From c7185d72b368c96d3553879f0a0a5e1c3495241c Mon Sep 17 00:00:00 2001
From: Gautham Ananthakrishna
Date: Tue, 28 May 2024 15:17:17 +0800
Subject: [PATCH 1/3] ocfs2: fix race between searching chunks and release journal_head from buffer_head

mainline inclusion
from mainline-v5.15
commit 6f1b228529ae49b0f85ab89bcdb6c365df401558
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RDCV
CVE: CVE-2021-47493

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6f1b228529ae49b0f85ab89bcdb6c365df401558

--------------------------------

Encountered a race between ocfs2_test_bg_bit_allocatable() and jbd2_journal_put_journal_head() resulting in the below vmcore.

PID: 106879 TASK: ffff880244ba9c00 CPU: 2 COMMAND: "loop3"
Call trace:
 panic
 oops_end
 no_context
 __bad_area_nosemaphore
 bad_area_nosemaphore
 __do_page_fault
 do_page_fault
 page_fault
 [exception RIP: ocfs2_block_group_find_clear_bits+316]
 ocfs2_block_group_find_clear_bits [ocfs2]
 ocfs2_cluster_group_search [ocfs2]
 ocfs2_search_chain [ocfs2]
 ocfs2_claim_suballoc_bits [ocfs2]
 __ocfs2_claim_clusters [ocfs2]
 ocfs2_claim_clusters [ocfs2]
 ocfs2_local_alloc_slide_window [ocfs2]
 ocfs2_reserve_local_alloc_bits [ocfs2]
 ocfs2_reserve_clusters_with_limit [ocfs2]
 ocfs2_reserve_clusters [ocfs2]
 ocfs2_lock_refcount_allocators [ocfs2]
 ocfs2_make_clusters_writable [ocfs2]
 ocfs2_replace_cow [ocfs2]
 ocfs2_refcount_cow [ocfs2]
 ocfs2_file_write_iter [ocfs2]
 lo_rw_aio
 loop_queue_work
 kthread_worker_fn
 kthread
 ret_from_fork

When ocfs2_test_bg_bit_allocatable() called bh2jh(bg_bh), bg_bh->b_private was NULL because jbd2_journal_put_journal_head() had raced with it and already released the journal head from the buffer head. The bit lock for the bit 'BH_JournalHead' needs to be taken around that lookup to fix this race.

Link: https://lkml.kernel.org/r/1634820718-6043-1-git-send-email-gautham.ananthakrishna@oracle.com
Signed-off-by: Gautham Ananthakrishna
Reviewed-by: Joseph Qi
Cc:
Cc: Mark Fasheh
Cc: Joel Becker
Cc: Junxiao Bi
Cc: Changwei Ge
Cc: Gang He
Cc: Jun Piao
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Conflicts: fs/ocfs2/suballoc.c
Signed-off-by: liwei
---
 fs/ocfs2/suballoc.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index f7c972fbed6a..46e226d565ec 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -1266,7 +1266,7 @@ static int ocfs2_test_bg_bit_allocatable(struct buffer_head *bg_bh,
 					 int nr)
 {
 	struct ocfs2_group_desc *bg = (struct ocfs2_group_desc *) bg_bh->b_data;
-	int ret;
+	int ret = 1;
 
 	if (ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap))
 		return 0;
@@ -1274,13 +1274,17 @@ static int ocfs2_test_bg_bit_allocatable(struct buffer_head *bg_bh,
 	if (!buffer_jbd(bg_bh))
 		return 1;
 
-	jbd_lock_bh_state(bg_bh);
-	bg = (struct ocfs2_group_desc *) bh2jh(bg_bh)->b_committed_data;
-	if (bg)
-		ret = !ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap);
-	else
-		ret = 1;
-	jbd_unlock_bh_state(bg_bh);
+	jbd_lock_bh_journal_head(bg_bh);
+	if (buffer_jbd(bg_bh)) {
+		jbd_lock_bh_state(bg_bh);
+		bg = (struct ocfs2_group_desc *) bh2jh(bg_bh)->b_committed_data;
+		if (bg)
+			ret = !ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap);
+		else
+			ret = 1;
+		jbd_unlock_bh_state(bg_bh);
+	}
+	jbd_unlock_bh_journal_head(bg_bh);
 
 	return ret;
 }
-- Gitee

From c893071dff0c8fecfacbc3ae619953d7ffd84b4a Mon Sep 17 00:00:00 2001
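Review bot: The second hunk nests `jbd_lock_bh_state(bg_bh)` inside `jbd_lock_bh_journal_head(bg_bh)`, which is the reverse of the order that the description of [PATCH 2/3] on this page attributes to the jbd2 commit path (state lock held, then `jbd2_journal_put_journal_head()` taking the journal-head bit lock), so this hunk on its own converts the NULL dereference into an ABBA deadlock. The two follow-up patches in this series are what make it safe, and they should be treated as inseparable from this one when backporting rather than cherry-picked. A minor point: since the first hunk now initialises `int ret = 1;`, the inner `else ret = 1;` is redundant, though the next patch removes it anyway. The function's signature line lies above this hunk (it is only visible as the hunk's context header).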
From: Joseph Qi
Date: Tue, 28 May 2024 15:17:18 +0800
Subject: [PATCH 2/3] ocfs2: fix a deadlock when commit trans

mainline inclusion
from mainline-v5.17-rc2
commit ddf4b773aa40790dfa936bd845c18e735a49c61c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RDCV
CVE: CVE-2021-47493

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ddf4b773aa40790dfa936bd845c18e735a49c61c

--------------------------------

commit 6f1b228529ae introduces a regression which can deadlock as follows:

Task1: Task2: jbd2_journal_commit_transaction ocfs2_test_bg_bit_allocatable spin_lock(&jh->b_state_lock) jbd_lock_bh_journal_head __jbd2_journal_remove_checkpoint spin_lock(&jh->b_state_lock) jbd2_journal_put_journal_head jbd_lock_bh_journal_head

Task1 and Task2 lock bh->b_state and jh->b_state_lock in different order, which finally result in a deadlock.

So use jbd2_journal_[grab|put]_journal_head instead in ocfs2_test_bg_bit_allocatable() to fix it.

Link: https://lkml.kernel.org/r/20220121071205.100648-3-joseph.qi@linux.alibaba.com
Fixes: 6f1b228529ae ("ocfs2: fix race between searching chunks and release journal_head from buffer_head")
Signed-off-by: Joseph Qi
Reported-by: Gautham Ananthakrishna
Tested-by: Gautham Ananthakrishna
Reported-by: Saeed Mirzamohammadi
Cc: "Theodore Ts'o"
Cc: Andreas Dilger
Cc: Changwei Ge
Cc: Gang He
Cc: Joel Becker
Cc: Jun Piao
Cc: Junxiao Bi
Cc: Mark Fasheh
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Conflicts: fs/ocfs2/suballoc.c
Signed-off-by: liwei
---
 fs/ocfs2/suballoc.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 46e226d565ec..0a6426e4568f 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -1266,25 +1266,25 @@ static int ocfs2_test_bg_bit_allocatable(struct buffer_head *bg_bh,
 					 int nr)
 {
 	struct ocfs2_group_desc *bg = (struct ocfs2_group_desc *) bg_bh->b_data;
-	int ret = 1;
+	struct journal_head *jh;
+	int ret;
 
 	if (ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap))
 		return 0;
 
-	if (!buffer_jbd(bg_bh))
+	jh = jbd2_journal_grab_journal_head(bg_bh);
+	if (!jh)
 		return 1;
 
-	jbd_lock_bh_journal_head(bg_bh);
-	if (buffer_jbd(bg_bh)) {
-		jbd_lock_bh_state(bg_bh);
-		bg = (struct ocfs2_group_desc *) bh2jh(bg_bh)->b_committed_data;
-		if (bg)
-			ret = !ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap);
-		else
-			ret = 1;
-		jbd_unlock_bh_state(bg_bh);
-	}
-	jbd_unlock_bh_journal_head(bg_bh);
+	jbd_lock_bh_state(bg_bh);
+	bg = (struct ocfs2_group_desc *) bh2jh(bg_bh)->b_committed_data;
+	if (bg)
+		ret = !ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap);
+	else
+		ret = 1;
+	jbd_unlock_bh_state(bg_bh);
+
+	jbd2_journal_put_journal_head(jh);
 
 	return ret;
 }
-- Gitee

From c45d02ea3bd35c899481a331b96713810df79668 Mon Sep 17 00:00:00 2001
From: Joseph Qi
Date: Tue, 28 May 2024 15:17:19 +0800
Subject: [PATCH 3/3] jbd2: export jbd2_journal_[grab|put]_journal_head

mainline inclusion
from mainline-v5.17-rc2
commit 4cd1103d8c66b2cdb7e64385c274edb0ac5e8887
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RDCV
CVE: CVE-2021-47493

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4cd1103d8c66b2cdb7e64385c274edb0ac5e8887

--------------------------------

Patch series "ocfs2: fix a deadlock case".

This fixes a deadlock case in ocfs2. We firstly export jbd2 symbols jbd2_journal_[grab|put]_journal_head as preparation and later use them in ocfs2 insread of jbd_[lock|unlock]_bh_journal_head to fix the deadlock.

This patch (of 2):

This exports symbols jbd2_journal_[grab|put]_journal_head, which will be used outside modules, e.g. ocfs2.

Link: https://lkml.kernel.org/r/20220121071205.100648-2-joseph.qi@linux.alibaba.com
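Review bot: This hunk makes ocfs2 call `jbd2_journal_grab_journal_head()` and `jbd2_journal_put_journal_head()`, but their `EXPORT_SYMBOL` lines only arrive in [PATCH 3/3], which upstream applied first ("This patch (of 2)" in that patch's description); with ocfs2 built as a module the tree at this commit has unresolved symbols, so the two backport patches should be swapped to keep the series bisectable. With `jh` now in hand, `bg = (struct ocfs2_group_desc *) jh->b_committed_data;` would avoid the second `bh2jh(bg_bh)` lookup and make it obvious that the reference taken by the grab is what keeps the journal_head alive across the read. The backport keeps `jbd_lock_bh_state()` (the BH_State bit lock on this base) where the message talks about `jh->b_state_lock`; the new code no longer nests any lock inside the journal-head bit lock, so the fix should carry over, but that is worth a quick check against this tree's commit path. The function's signature line is above the hunk.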
Signed-off-by: Joseph Qi
Cc: Mark Fasheh
Cc: Joel Becker
Cc: Junxiao Bi
Cc: Changwei Ge
Cc: Gang He
Cc: Jun Piao
Cc: Andreas Dilger
Cc: Gautham Ananthakrishna
Cc: Saeed Mirzamohammadi
Cc: "Theodore Ts'o"
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: liwei
---
 fs/jbd2/journal.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
index 8eecb2e1abbc..4462b6ec32b7 100644
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -2628,6 +2628,7 @@ struct journal_head *jbd2_journal_grab_journal_head(struct buffer_head *bh)
 	jbd_unlock_bh_journal_head(bh);
 	return jh;
 }
+EXPORT_SYMBOL(jbd2_journal_grab_journal_head);
 
 static void __journal_remove_journal_head(struct buffer_head *bh)
 {
@@ -2673,6 +2674,7 @@ void jbd2_journal_put_journal_head(struct journal_head *jh)
 	} else
 		jbd_unlock_bh_journal_head(bh);
 }
+EXPORT_SYMBOL(jbd2_journal_put_journal_head);
 
 /*
  * Initialize jbd inode head
-- Gitee
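Review bot: `jbd2_journal_grab_journal_head()` becomes a cross-module API with this export, and the hunk shows nothing of its contract for outside callers; if the comment above the function (outside the hunk) does not already say so, it should state that the function returns NULL when the buffer has no journal_head attached, and that a non-NULL result carries a reference the caller must release with `jbd2_journal_put_journal_head()`. Using `EXPORT_SYMBOL` rather than `EXPORT_SYMBOL_GPL` follows the upstream commit; confirm it matches this tree's policy for the other jbd2 exports in the file, which are not visible here. The function's opening lines are above the hunk.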
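Review bot: The exported `jbd2_journal_put_journal_head()` takes the BH_JournalHead bit lock itself (the hunk shows it releasing that lock on the `else` path), so external callers such as the ocfs2 user in this series must not hold `jbd_lock_bh_journal_head` when calling it, and presumably must not touch `jh` afterwards since the other branch, above the hunk, looks like the one that frees it. A short comment at the function would capture that for callers outside jbd2, e.g. `/* Drop a reference taken by jbd2_journal_grab_journal_head(); takes the BH_JournalHead bit lock, so call with it released, and do not use jh afterwards. */`. The function's body starts outside the hunk.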