--- /dev/null
+From 9a74cbbf7876567d87e4396d06ae003023264850 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Feb 2020 18:58:56 +0800
+Subject: jbd2: do not clear the BH_Mapped flag when forgetting a metadata
+ buffer
+
+From: zhangyi (F) <yi.zhang@huawei.com>
+
+[ Upstream commit c96dceeabf765d0b1b1f29c3bf50a5c01315b820 ]
+
+Commit 904cdbd41d74 ("jbd2: clear dirty flag when revoking a buffer from
+an older transaction") set the BH_Freed flag when forgetting a metadata
+buffer which belongs to the committing transaction, it indicate the
+committing process clear dirty bits when it is done with the buffer. But
+it also clear the BH_Mapped flag at the same time, which may trigger
+below NULL pointer oops when block_size < PAGE_SIZE.
+
+rmdir 1 kjournald2 mkdir 2
+ jbd2_journal_commit_transaction
+ commit transaction N
+jbd2_journal_forget
+set_buffer_freed(bh1)
+ jbd2_journal_commit_transaction
+ commit transaction N+1
+ ...
+ clear_buffer_mapped(bh1)
+ ext4_getblk(bh2 ummapped)
+ ...
+ grow_dev_page
+ init_page_buffers
+ bh1->b_private=NULL
+ bh2->b_private=NULL
+ jbd2_journal_put_journal_head(jh1)
+ __journal_remove_journal_head(hb1)
+ jh1 is NULL and trigger oops
+
+*) Dir entry block bh1 and bh2 belongs to one page, and the bh2 has
+ already been unmapped.
+
+For the metadata buffer we forgetting, we should always keep the mapped
+flag and clear the dirty flags is enough, so this patch pick out the
+these buffers and keep their BH_Mapped flag.
+
+Link: https://lore.kernel.org/r/20200213063821.30455-3-yi.zhang@huawei.com
+Fixes: 904cdbd41d74 ("jbd2: clear dirty flag when revoking a buffer from an older transaction")
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jbd2/commit.c | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
+index 89cbf45a1dcda..cb0da3d4adc04 100644
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -982,12 +982,29 @@ void jbd2_journal_commit_transaction(journal_t *journal)
+ * pagesize and it is attached to the last partial page.
+ */
+ if (buffer_freed(bh) && !jh->b_next_transaction) {
++ struct address_space *mapping;
++
+ clear_buffer_freed(bh);
+ clear_buffer_jbddirty(bh);
+- clear_buffer_mapped(bh);
+- clear_buffer_new(bh);
+- clear_buffer_req(bh);
+- bh->b_bdev = NULL;
++
++ /*
++ * Block device buffers need to stay mapped all the
++ * time, so it is enough to clear buffer_jbddirty and
++ * buffer_freed bits. For the file mapping buffers (i.e.
++ * journalled data) we need to unmap buffer and clear
++ * more bits. We also need to be careful about the check
++ * because the data page mapping can get cleared under
++ * out hands, which alse need not to clear more bits
++ * because the page and buffers will be freed and can
++ * never be reused once we are done with them.
++ */
++ mapping = READ_ONCE(bh->b_page->mapping);
++ if (mapping && !sb_is_blkdev_sb(mapping->host->i_sb)) {
++ clear_buffer_mapped(bh);
++ clear_buffer_new(bh);
++ clear_buffer_req(bh);
++ bh->b_bdev = NULL;
++ }
+ }
+
+ if (buffer_jbddirty(bh)) {
+--
+2.20.1
+
--- /dev/null
+From d599424163d380f75d1c84a466dfc1d5e4273eb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Feb 2020 18:58:55 +0800
+Subject: jbd2: move the clearing of b_modified flag to the
+ journal_unmap_buffer()
+
+From: zhangyi (F) <yi.zhang@huawei.com>
+
+[ Upstream commit 6a66a7ded12baa6ebbb2e3e82f8cb91382814839 ]
+
+There is no need to delay the clearing of b_modified flag to the
+transaction committing time when unmapping the journalled buffer, so
+just move it to the journal_unmap_buffer().
+
+Link: https://lore.kernel.org/r/20200213063821.30455-2-yi.zhang@huawei.com
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jbd2/commit.c | 43 +++++++++++++++----------------------------
+ fs/jbd2/transaction.c | 10 ++++++----
+ 2 files changed, 21 insertions(+), 32 deletions(-)
+
+diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
+index 7dd6133925921..89cbf45a1dcda 100644
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -973,34 +973,21 @@ void jbd2_journal_commit_transaction(journal_t *journal)
+ * it. */
+
+ /*
+- * A buffer which has been freed while still being journaled by
+- * a previous transaction.
+- */
+- if (buffer_freed(bh)) {
+- /*
+- * If the running transaction is the one containing
+- * "add to orphan" operation (b_next_transaction !=
+- * NULL), we have to wait for that transaction to
+- * commit before we can really get rid of the buffer.
+- * So just clear b_modified to not confuse transaction
+- * credit accounting and refile the buffer to
+- * BJ_Forget of the running transaction. If the just
+- * committed transaction contains "add to orphan"
+- * operation, we can completely invalidate the buffer
+- * now. We are rather through in that since the
+- * buffer may be still accessible when blocksize <
+- * pagesize and it is attached to the last partial
+- * page.
+- */
+- jh->b_modified = 0;
+- if (!jh->b_next_transaction) {
+- clear_buffer_freed(bh);
+- clear_buffer_jbddirty(bh);
+- clear_buffer_mapped(bh);
+- clear_buffer_new(bh);
+- clear_buffer_req(bh);
+- bh->b_bdev = NULL;
+- }
++ * A buffer which has been freed while still being journaled
++ * by a previous transaction, refile the buffer to BJ_Forget of
++ * the running transaction. If the just committed transaction
++ * contains "add to orphan" operation, we can completely
++ * invalidate the buffer now. We are rather through in that
++ * since the buffer may be still accessible when blocksize <
++ * pagesize and it is attached to the last partial page.
++ */
++ if (buffer_freed(bh) && !jh->b_next_transaction) {
++ clear_buffer_freed(bh);
++ clear_buffer_jbddirty(bh);
++ clear_buffer_mapped(bh);
++ clear_buffer_new(bh);
++ clear_buffer_req(bh);
++ bh->b_bdev = NULL;
+ }
+
+ if (buffer_jbddirty(bh)) {
+diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
+index 7fe422eced89b..f2ff141a4479e 100644
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -2231,14 +2231,16 @@ static int journal_unmap_buffer(journal_t *journal, struct buffer_head *bh,
+ return -EBUSY;
+ }
+ /*
+- * OK, buffer won't be reachable after truncate. We just set
+- * j_next_transaction to the running transaction (if there is
+- * one) and mark buffer as freed so that commit code knows it
+- * should clear dirty bits when it is done with the buffer.
++ * OK, buffer won't be reachable after truncate. We just clear
++ * b_modified to not confuse transaction credit accounting, and
++ * set j_next_transaction to the running transaction (if there
++ * is one) and mark buffer as freed so that commit code knows
++ * it should clear dirty bits when it is done with the buffer.
+ */
+ set_buffer_freed(bh);
+ if (journal->j_running_transaction && buffer_jbddirty(bh))
+ jh->b_next_transaction = journal->j_running_transaction;
++ jh->b_modified = 0;
+ jbd2_journal_put_journal_head(jh);
+ spin_unlock(&journal->j_list_lock);
+ jbd_unlock_bh_state(bh);
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
