git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Filipe Manana <fdmanana@suse.com>
	Mon, 30 Jun 2025 12:19:20 +0000 (13:19 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 20 Aug 2025 16:36:30 +0000 (18:36 +0200)
commit	c38028ce0d0045ca600b6a8345a0ff92bfb47b66
tree	b2b2909f10a3e4d78169aba8274275695c20a1cd	tree \| snapshot
parent	b76ad1da242014c1a8343746745e570a0781fc68	commit \| diff

btrfs: qgroup: fix race between quota disable and quota rescan ioctl

commit e1249667750399a48cafcf5945761d39fa584edf upstream.

There's a race between a task disabling quotas and another running the
rescan ioctl that can result in a use-after-free of qgroup records from
the fs_info->qgroup_tree rbtree.

This happens as follows:

1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan();

2) Task B enters btrfs_quota_disable() and calls
   btrfs_qgroup_wait_for_completion(), which does nothing because at that
   point fs_info->qgroup_rescan_running is false (it wasn't set yet by
   task A);

3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups
   from fs_info->qgroup_tree without taking the lock fs_info->qgroup_lock;

4) Task A enters qgroup_rescan_zero_tracking() which starts iterating
   the fs_info->qgroup_tree tree while holding fs_info->qgroup_lock,
   but task B is freeing qgroup records from that tree without holding
   the lock, resulting in a use-after-free.

Fix this by taking fs_info->qgroup_lock at btrfs_free_qgroup_config().
Also at btrfs_qgroup_rescan() don't start the rescan worker if quotas
were already disabled.

Reported-by: cen zhang <zzzccc427@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/CAFRLqsV+cMDETFuzqdKSHk_FDm6tneea45krsHqPD6B3FetLpQ@mail.gmail.com/
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Boris Burkov <boris@bur.io>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>