On Sat, Dec 2, 2023 at 10:34 AM Edward Adam Davis <eadavis@xxxxxx> wrote: > [Analysis] > When the task exits, it will execute cleanup_mnt() to recycle the mounted gfs2 > file system, but it performs a system call fsconfig(4, FSCONFIG_CMD_RECONFIGURE, > NULL, NULL, 0) before executing the task exit operation. > > This will execute the following kernel path to complete the setting of > SDF_JOURNAL_LIVE for sd_flags: > > SYSCALL_DEFINE5(fsconfig, ..)-> > vfs_fsconfig_locked()-> > vfs_cmd_reconfigure()-> > gfs2_reconfigure()-> > gfs2_make_fs_rw()-> > set_bit(SDF_JOURNAL_LIVE, &sdp->sd_flags); > > [Fix] > Add SDF_NORECOVERY check in gfs2_quota_cleanup() to avoid checking > SDF_JOURNAL_LIVE on the path where gfs2 is being unmounted. Thanks for this fix, I've applied it and added the following tag: Fixes: f66af88e3321 ("gfs2: Stop using gfs2_make_fs_ro for withdraw") > > Reported-and-tested-by: syzbot+3b6e67ac2b646da57862@xxxxxxxxxxxxxxxxxxxxxxxxx > Signed-off-by: Edward Adam Davis <eadavis@xxxxxx> > --- > fs/gfs2/quota.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c > index 95dae7838b4e..af32dd8a72fa 100644 > --- a/fs/gfs2/quota.c > +++ b/fs/gfs2/quota.c > @@ -1505,7 +1505,8 @@ void gfs2_quota_cleanup(struct gfs2_sbd *sdp) > LIST_HEAD(dispose); > int count; > > - BUG_ON(test_bit(SDF_JOURNAL_LIVE, &sdp->sd_flags)); > + BUG_ON(!test_bit(SDF_NORECOVERY, &sdp->sd_flags) && > + test_bit(SDF_JOURNAL_LIVE, &sdp->sd_flags)); > > spin_lock(&qd_lock); > list_for_each_entry(qd, &sdp->sd_quota_list, qd_list) { > -- > 2.43.0 Thanks, Andreas
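Review bot: In the gfs2_quota_cleanup() hunk, the new BUG_ON condition is keyed on SDF_NORECOVERY, but neither the [Analysis] nor the [Fix] text says why that flag identifies the unmount path, so the link between the two is left for the reader to work out. Please add a short comment above the `BUG_ON(!test_bit(SDF_NORECOVERY, &sdp->sd_flags) &&` line stating which case is being exempted and why SDF_JOURNAL_LIVE may legitimately still be set there. The assertion is also no longer evaluated at all whenever SDF_NORECOVERY is set. The analysis traces the flag to gfs2_reconfigure() -> gfs2_make_fs_rw() -> set_bit(SDF_JOURNAL_LIVE, ...), so the commit message should say whether clearing or not setting SDF_JOURNAL_LIVE on that path was considered, and why relaxing the check in quota cleanup was preferred.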