Re: [tytso-ext4:dev] BUILD REGRESSION cc5fef71a1c741473eebb1aa6f7056ceb49bc33d

Lukas Czerner <lczerner@xxxxxxxxxx> · Mon, 3 Jan 2022 12:49:31 +0100

On Sun, Dec 26, 2021 at 08:12:47PM -0500, Theodore Ts'o wrote:
> On Sat, Dec 25, 2021 at 11:27:04PM +0800, kernel test robot wrote:
> > tree/branch: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev
> > branch HEAD: cc5fef71a1c741473eebb1aa6f7056ceb49bc33d  ext4: replace snprintf in show functions with sysfs_emit
> > 
> > Error/Warning reports:
> > 
> > https://lore.kernel.org/linux-ext4/202112101722.3Kpomg0h-lkp@xxxxxxxxx
> > 
> > possible Error/Warning in current branch (please contact us if interested):
> > 
> > fs/ext4/super.c:2640:22-40: ERROR: reference preceded by free on line 2639
> 
> The Intel test robot mis-identified the commit which introduced this
> problem (it looks like the first commit with the problem is commit
> e6e268cb6822 ("ext4: move quota configuration out of
> handle_mount_opt()"), but it caused me to take a closer look, and this
> looks... wrong.
> 
> From ext4_apply_quota_options() in fs/extr4/super.c:
> 
> 			qname = ctx->s_qf_names[i]; /* May be NULL */
> 			ctx->s_qf_names[i] = NULL;
> 			kfree(sbi->s_qf_names[i]);
> 			rcu_assign_pointer(sbi->s_qf_names[i], qname);
> 			set_opt(sb, QUOTA);
> 
> sbi->s_qf_names[i] is an RCU protected pointer, which is used via
> rcu_derference().  So how can it be safe to kfree() the pointer;
> should that be kfree_rcu() at the very least?
> 
> Lukas, can you take a look and let me know?   Thanks!
> 
>        	       	      	       	      - Ted

Hi Ted,

yes indeed this is a bug. Something like this untested patch should fix
it I believe.

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index b72d989b77fb..6f52609a334c 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2633,8 +2633,10 @@ static void ext4_apply_quota_options(struct fs_context *fc,

                        qname = ctx->s_qf_names[i]; /* May be NULL */
                        ctx->s_qf_names[i] = NULL;
-                       kfree(sbi->s_qf_names[i]);
-                       rcu_assign_pointer(sbi->s_qf_names[i], qname);
+                       qname = rcu_replace_pointer(sbi->s_qf_names[i], qname,
+                                               lockdep_is_held(&sb->s_umount));
+                       if (qname)
+                               kfree_rcu(qname);
                        set_opt(sb, QUOTA);
                }
        }


There is also a question of the other warning where we pass the pointer
to strcmp which we should silence as well. I'll send a proper patch.

Thanks!
-Lukas







