+      update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512
+      btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
+      btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
+      btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
+      btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411
+      __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030
+      btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline]
+      __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137
+      __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171
+      btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313
+      prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586
+      relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611
+      btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081
+      btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377
+      __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161
+      btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538
+   ==================================================================
+   BUG: KASAN: slab-use-after-free in rb_first+0x69/0x70 lib/rbtree.c:473
+   Read of size 8 at addr ffff888042d1af38 by task syz.0.0/5329
+
+   CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted 6.12.0-rc7-syzkaller #0
+   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+   Call Trace:
+    <TASK>
+    __dump_stack lib/dump_stack.c:94 [inline]
+    dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+    print_address_description mm/kasan/report.c:377 [inline]
+    print_report+0x169/0x550 mm/kasan/report.c:488
+    kasan_report+0x143/0x180 mm/kasan/report.c:601
+    rb_first+0x69/0x70 lib/rbtree.c:473
+    free_block_entry+0x78/0x230 fs/btrfs/ref-verify.c:248
+    btrfs_free_ref_cache+0xa3/0x100 fs/btrfs/ref-verify.c:917
+    btrfs_ref_tree_mod+0x139f/0x15e0 fs/btrfs/ref-verify.c:898
+    btrfs_free_extent+0x33c/0x380 fs/btrfs/extent-tree.c:3544
+    __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523
+    update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512
+    btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
+    btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
+    btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
+    btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411
+    __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030
+    btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline]
+    __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137
+    __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171
+    btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313
+    prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586
+    relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611
+    btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081
+    btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377
+    __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161
+    btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538
+    btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673
+    vfs_ioctl fs/ioctl.c:51 [inline]
+    __do_sys_ioctl fs/ioctl.c:907 [inline]
+    __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
+    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+    entry_SYSCALL_64_after_hwframe+0x77/0x7f
+   RIP: 0033:0x7f996df7e719
+   RSP: 002b:00007f996ede7038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+   RAX: ffffffffffffffda RBX: 00007f996e135f80 RCX: 00007f996df7e719
+   RDX: 0000000020000180 RSI: 00000000c4009420 RDI: 0000000000000004
+   RBP: 00007f996dff139e R08: 0000000000000000 R09: 0000000000000000
+   R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+   R13: 0000000000000000 R14: 00007f996e135f80 R15: 00007fff79f32e68
+    </TASK>
+
+   Allocated by task 5329:
+    kasan_save_stack mm/kasan/common.c:47 [inline]
+    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+    poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
+    __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
+    kasan_kmalloc include/linux/kasan.h:257 [inline]
+    __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4295
+    kmalloc_noprof include/linux/slab.h:878 [inline]
+    kzalloc_noprof include/linux/slab.h:1014 [inline]
+    btrfs_ref_tree_mod+0x264/0x15e0 fs/btrfs/ref-verify.c:701
+    btrfs_free_extent+0x33c/0x380 fs/btrfs/extent-tree.c:3544
+    __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523
+    update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512
+    btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
+    btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
+    btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
+    btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411
+    __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030
+    btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline]
+    __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137
+    __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171
+    btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313
+    prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586
+    relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611
+    btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081
+    btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377
+    __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161
+    btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538
+    btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673
+    vfs_ioctl fs/ioctl.c:51 [inline]
+    __do_sys_ioctl fs/ioctl.c:907 [inline]
+    __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
+    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+    entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+   Freed by task 5329:
+    kasan_save_stack mm/kasan/common.c:47 [inline]
+    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+    kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
+    poison_slab_object mm/kasan/common.c:247 [inline]
+    __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
+    kasan_slab_free include/linux/kasan.h:230 [inline]
+    slab_free_hook mm/slub.c:2342 [inline]
+    slab_free mm/slub.c:4579 [inline]
+    kfree+0x1a0/0x440 mm/slub.c:4727
+    btrfs_ref_tree_mod+0x136c/0x15e0
+    btrfs_free_extent+0x33c/0x380 fs/btrfs/extent-tree.c:3544
+    __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523
+    update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512
+    btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
+    btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
+    btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
+    btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411
+    __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030
+    btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline]
+    __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137
+    __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171
+    btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313
+    prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586
+    relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611
+    btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081
+    btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377
+    __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161
+    btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538
+    btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673
+    vfs_ioctl fs/ioctl.c:51 [inline]
+    __do_sys_ioctl fs/ioctl.c:907 [inline]
+    __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
+    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+    entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+   The buggy address belongs to the object at ffff888042d1af00
+    which belongs to the cache kmalloc-64 of size 64
+   The buggy address is located 56 bytes inside of
+    freed 64-byte region [ffff888042d1af00, ffff888042d1af40)
+
+   The buggy address belongs to the physical page:
+   page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x42d1a
+   anon flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
+   page_type: f5(slab)
+   raw: 04fff00000000000 ffff88801ac418c0 0000000000000000 dead000000000001
+   raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000
+   page dumped because: kasan: bad access detected
+   page_owner tracks the page as allocated
+   page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5055, tgid 5055 (dhcpcd-run-hook), ts 40377240074, free_ts 40376848335
+    set_page_owner include/linux/page_owner.h:32 [inline]
+    post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1541
+    prep_new_page mm/page_alloc.c:1549 [inline]
+    get_page_from_freelist+0x3649/0x3790 mm/page_alloc.c:3459
+    __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4735
+    alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
+    alloc_slab_page+0x6a/0x140 mm/slub.c:2412
+    allocate_slab+0x5a/0x2f0 mm/slub.c:2578
+    new_slab mm/slub.c:2631 [inline]
+    ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818
+    __slab_alloc+0x58/0xa0 mm/slub.c:3908
+    __slab_alloc_node mm/slub.c:3961 [inline]
+    slab_alloc_node mm/slub.c:4122 [inline]
+    __do_kmalloc_node mm/slub.c:4263 [inline]
+    __kmalloc_noprof+0x25a/0x400 mm/slub.c:4276
+    kmalloc_noprof include/linux/slab.h:882 [inline]
+    kzalloc_noprof include/linux/slab.h:1014 [inline]
+    tomoyo_encode2 security/tomoyo/realpath.c:45 [inline]
+    tomoyo_encode+0x26f/0x540 security/tomoyo/realpath.c:80
+    tomoyo_realpath_from_path+0x59e/0x5e0 security/tomoyo/realpath.c:283
+    tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
+    tomoyo_check_open_permission+0x255/0x500 security/tomoyo/file.c:771
+    security_file_open+0x777/0x990 security/security.c:3109
+    do_dentry_open+0x369/0x1460 fs/open.c:945
+    vfs_open+0x3e/0x330 fs/open.c:1088
+    do_open fs/namei.c:3774 [inline]
+    path_openat+0x2c84/0x3590 fs/namei.c:3933
+   page last free pid 5055 tgid 5055 stack trace:
+    reset_page_owner include/linux/page_owner.h:25 [inline]
+    free_pages_prepare mm/page_alloc.c:1112 [inline]
+    free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2642
+    free_pipe_info+0x300/0x390 fs/pipe.c:860
+    put_pipe_info fs/pipe.c:719 [inline]
+    pipe_release+0x245/0x320 fs/pipe.c:742
+    __fput+0x23f/0x880 fs/file_table.c:431
+    __do_sys_close fs/open.c:1567 [inline]
+    __se_sys_close fs/open.c:1552 [inline]
+    __x64_sys_close+0x7f/0x110 fs/open.c:1552
+    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+    entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+   Memory state around the buggy address:
+    ffff888042d1ae00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+    ffff888042d1ae80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
+   >ffff888042d1af00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+                                           ^
+    ffff888042d1af80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
+    ffff888042d1b000: 00 00 00 00 00 fc fc 00 00 00 00 00 fc fc 00 00
+
+Reported-by: syzbot+7325f164162e200000c1@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/linux-btrfs/673723eb.050a0220.1324f8.00a8.GAE@google.com/T/#u
+Fixes: fd708b81d972 ("Btrfs: add a extent ref verify tool")
+CC: stable@vger.kernel.org # 4.19+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ref-verify.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/btrfs/ref-verify.c b/fs/btrfs/ref-verify.c
+index 4925666910267..5e46ca35b4fdf 100644
+--- a/fs/btrfs/ref-verify.c
++++ b/fs/btrfs/ref-verify.c
+@@ -846,6 +846,7 @@ int btrfs_ref_tree_mod(struct btrfs_fs_info *fs_info,
+ "dropping a ref for a root that doesn't have a ref on the block");
+                       dump_block_entry(fs_info, be);
+                       dump_ref_action(fs_info, ra);
++                      rb_erase(&ref->node, &be->refs);
+                       kfree(ref);
+                       kfree(ra);
+                       goto out_unlock;
+-- 
+2.43.0
+

diff --git a/queue-5.15/quota-flush-quota_release_work-upon-quota-writeback.patch b/queue-5.15/quota-flush-quota_release_work-upon-quota-writeback.patch
new file mode 100644 (file)
index 0000000..1ec4ed5
--- /dev/null
+++ b/queue-5.15/quota-flush-quota_release_work-upon-quota-writeback.patch
@@ -0,0 +1,69 @@
+From ac64c92b36303f1d6c99939a5cf305d679820ebe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2024 18:08:54 +0530
+Subject: quota: flush quota_release_work upon quota writeback
+
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+
+[ Upstream commit ac6f420291b3fee1113f21d612fa88b628afab5b ]
+
+One of the paths quota writeback is called from is:
+
+freeze_super()
+  sync_filesystem()
+    ext4_sync_fs()
+      dquot_writeback_dquots()
+
+Since we currently don't always flush the quota_release_work queue in
+this path, we can end up with the following race:
+
+ 1. dquot are added to releasing_dquots list during regular operations.
+ 2. FS Freeze starts, however, this does not flush the quota_release_work queue.
+ 3. Freeze completes.
+ 4. Kernel eventually tries to flush the workqueue while FS is frozen which
+    hits a WARN_ON since transaction gets started during frozen state:
+
+  ext4_journal_check_start+0x28/0x110 [ext4] (unreliable)
+  __ext4_journal_start_sb+0x64/0x1c0 [ext4]
+  ext4_release_dquot+0x90/0x1d0 [ext4]
+  quota_release_workfn+0x43c/0x4d0
+
+Which is the following line:
+
+  WARN_ON(sb->s_writers.frozen == SB_FREEZE_COMPLETE);
+
+Which ultimately results in generic/390 failing due to dmesg
+noise. This was detected on powerpc machine 15 cores.
+
+To avoid this, make sure to flush the workqueue during
+dquot_writeback_dquots() so we dont have any pending workitems after
+freeze.
+
+Reported-by: Disha Goel <disgoel@linux.ibm.com>
+CC: stable@vger.kernel.org
+Fixes: dabc8b207566 ("quota: fix dqput() to follow the guarantees dquot_srcu should provide")
+Reviewed-by: Baokun Li <libaokun1@huawei.com>
+Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20241121123855.645335-2-ojaswin@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/quota/dquot.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index 3b62fbcefa8c3..5e2cf15b82f4d 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -690,6 +690,8 @@ int dquot_writeback_dquots(struct super_block *sb, int type)
+ 
+       WARN_ON_ONCE(!rwsem_is_locked(&sb->s_umount));
+ 
++      flush_delayed_work(&quota_release_work);
++
+       for (cnt = 0; cnt < MAXQUOTAS; cnt++) {
+               if (type != -1 && cnt != type)
+                       continue;
+-- 
+2.43.0
+

diff --git a/queue-5.15/series b/queue-5.15/series
index b0e9d3d87d394ca93200dc329cc51815084dd208..e213331864026acf7f3534fba0ee272f5163819c 100644 (file)
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -359,3 +359,9 @@ sunrpc-replace-internal-use-of-sockwq_async_nospace.patch
 sunrpc-clear-xprt_sock_upd_timeout-when-reset-transp.patch
 sh-intc-fix-use-after-free-bug-in-register_intc_cont.patch
 asoc-fsl_micfil-fix-the-naming-style-for-mask-definition.patch
+xfs-fix-log-recovery-when-unknown-rocompat-bits-are-.patch
+xfs-remove-unknown-compat-feature-check-in-superbloc.patch
+quota-flush-quota_release_work-upon-quota-writeback.patch
+btrfs-add-might_sleep-annotations.patch
+btrfs-add-a-sanity-check-for-btrfs-root-in-btrfs_sea.patch
+btrfs-ref-verify-fix-use-after-free-after-invalid-re.patch

diff --git a/queue-5.15/xfs-fix-log-recovery-when-unknown-rocompat-bits-are-.patch b/queue-5.15/xfs-fix-log-recovery-when-unknown-rocompat-bits-are-.patch
new file mode 100644 (file)
index 0000000..a93e0be
--- /dev/null
+++ b/queue-5.15/xfs-fix-log-recovery-when-unknown-rocompat-bits-are-.patch
@@ -0,0 +1,98 @@
+From 4a0d75b7b28541dadf740eec67dc85bada354c05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 08:42:35 -0700
+Subject: xfs: fix log recovery when unknown rocompat bits are set
+
+From: Darrick J. Wong <djwong@kernel.org>
+
+[ Upstream commit 74ad4693b6473950e971b3dc525b5ee7570e05d0 ]
+
+Log recovery has always run on read only mounts, even where the primary
+superblock advertises unknown rocompat bits.  Due to a misunderstanding
+between Eric and Darrick back in 2018, we accidentally changed the
+superblock write verifier to shutdown the fs over that exact scenario.
+As a result, the log cleaning that occurs at the end of the mounting
+process fails if there are unknown rocompat bits set.
+
+As we now allow writing of the superblock if there are unknown rocompat
+bits set on a RO mount, we no longer want to turn off RO state to allow
+log recovery to succeed on a RO mount.  Hence we also remove all the
+(now unnecessary) RO state toggling from the log recovery path.
+
+Fixes: 9e037cb7972f ("xfs: check for unknown v5 feature bits in superblock write verifier"
+Signed-off-by: Darrick J. Wong <djwong@kernel.org>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Stable-dep-of: 652f03db897b ("xfs: remove unknown compat feature check in superblock write validation")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/libxfs/xfs_sb.c |  3 ++-
+ fs/xfs/xfs_log.c       | 17 -----------------
+ 2 files changed, 2 insertions(+), 18 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_sb.c b/fs/xfs/libxfs/xfs_sb.c
+index 26dd9ceb44b42..f867da8128ca6 100644
+--- a/fs/xfs/libxfs/xfs_sb.c
++++ b/fs/xfs/libxfs/xfs_sb.c
+@@ -263,7 +263,8 @@ xfs_validate_sb_write(
+               return -EFSCORRUPTED;
+       }
+ 
+-      if (xfs_sb_has_ro_compat_feature(sbp, XFS_SB_FEAT_RO_COMPAT_UNKNOWN)) {
++      if (!xfs_is_readonly(mp) &&
++          xfs_sb_has_ro_compat_feature(sbp, XFS_SB_FEAT_RO_COMPAT_UNKNOWN)) {
+               xfs_alert(mp,
+ "Corruption detected in superblock read-only compatible features (0x%x)!",
+                       (sbp->sb_features_ro_compat &
+diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c
+index eba295f666acc..be2f714d1553a 100644
+--- a/fs/xfs/xfs_log.c
++++ b/fs/xfs/xfs_log.c
+@@ -707,15 +707,7 @@ xfs_log_mount(
+        * just worked.
+        */
+       if (!xfs_has_norecovery(mp)) {
+-              /*
+-               * log recovery ignores readonly state and so we need to clear
+-               * mount-based read only state so it can write to disk.
+-               */
+-              bool    readonly = test_and_clear_bit(XFS_OPSTATE_READONLY,
+-                                              &mp->m_opstate);
+               error = xlog_recover(log);
+-              if (readonly)
+-                      set_bit(XFS_OPSTATE_READONLY, &mp->m_opstate);
+               if (error) {
+                       xfs_warn(mp, "log mount/recovery failed: error %d",
+                               error);
+@@ -764,7 +756,6 @@ xfs_log_mount_finish(
+       struct xfs_mount        *mp)
+ {
+       struct xlog             *log = mp->m_log;
+-      bool                    readonly;
+       int                     error = 0;
+ 
+       if (xfs_has_norecovery(mp)) {
+@@ -772,12 +763,6 @@ xfs_log_mount_finish(
+               return 0;
+       }
+ 
+-      /*
+-       * log recovery ignores readonly state and so we need to clear
+-       * mount-based read only state so it can write to disk.
+-       */
+-      readonly = test_and_clear_bit(XFS_OPSTATE_READONLY, &mp->m_opstate);
+-
+       /*
+        * During the second phase of log recovery, we need iget and
+        * iput to behave like they do for an active filesystem.
+@@ -828,8 +813,6 @@ xfs_log_mount_finish(
+       xfs_buftarg_drain(mp->m_ddev_targp);
+ 
+       clear_bit(XLOG_RECOVERY_NEEDED, &log->l_opstate);
+-      if (readonly)
+-              set_bit(XFS_OPSTATE_READONLY, &mp->m_opstate);
+ 
+       /* Make sure the log is dead if we're returning failure. */
+       ASSERT(!error || xlog_is_shutdown(log));
+-- 
+2.43.0
+

diff --git a/queue-5.15/xfs-remove-unknown-compat-feature-check-in-superbloc.patch b/queue-5.15/xfs-remove-unknown-compat-feature-check-in-superbloc.patch
new file mode 100644 (file)
index 0000000..de0c539
--- /dev/null
+++ b/queue-5.15/xfs-remove-unknown-compat-feature-check-in-superbloc.patch
@@ -0,0 +1,60 @@
+From 0a102a9204b281b0353fd64ca89b9b8441185964 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2024 17:17:15 +0800
+Subject: xfs: remove unknown compat feature check in superblock write
+ validation
+
+From: Long Li <leo.lilong@huawei.com>
+
+[ Upstream commit 652f03db897ba24f9c4b269e254ccc6cc01ff1b7 ]
+
+Compat features are new features that older kernels can safely ignore,
+allowing read-write mounts without issues. The current sb write validation
+implementation returns -EFSCORRUPTED for unknown compat features,
+preventing filesystem write operations and contradicting the feature's
+definition.
+
+Additionally, if the mounted image is unclean, the log recovery may need
+to write to the superblock. Returning an error for unknown compat features
+during sb write validation can cause mount failures.
+
+Although XFS currently does not use compat feature flags, this issue
+affects current kernels' ability to mount images that may use compat
+feature flags in the future.
+
+Since superblock read validation already warns about unknown compat
+features, it's unnecessary to repeat this warning during write validation.
+Therefore, the relevant code in write validation is being removed.
+
+Fixes: 9e037cb7972f ("xfs: check for unknown v5 feature bits in superblock write verifier")
+Cc: stable@vger.kernel.org # v4.19+
+Signed-off-by: Long Li <leo.lilong@huawei.com>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Carlos Maiolino <cem@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/libxfs/xfs_sb.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_sb.c b/fs/xfs/libxfs/xfs_sb.c
+index f867da8128ca6..3175e3620a418 100644
+--- a/fs/xfs/libxfs/xfs_sb.c
++++ b/fs/xfs/libxfs/xfs_sb.c
+@@ -256,13 +256,6 @@ xfs_validate_sb_write(
+        * the kernel cannot support since we checked for unsupported bits in
+        * the read verifier, which means that memory is corrupt.
+        */
+-      if (xfs_sb_has_compat_feature(sbp, XFS_SB_FEAT_COMPAT_UNKNOWN)) {
+-              xfs_warn(mp,
+-"Corruption detected in superblock compatible features (0x%x)!",
+-                      (sbp->sb_features_compat & XFS_SB_FEAT_COMPAT_UNKNOWN));
+-              return -EFSCORRUPTED;
+-      }
+-
+       if (!xfs_is_readonly(mp) &&
+           xfs_sb_has_ro_compat_feature(sbp, XFS_SB_FEAT_RO_COMPAT_UNKNOWN)) {
+               xfs_alert(mp,
+-- 
+2.43.0
+