search for: ocfs2_local_free_info

Now in ocfs2_local_free_info(), it returns 0 even if it actually fails. Though it doesn't cause any real problem since the only caller dquot_disable() ignores the return value, we'd better return correct as it is. Signed-off-by: Joseph Qi <joseph.qi at linux.alibaba.com> --- fs/ocfs2/quota_local.c | 9 +++------...

It's trivial to trigger a use-after-free bug in the ocfs2 quotas code using fstest generic/452. After a read-only remount, quotas are suspended and ocfs2_mem_dqinfo is freed through ->ocfs2_local_free_info(). When unmounting the filesystem, an UAF access to the oinfo will eventually cause a crash. BUG: KASAN: slab-use-after-free in timer_delete+0x54/0xc0 Read of size 8 at addr ffff8880389a8208 by task umount/669 ... Call Trace: <TASK> ... timer_delete+0x54/0xc0 try_to_grab_pending+0x31/0x...

On 5/23/23 5:33 PM, Lu?s Henriques wrote: > It's trivial to trigger a use-after-free bug in the ocfs2 quotas code using > fstest generic/452. After a read-only remount, quotas are suspended and > ocfs2_mem_dqinfo is freed through ->ocfs2_local_free_info(). When unmounting > the filesystem, an UAF access to the oinfo will eventually cause a crash. > > BUG: KASAN: slab-use-after-free in timer_delete+0x54/0xc0 > Read of size 8 at addr ffff8880389a8208 by task umount/669 > ... > Call Trace: > <TASK> > ... > timer_...

On Fri, 26 May 2023 09:36:25 +0800 Joseph Qi <joseph.qi at linux.alibaba.com> wrote: > Hi Andrew, > > There is an updated version v2, which describe more clearly about the > case: > https://lore.kernel.org/ocfs2-devel/e9fc4b2f-1fcc-7c31-f346-59eccff50f9b at linux.alibaba.com/T/#u Sigh. Thanks. As you can see from the above link, the email never hit ocfs2-devel and never

...Henriques <ocfs2-devel at oss.oracle.com> commit 50d927880e0f90d5cb25e897e9d03e5edacc79a8 upstream. It's trivial to trigger a use-after-free bug in the ocfs2 quotas code using fstest generic/452. After a read-only remount, quotas are suspended and ocfs2_mem_dqinfo is freed through ->ocfs2_local_free_info(). When unmounting the filesystem, an UAF access to the oinfo will eventually cause a crash. BUG: KASAN: slab-use-after-free in timer_delete+0x54/0xc0 Read of size 8 at addr ffff8880389a8208 by task umount/669 ... Call Trace: <TASK> ... timer_delete+0x54/0xc0 try_to_grab_pending+0x31/0x...

...Henriques <ocfs2-devel at oss.oracle.com> commit 50d927880e0f90d5cb25e897e9d03e5edacc79a8 upstream. It's trivial to trigger a use-after-free bug in the ocfs2 quotas code using fstest generic/452. After a read-only remount, quotas are suspended and ocfs2_mem_dqinfo is freed through ->ocfs2_local_free_info(). When unmounting the filesystem, an UAF access to the oinfo will eventually cause a crash. BUG: KASAN: slab-use-after-free in timer_delete+0x54/0xc0 Read of size 8 at addr ffff8880389a8208 by task umount/669 ... Call Trace: <TASK> ... timer_delete+0x54/0xc0 try_to_grab_pending+0x31/0x...

...Henriques <ocfs2-devel at oss.oracle.com> commit 50d927880e0f90d5cb25e897e9d03e5edacc79a8 upstream. It's trivial to trigger a use-after-free bug in the ocfs2 quotas code using fstest generic/452. After a read-only remount, quotas are suspended and ocfs2_mem_dqinfo is freed through ->ocfs2_local_free_info(). When unmounting the filesystem, an UAF access to the oinfo will eventually cause a crash. BUG: KASAN: slab-use-after-free in timer_delete+0x54/0xc0 Read of size 8 at addr ffff8880389a8208 by task umount/669 ... Call Trace: <TASK> ... timer_delete+0x54/0xc0 try_to_grab_pending+0x31/0x...

...Henriques <ocfs2-devel at oss.oracle.com> commit 50d927880e0f90d5cb25e897e9d03e5edacc79a8 upstream. It's trivial to trigger a use-after-free bug in the ocfs2 quotas code using fstest generic/452. After a read-only remount, quotas are suspended and ocfs2_mem_dqinfo is freed through ->ocfs2_local_free_info(). When unmounting the filesystem, an UAF access to the oinfo will eventually cause a crash. BUG: KASAN: slab-use-after-free in timer_delete+0x54/0xc0 Read of size 8 at addr ffff8880389a8208 by task umount/669 ... Call Trace: <TASK> ... timer_delete+0x54/0xc0 try_to_grab_pending+0x31/0x...

...Henriques <ocfs2-devel at oss.oracle.com> commit 50d927880e0f90d5cb25e897e9d03e5edacc79a8 upstream. It's trivial to trigger a use-after-free bug in the ocfs2 quotas code using fstest generic/452. After a read-only remount, quotas are suspended and ocfs2_mem_dqinfo is freed through ->ocfs2_local_free_info(). When unmounting the filesystem, an UAF access to the oinfo will eventually cause a crash. BUG: KASAN: slab-use-after-free in timer_delete+0x54/0xc0 Read of size 8 at addr ffff8880389a8208 by task umount/669 ... Call Trace: <TASK> ... timer_delete+0x54/0xc0 try_to_grab_pending+0x31/0x...

...Henriques <ocfs2-devel at oss.oracle.com> commit 50d927880e0f90d5cb25e897e9d03e5edacc79a8 upstream. It's trivial to trigger a use-after-free bug in the ocfs2 quotas code using fstest generic/452. After a read-only remount, quotas are suspended and ocfs2_mem_dqinfo is freed through ->ocfs2_local_free_info(). When unmounting the filesystem, an UAF access to the oinfo will eventually cause a crash. BUG: KASAN: slab-use-after-free in timer_delete+0x54/0xc0 Read of size 8 at addr ffff8880389a8208 by task umount/669 ... Call Trace: <TASK> ... timer_delete+0x54/0xc0 try_to_grab_pending+0x31/0x...

...Henriques <ocfs2-devel at oss.oracle.com> commit 50d927880e0f90d5cb25e897e9d03e5edacc79a8 upstream. It's trivial to trigger a use-after-free bug in the ocfs2 quotas code using fstest generic/452. After a read-only remount, quotas are suspended and ocfs2_mem_dqinfo is freed through ->ocfs2_local_free_info(). When unmounting the filesystem, an UAF access to the oinfo will eventually cause a crash. BUG: KASAN: slab-use-after-free in timer_delete+0x54/0xc0 Read of size 8 at addr ffff8880389a8208 by task umount/669 ... Call Trace: <TASK> ... timer_delete+0x54/0xc0 try_to_grab_pending+0x31/0x...

...x use-after-free when unmounting read-only filesystem Date: Mon, 22 May 2023 11:21:12 +0100 It's trivial to trigger a use-after-free bug in the ocfs2 quotas code using fstest generic/452. After mounting a filesystem as read-only, quotas are suspended and ocfs2_mem_dqinfo is freed through ->ocfs2_local_free_info(). When unmounting the filesystem, an UAF access to the oinfo will eventually cause a crash. Link: https://lkml.kernel.org/r/20230522102112.9031-1-lhenriques at suse.de Signed-off-by: Lu??s Henriques <lhenriques at suse.de> Reviewed-by: Joseph Qi <joseph.qi at linux.alibaba.com> Teste...

...ng read-only filesystem > Date: Mon, 22 May 2023 11:21:12 +0100 > > It's trivial to trigger a use-after-free bug in the ocfs2 quotas code > using fstest generic/452. After mounting a filesystem as read-only, > quotas are suspended and ocfs2_mem_dqinfo is freed through > ->ocfs2_local_free_info(). When unmounting the filesystem, an UAF access > to the oinfo will eventually cause a crash. > > Link: https://lkml.kernel.org/r/20230522102112.9031-1-lhenriques at suse.de > Signed-off-by: Lu?s Henriques <lhenriques at suse.de> > Reviewed-by: Joseph Qi <joseph.qi at lin...

...imer, + round_jiffies(jiffies + oinfo->dqi_syncjiff)); +} + +/* * Wrappers for generic quota functions */ diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c index 719659b..17509bd 100644 --- a/fs/ocfs2/quota_local.c +++ b/fs/ocfs2/quota_local.c @@ -367,6 +367,10 @@ static int ocfs2_local_free_info(struct super_block *sb, int type) int mark_clean = 1, len; int status; + /* At this point we know there are no more dquots and thus + * even if there's some sync in the pdflush queue, it won't + * find any dquots and return without doing anything */ + del_timer_sync(&oinfo->d...

Hi, This is the second batch of Ocfs2 patches intended for the merge window. The 1st batch were sent out previously: http://lkml.org/lkml/2008/12/19/280 The bulk of this set is comprised of Jan Kara's patches to add quota support to Ocfs2. Many of the quota patches are to generic code, which I carried to make merging of the Ocfs2 support easier. All of the non-ocfs2 patches should have