Commit 2268f7fb authored Oct 26, 2024 by Joseph Qi Committed by Huang Xiaojia Oct 26, 2024

ocfs2: cancel dqi_sync_work before freeing oinfo

stable inclusion
from stable-v6.6.55
commit ef768020366f47d23f39c4f57bcb03af6d1e24b3
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRD6
CVE: CVE-2024-49966

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ef768020366f47d23f39c4f57bcb03af6d1e24b3

--------------------------------

commit 35fccce29feb3706f649726d410122dd81b92c18 upstream.

ocfs2_global_read_info() will initialize and schedule dqi_sync_work at the
end, if error occurs after successfully reading global quota, it will
trigger the following warning with CONFIG_DEBUG_OBJECTS_* enabled:

ODEBUG: free active (active state 0) object: 00000000d8b0ce28 object type: timer_list hint: qsync_work_fn+0x0/0x16c

This reports that there is an active delayed work when freeing oinfo in
error handling, so cancel dqi_sync_work first.  BTW, return status instead
of -1 when .read_file_info fails.

Link: https://syzkaller.appspot.com/bug?extid=f7af59df5d6b25f0febd
Link: https://lkml.kernel.org/r/20240904071004.2067695-1-joseph.qi@linux.alibaba.com


Fixes: 171bf93c ("ocfs2: Periodic quota syncing")
Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reviewed-by: Heming Zhao <heming.zhao@suse.com>
Reported-by:  <syzbot+f7af59df5d6b25f0febd@syzkaller.appspotmail.com>
Tested-by:  <syzbot+f7af59df5d6b25f0febd@syzkaller.appspotmail.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Huang Xiaojia <huangxiaojia2@huawei.com>

parent 43acbd37

fs/ocfs2/quota_local.c

+6 −2

Original line number	Diff line number	Diff line
		@@ -689,7 +689,7 @@ static int ocfs2_local_read_info(struct super_block *sb, int type)
		int status;
		struct buffer_head *bh = NULL;
		struct ocfs2_quota_recovery *rec;
		int locked = 0;
		int locked = 0, global_read = 0;

		info->dqi_max_spc_limit = 0x7fffffffffffffffLL;
		info->dqi_max_ino_limit = 0x7fffffffffffffffLL;
		@@ -697,6 +697,7 @@ static int ocfs2_local_read_info(struct super_block *sb, int type)
		if (!oinfo) {
		mlog(ML_ERROR, "failed to allocate memory for ocfs2 quota"
		" info.");
		status = -ENOMEM;
		goto out_err;
		}
		info->dqi_priv = oinfo;
		@@ -709,6 +710,7 @@ static int ocfs2_local_read_info(struct super_block *sb, int type)
		status = ocfs2_global_read_info(sb, type);
		if (status < 0)
		goto out_err;
		global_read = 1;

		status = ocfs2_inode_lock(lqinode, &oinfo->dqi_lqi_bh, 1);
		if (status < 0) {
		@@ -779,10 +781,12 @@ static int ocfs2_local_read_info(struct super_block *sb, int type)
		if (locked)
		ocfs2_inode_unlock(lqinode, 1);
		ocfs2_release_local_quota_bitmaps(&oinfo->dqi_chunk);
		if (global_read)
		cancel_delayed_work_sync(&oinfo->dqi_sync_work);
		kfree(oinfo);
		}
		brelse(bh);
		return -1;
		return status;
		}

		/* Write local info to quota file */