Patch "btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()" has been added to the 4.14-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 3 Dec 2022 04:36:09 -0500

This is a note to let you know that I've just added the patch titled

    btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 25efb09df2881b5aef9ed0d48073ea7670c8eb78
Author: ChenXiaoSong <chenxiaosong2@xxxxxxxxxx>
Date:   Wed Nov 16 22:23:54 2022 +0800

    btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()
    
    [ Upstream commit f7e942b5bb35d8e3af54053d19a6bf04143a3955 ]
    
    Syzkaller reported BUG as follows:
    
      BUG: sleeping function called from invalid context at
           include/linux/sched/mm.h:274
      Call Trace:
       <TASK>
       dump_stack_lvl+0xcd/0x134
       __might_resched.cold+0x222/0x26b
       kmem_cache_alloc+0x2e7/0x3c0
       update_qgroup_limit_item+0xe1/0x390
       btrfs_qgroup_inherit+0x147b/0x1ee0
       create_subvol+0x4eb/0x1710
       btrfs_mksubvol+0xfe5/0x13f0
       __btrfs_ioctl_snap_create+0x2b0/0x430
       btrfs_ioctl_snap_create_v2+0x25a/0x520
       btrfs_ioctl+0x2a1c/0x5ce0
       __x64_sys_ioctl+0x193/0x200
       do_syscall_64+0x35/0x80
    
    Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in
    btrfs_run_qgroups() later outside of the spinlock context.
    
    CC: stable@xxxxxxxxxxxxxxx # 4.9+
    Reviewed-by: Qu Wenruo <wqu@xxxxxxxx>
    Signed-off-by: ChenXiaoSong <chenxiaosong2@xxxxxxxxxx>
    Reviewed-by: David Sterba <dsterba@xxxxxxxx>
    Signed-off-by: David Sterba <dsterba@xxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
index 47c28983fd01..4ad588ed5813 100644
--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -2239,14 +2239,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans,
 		dstgroup->rsv_rfer = inherit->lim.rsv_rfer;
 		dstgroup->rsv_excl = inherit->lim.rsv_excl;
 
-		ret = update_qgroup_limit_item(trans, quota_root, dstgroup);
-		if (ret) {
-			fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT;
-			btrfs_info(fs_info,
-				   "unable to update quota limit for %llu",
-				   dstgroup->qgroupid);
-			goto unlock;
-		}
+		qgroup_dirty(fs_info, dstgroup);
 	}
 
 	if (srcid) {






