[PATCH 1/2] quota: Handle Q_GETNEXTQUOTA when quota is disabled

[PATCH 1/2] quota: Handle Q_GETNEXTQUOTA when quota is disabled

[Jan Kara]

Currently we oopsed when Q_GETNEXTQUOTA got called when quota was
disabled. Properly check whether quota is enabled for the filesystem
before calling into quota format handler.

Reported-by: Ted Tso <tytso@mit.edu>
Signed-off-by: Jan Kara <jack@suse.cz>
---
 fs/quota/dquot.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

I have queue this fix for the bug Ted reported and will push it to Linus soon.

diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
index ba827daea5a0..ff21980d0119 100644
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -2047,11 +2047,20 @@ int dquot_get_next_id(struct super_block *sb, struct kqid *qid)
 	struct quota_info *dqopt = sb_dqopt(sb);
 	int err;
 
-	if (!dqopt->ops[qid->type]->get_next_id)
-		return -ENOSYS;
+	mutex_lock(&dqopt->dqonoff_mutex);
+	if (!sb_has_quota_active(sb, qid->type)) {
+		err = -ESRCH;
+		goto out;
+	}
+	if (!dqopt->ops[qid->type]->get_next_id) {
+		err = -ENOSYS;
+		goto out;
+	}
 	mutex_lock(&dqopt->dqio_mutex);
 	err = dqopt->ops[qid->type]->get_next_id(sb, qid);
 	mutex_unlock(&dqopt->dqio_mutex);
+out:
+	mutex_unlock(&dqopt->dqonoff_mutex);
 
 	return err;
 }
-- 
2.6.2

[PATCH 2/2] ocfs2: Fix Q_GETNEXTQUOTA for filesystem without quotas

[Jan Kara]

When Q_GETNEXTQUOTA was called for filesystem with quotas disabled
ocfs2_get_next_id() oopses. Fix the problem by checking early whether
the filesystem has quotas enabled.

Signed-off-by: Jan Kara <jack@suse.cz>
---
 fs/ocfs2/quota_global.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c
index 3892f3c079ca..ab6a6cdcf91c 100644
--- a/fs/ocfs2/quota_global.c
+++ b/fs/ocfs2/quota_global.c
@@ -867,6 +867,10 @@ static int ocfs2_get_next_id(struct super_block *sb, struct kqid *qid)
 	int status = 0;
 
 	trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type);
+	if (!sb_has_quota_loaded(sb, type)) {
+		status = -ESRCH;
+		goto out;
+	}
 	status = ocfs2_lock_global_qf(info, 0);
 	if (status < 0)
 		goto out;
@@ -878,8 +882,11 @@ static int ocfs2_get_next_id(struct super_block *sb, struct kqid *qid)
 out_global:
 	ocfs2_unlock_global_qf(info, 0);
 out:
-	/* Avoid logging ENOENT since it just means there isn't next ID */
-	if (status && status != -ENOENT)
+	/*
+	 * Avoid logging ENOENT since it just means there isn't next ID and
+	 * ESRCH which means quota isn't enabled for the filesystem.
+	 */
+	if (status && status != -ENOENT && status != -ESRCH)
 		mlog_errno(status);
 	return status;
 }
-- 
2.6.2

Re: [PATCH 1/2] quota: Handle Q_GETNEXTQUOTA when quota is disabled

[Theodore Ts'o]

On Tue, Mar 29, 2016 at 06:11:43PM +0200, Jan Kara wrote:
> Currently we oopsed when Q_GETNEXTQUOTA got called when quota was
> disabled. Properly check whether quota is enabled for the filesystem
> before calling into quota format handler.
> 
> diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
> index ba827daea5a0..ff21980d0119 100644
> --- a/fs/quota/dquot.c
> +++ b/fs/quota/dquot.c
> @@ -2047,11 +2047,20 @@ int dquot_get_next_id(struct super_block *sb, struct kqid *qid)
>  	struct quota_info *dqopt = sb_dqopt(sb);
>  	int err;
>  
> -	if (!dqopt->ops[qid->type]->get_next_id)
> -		return -ENOSYS;
> +	mutex_lock(&dqopt->dqonoff_mutex);
> +	if (!sb_has_quota_active(sb, qid->type)) {
> +		err = -ESRCH;
> +		goto out;
> +	}
> +	if (!dqopt->ops[qid->type]->get_next_id) {
> +		err = -ENOSYS;
> +		goto out;
> +	}

Don't you also have to test if dqopt->ops[qid->type] is NULL?  e.g.,
if the quota inode hasn't been loaded for that quota type?

Also, I notice you have this queued on the for_next branch and not the
for_linus branch.  I was hoping you could push this to Linus sooner
than the next merge cycle, since this is (a) making my testing hard,
and (b) it makes it easy for an attacker to crash the system.  For
similar reasons, perhaps this should have a cc: stable@vger.kernel.org
tag?

Thanks,

					- Ted

Re: [PATCH 1/2] quota: Handle Q_GETNEXTQUOTA when quota is disabled

[Jan Kara]

On Fri 01-04-16 10:39:56, Ted Tso wrote:
> On Tue, Mar 29, 2016 at 06:11:43PM +0200, Jan Kara wrote:
> > Currently we oopsed when Q_GETNEXTQUOTA got called when quota was
> > disabled. Properly check whether quota is enabled for the filesystem
> > before calling into quota format handler.
> > 
> > diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
> > index ba827daea5a0..ff21980d0119 100644
> > --- a/fs/quota/dquot.c
> > +++ b/fs/quota/dquot.c
> > @@ -2047,11 +2047,20 @@ int dquot_get_next_id(struct super_block *sb, struct kqid *qid)
> >  	struct quota_info *dqopt = sb_dqopt(sb);
> >  	int err;
> >  
> > -	if (!dqopt->ops[qid->type]->get_next_id)
> > -		return -ENOSYS;
> > +	mutex_lock(&dqopt->dqonoff_mutex);
> > +	if (!sb_has_quota_active(sb, qid->type)) {
> > +		err = -ESRCH;
> > +		goto out;
> > +	}
> > +	if (!dqopt->ops[qid->type]->get_next_id) {
> > +		err = -ENOSYS;
> > +		goto out;
> > +	}
> 
> Don't you also have to test if dqopt->ops[qid->type] is NULL?  e.g.,
> if the quota inode hasn't been loaded for that quota type?

Well, we first setup ->ops[type], then load quota inode, and only after
that enable flags which sb_has_quota_active() is checking so I don't see a
need for additional checking of dqopt->ops[qid->type].

> Also, I notice you have this queued on the for_next branch and not the
> for_linus branch.  I was hoping you could push this to Linus sooner
> than the next merge cycle, since this is (a) making my testing hard,
> and (b) it makes it easy for an attacker to crash the system.  For
> similar reasons, perhaps this should have a cc: stable@vger.kernel.org
> tag?

The problematic code was merged in this merge window so no point to cc
stable. I want to push the fix to Linus for rc3 (likely today or tomorrow)
so you should be able to get that soon. Sorry for complications.

								Honza
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR