From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org
Cc: Xiangyu Chen <xiangyu.chen@eng.windriver.com>,
Sasha Levin <sashal@kernel.org>
Subject: Re: [PATCH 6.1] btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations
Date: Fri, 29 Nov 2024 15:03:15 -0500
Message-ID: <20241129141301-d4029fe61627016f@stable.kernel.org>
In-Reply-To: <20241129082100.981101-1-xiangyu.chen@eng.windriver.com>
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 74e97958121aa1f5854da6effba70143f051b0cd
WARNING: Author mismatch between patch and upstream commit:
Backport author: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
Commit author: Boris Burkov <boris@bur.io>
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.11.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 14431815a4ae)
6.1.y | Not found
Note: The patch differs from the upstream commit:
---
1: 74e97958121aa ! 1: bd47b55888ef7 btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations
@@ Metadata
## Commit message ##
btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations
+ commit 74e97958121aa1f5854da6effba70143f051b0cd upstream.
+
Create subvolume, create snapshot and delete subvolume all use
btrfs_subvolume_reserve_metadata() to reserve metadata for the changes
done to the parent subvolume's fs tree, which cannot be mediated in the
@@ Commit message
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Boris Burkov <boris@bur.io>
Signed-off-by: David Sterba <dsterba@suse.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ [Xiangyu: BP to fix CVE-2024-35956, due to 6.1 btrfs_subvolume_release_metadata()
+ defined in ctree.h, modified the header file name from root-tree.h to ctree.h]
+ Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+
+ ## fs/btrfs/ctree.h ##
+@@ fs/btrfs/ctree.h: enum btrfs_flush_state {
+ int btrfs_subvolume_reserve_metadata(struct btrfs_root *root,
+ struct btrfs_block_rsv *rsv,
+ int nitems, bool use_global_rsv);
+-void btrfs_subvolume_release_metadata(struct btrfs_root *root,
+- struct btrfs_block_rsv *rsv);
+ void btrfs_delalloc_release_extents(struct btrfs_inode *inode, u64 num_bytes);
+
+ int btrfs_delalloc_reserve_metadata(struct btrfs_inode *inode, u64 num_bytes,
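Review bot: the Signed-off-by added in this trailer block uses xiangyu.chen@windriver.com, while the backport was sent from xiangyu.chen@eng.windriver.com, and the author-mismatch warning above suggests the mail body carries no From: line for Boris Burkov. Use one address consistently and start the body with a From: line naming the upstream author so that git am keeps the original authorship. Greg Kroah-Hartman's Signed-off-by is also added here; if the patch was taken from the 6.6.y commit rather than directly from upstream, the bracketed note should say so.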
## fs/btrfs/inode.c ##
-@@ fs/btrfs/inode.c: int btrfs_delete_subvolume(struct btrfs_inode *dir, struct dentry *dentry)
+@@ fs/btrfs/inode.c: int btrfs_delete_subvolume(struct inode *dir, struct dentry *dentry)
struct btrfs_trans_handle *trans;
struct btrfs_block_rsv block_rsv;
u64 root_flags;
@@ fs/btrfs/inode.c: int btrfs_delete_subvolume(struct btrfs_inode *dir, struct den
int ret;
down_write(&fs_info->subvol_sem);
-@@ fs/btrfs/inode.c: int btrfs_delete_subvolume(struct btrfs_inode *dir, struct dentry *dentry)
+@@ fs/btrfs/inode.c: int btrfs_delete_subvolume(struct inode *dir, struct dentry *dentry)
ret = btrfs_subvolume_reserve_metadata(root, &block_rsv, 5, true);
if (ret)
goto out_undead;
@@ fs/btrfs/inode.c: int btrfs_delete_subvolume(struct btrfs_inode *dir, struct den
trans->block_rsv = &block_rsv;
trans->bytes_reserved = block_rsv.size;
-@@ fs/btrfs/inode.c: int btrfs_delete_subvolume(struct btrfs_inode *dir, struct dentry *dentry)
+@@ fs/btrfs/inode.c: int btrfs_delete_subvolume(struct inode *dir, struct dentry *dentry)
ret = btrfs_end_transaction(trans);
inode->i_flags |= S_DEAD;
out_release:
@@ fs/btrfs/inode.c: int btrfs_delete_subvolume(struct btrfs_inode *dir, struct den
spin_lock(&dest->root_item_lock);
## fs/btrfs/ioctl.c ##
-@@ fs/btrfs/ioctl.c: static noinline int create_subvol(struct mnt_idmap *idmap,
+@@ fs/btrfs/ioctl.c: static noinline int create_subvol(struct user_namespace *mnt_userns,
int ret;
dev_t anon_dev;
u64 objectid;
@@ fs/btrfs/ioctl.c: static noinline int create_subvol(struct mnt_idmap *idmap,
root_item = kzalloc(sizeof(*root_item), GFP_KERNEL);
if (!root_item)
-@@ fs/btrfs/ioctl.c: static noinline int create_subvol(struct mnt_idmap *idmap,
+@@ fs/btrfs/ioctl.c: static noinline int create_subvol(struct user_namespace *mnt_userns,
trans_num_items, false);
if (ret)
goto out_new_inode_args;
@@ fs/btrfs/ioctl.c: static noinline int create_subvol(struct mnt_idmap *idmap,
+ qgroup_reserved = 0;
trans->block_rsv = &block_rsv;
trans->bytes_reserved = block_rsv.size;
- /* Tree log can't currently deal with an inode which is a new root. */
-@@ fs/btrfs/ioctl.c: static noinline int create_subvol(struct mnt_idmap *idmap,
+
+@@ fs/btrfs/ioctl.c: static noinline int create_subvol(struct user_namespace *mnt_userns,
out:
trans->block_rsv = NULL;
trans->bytes_reserved = 0;
- btrfs_subvolume_release_metadata(root, &block_rsv);
--
- btrfs_end_transaction(trans);
+
+ if (ret)
+ btrfs_end_transaction(trans);
+ else
+ ret = btrfs_commit_transaction(trans);
+out_release_rsv:
+ btrfs_block_rsv_release(fs_info, &block_rsv, (u64)-1, NULL);
+ if (qgroup_reserved)
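Review bot: in the create_subvol() exit path the 6.1 side keeps "if (ret) btrfs_end_transaction(trans); else ret = btrfs_commit_transaction(trans);" where the upstream side has a bare "btrfs_end_transaction(trans);", so out_release_rsv: is reached after a commit on the success path. The bracketed backport note only mentions the header move and should record this context difference as well. The "if (qgroup_reserved)" check relies on the earlier "qgroup_reserved = 0;" assignment, and its body is cut off in this excerpt, so the full 6.1 patch should be checked to confirm that the prealloc reservation is freed only on paths taken before that assignment.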
@@ fs/btrfs/root-tree.c: int btrfs_subvolume_reserve_metadata(struct btrfs_root *ro
- btrfs_block_rsv_release(fs_info, rsv, (u64)-1, &qgroup_to_release);
- btrfs_qgroup_convert_reserved_meta(root, qgroup_to_release);
-}
-
- ## fs/btrfs/root-tree.h ##
-@@ fs/btrfs/root-tree.h: struct btrfs_trans_handle;
- int btrfs_subvolume_reserve_metadata(struct btrfs_root *root,
- struct btrfs_block_rsv *rsv,
- int nitems, bool use_global_rsv);
--void btrfs_subvolume_release_metadata(struct btrfs_root *root,
-- struct btrfs_block_rsv *rsv);
- int btrfs_add_root_ref(struct btrfs_trans_handle *trans, u64 root_id,
- u64 ref_id, u64 dirid, u64 sequence,
- const struct fscrypt_str *name);
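Review bot: the bracketed note in the commit message says btrfs_subvolume_release_metadata() is "defined in ctree.h", but the lines shown here drop only the prototype from fs/btrfs/ctree.h, and the function body is still removed under the fs/btrfs/root-tree.c hunk header. Reword the note to "declared in ctree.h" so it matches what the backport actually changes relative to the upstream root-tree.h edit.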
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |
Thread overview: 2+ messages
2024-11-29 8:21 [PATCH 6.1] btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations Xiangyu Chen
2024-11-29 20:03 ` Sasha Levin