Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: don't free qgroup space unless specified Boris noticed in his simple quotas testing that he was getting a leak with Sweet Tea's change to subvol create that stopped doing a transaction commit. This was just a side effect of that change. In the delayed inode code we have an optimization that will free extra reservations if we think we can pack a dir item into an already modified leaf. Previously this wouldn't be triggered in the subvolume create case because we'd commit the transaction, it was still possible but much harder to trigger. It could actually be triggered if we did a mkdir && subvol create with qgroups enabled. This occurs because in btrfs_insert_delayed_dir_index(), which gets called when we're adding the dir item, we do the following: btrfs_block_rsv_release(fs_info, trans->block_rsv, bytes, NULL); if we're able to skip reserving space. The problem here is that trans->block_rsv points at the temporary block rsv for the subvolume create, which has qgroup reservations in the block rsv. This is a problem because btrfs_block_rsv_release() will do the following: if (block_rsv->qgroup_rsv_reserved >= block_rsv->qgroup_rsv_size) { qgroup_to_release = block_rsv->qgroup_rsv_reserved - block_rsv->qgroup_rsv_size; block_rsv->qgroup_rsv_reserved = block_rsv->qgroup_rsv_size; } The temporary block rsv just has ->qgroup_rsv_reserved set, ->qgroup_rsv_size == 0. The optimization in btrfs_insert_delayed_dir_index() sets ->qgroup_rsv_reserved = 0. Then later on when we call btrfs_subvolume_release_metadata() which has btrfs_block_rsv_release(fs_info, rsv, (u64)-1, &qgroup_to_release); btrfs_qgroup_convert_reserved_meta(root, qgroup_to_release); qgroup_to_release is set to 0, and we do not convert the reserved metadata space. The problem here is that the block rsv code has been unconditionally messing with ->qgroup_rsv_reserved, because the main place this is used is delalloc, and any time we call btrfs_block_rsv_release() we do it with qgroup_to_release set, and thus do the proper accounting. The subvolume code is the only other code that uses the qgroup reservation stuff, but it's intermingled with the above optimization, and thus was getting its reservation freed out from underneath it and thus leaking the reserved space. The solution is to simply not mess with the qgroup reservations if we don't have qgroup_to_release set. This works with the existing code as anything that messes with the delalloc reservations always have qgroup_to_release set. This fixes the leak that Boris was observing.
Product status
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 1e05bf5e80bb1161b7294c9ce5292b26232ab853
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 148b16cd30b202999ec5b534e3e5d8ab4b766f21
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before f264be24146bee2d652010a18ae2517df5856261
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 15e877e5923ec6d6caa5e447dcc4b79a8ff7cc53
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 04ff6bd0317735791ef3e443c7c89f3c0dda548d
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 478bd15f46b6e3aae78aac4f3788697f1546eea6
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before d246331b78cbef86237f9c22389205bc9b4e1cc1
5.4.243 (semver)
5.10.180 (semver)
5.15.112 (semver)
6.1.29 (semver)
6.2.16 (semver)
6.3.3 (semver)
6.4 (original_commit_for_fix)
References
git.kernel.org/...c/1e05bf5e80bb1161b7294c9ce5292b26232ab853
git.kernel.org/...c/148b16cd30b202999ec5b534e3e5d8ab4b766f21
git.kernel.org/...c/f264be24146bee2d652010a18ae2517df5856261
git.kernel.org/...c/15e877e5923ec6d6caa5e447dcc4b79a8ff7cc53
git.kernel.org/...c/04ff6bd0317735791ef3e443c7c89f3c0dda548d
git.kernel.org/...c/478bd15f46b6e3aae78aac4f3788697f1546eea6
git.kernel.org/...c/d246331b78cbef86237f9c22389205bc9b4e1cc1
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.
