--- /dev/null
+From dfff66f30f66b9524b661f311bbed8ff3d2ca49f Mon Sep 17 00:00:00 2001
+From: Ye Bin <yebin10@huawei.com>
+Date: Sat, 17 Sep 2022 17:38:05 +0800
+Subject: jbd2: add miss release buffer head in fc_do_one_pass()
+
+From: Ye Bin <yebin10@huawei.com>
+
+commit dfff66f30f66b9524b661f311bbed8ff3d2ca49f upstream.
+
+In fc_do_one_pass() miss release buffer head after use which will lead
+to reference count leak.
+
+Cc: stable@kernel.org
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20220917093805.1782845-1-yebin10@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jbd2/recovery.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/jbd2/recovery.c
++++ b/fs/jbd2/recovery.c
+@@ -256,6 +256,7 @@ static int fc_do_one_pass(journal_t *jou
+ err = journal->j_fc_replay_callback(journal, bh, pass,
+ next_fc_block - journal->j_fc_first,
+ expected_commit_id);
++ brelse(bh);
+ next_fc_block++;
+ if (err < 0 || err == JBD2_FC_REPLAY_STOP)
+ break;
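Review bot: The `brelse(bh)` added right after the `j_fc_replay_callback` call drops the reference unconditionally, but nothing here records the lifetime rule this imposes on the callback. If a callback ever stored `bh` for later use without taking its own reference, it would be left holding a pointer this loop has already released. A short comment above the release would make the contract explicit, for example `/* callback must get_bh() if it keeps bh beyond this call */`. The loop that obtains `bh` starts outside the hunk, so I am assuming each iteration takes exactly one reference.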
--- /dev/null
+From e0d5fc7a6d80ac2406c7dfc6bb625201d0250a8a Mon Sep 17 00:00:00 2001
+From: Ye Bin <yebin10@huawei.com>
+Date: Wed, 14 Sep 2022 18:08:11 +0800
+Subject: jbd2: fix potential buffer head reference count leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ye Bin <yebin10@huawei.com>
+
+commit e0d5fc7a6d80ac2406c7dfc6bb625201d0250a8a upstream.
+
+As in 'jbd2_fc_wait_bufs' if buffer isn't uptodate, will return -EIO without
+update 'journal->j_fc_off'. But 'jbd2_fc_release_bufs' will release buffer head
+from ‘j_fc_off - 1’ if 'bh' is NULL will terminal release which will lead to
+buffer head buffer head reference count leak.
+To solve above issue, update 'journal->j_fc_off' before return -EIO.
+
+Cc: stable@kernel.org
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20220914100812.1414768-2-yebin10@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jbd2/journal.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -926,8 +926,14 @@ int jbd2_fc_wait_bufs(journal_t *journal
+ wait_on_buffer(bh);
+ put_bh(bh);
+ journal->j_fc_wbuf[i] = NULL;
+- if (unlikely(!buffer_uptodate(bh)))
++ /*
++ * Update j_fc_off so jbd2_fc_release_bufs can release remain
++ * buffer head.
++ */
++ if (unlikely(!buffer_uptodate(bh))) {
++ journal->j_fc_off = i;
+ return -EIO;
++ }
+ }
+
+ return 0;
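Review bot: In the new `if (unlikely(!buffer_uptodate(bh))) {` block, `bh` is still read after `put_bh(bh)` two lines earlier, so this patch on its own leaves a read of the buffer head after the function's reference has been dropped. The next patch in this queue ("jbd2: fix potential use-after-free in jbd2_fc_wait_bufs") moves the check ahead of the put and changes the assignment to `journal->j_fc_off = i + 1;`. The two are therefore order-dependent and should only be backported as a pair. The enclosing loop starts outside this hunk.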
--- /dev/null
+From 243d1a5d505d0b0460c9af0ad56ed4a56ef0bebd Mon Sep 17 00:00:00 2001
+From: Ye Bin <yebin10@huawei.com>
+Date: Wed, 14 Sep 2022 18:08:12 +0800
+Subject: jbd2: fix potential use-after-free in jbd2_fc_wait_bufs
+
+From: Ye Bin <yebin10@huawei.com>
+
+commit 243d1a5d505d0b0460c9af0ad56ed4a56ef0bebd upstream.
+
+In 'jbd2_fc_wait_bufs' use 'bh' after put buffer head reference count
+which may lead to use-after-free.
+So judge buffer if uptodate before put buffer head reference count.
+
+Cc: stable@kernel.org
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20220914100812.1414768-3-yebin10@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jbd2/journal.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -924,16 +924,16 @@ int jbd2_fc_wait_bufs(journal_t *journal
+ for (i = j_fc_off - 1; i >= j_fc_off - num_blks; i--) {
+ bh = journal->j_fc_wbuf[i];
+ wait_on_buffer(bh);
+- put_bh(bh);
+- journal->j_fc_wbuf[i] = NULL;
+ /*
+ * Update j_fc_off so jbd2_fc_release_bufs can release remain
+ * buffer head.
+ */
+ if (unlikely(!buffer_uptodate(bh))) {
+- journal->j_fc_off = i;
++ journal->j_fc_off = i + 1;
+ return -EIO;
+ }
++ put_bh(bh);
++ journal->j_fc_wbuf[i] = NULL;
+ }
+
+ return 0;
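Review bot: The comment above `journal->j_fc_off = i + 1;` was written for the earlier `= i` version and no longer explains the value. On the -EIO path the buffer at index `i` now keeps its reference and its `j_fc_wbuf[i]` slot, so cleanup has to start at `i`, not `i - 1`. According to the companion patch's description, `jbd2_fc_release_bufs` releases downwards from `j_fc_off - 1`. I would reword the comment to something like `/* bh at i still holds its reference here; set j_fc_off past it so jbd2_fc_release_bufs drops it too */`, so the off-by-one is not "corrected" back later.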
--- /dev/null
+From 34fc8768ec6089565d6d73bad26724083cecf7bd Mon Sep 17 00:00:00 2001
+From: Andrew Perepechko <anserper@ya.ru>
+Date: Wed, 7 Sep 2022 19:59:59 +0300
+Subject: jbd2: wake up journal waiters in FIFO order, not LIFO
+
+From: Andrew Perepechko <anserper@ya.ru>
+
+commit 34fc8768ec6089565d6d73bad26724083cecf7bd upstream.
+
+LIFO wakeup order is unfair and sometimes leads to a journal
+user not being able to get a journal handle for hundreds of
+transactions in a row.
+
+FIFO wakeup can make things more fair.
+
+Cc: stable@kernel.org
+Signed-off-by: Alexey Lyashkov <alexey.lyashkov@gmail.com>
+Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
+Link: https://lore.kernel.org/r/20220907165959.1137482-1-alexey.lyashkov@gmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jbd2/commit.c | 2 +-
+ fs/jbd2/transaction.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -581,7 +581,7 @@ void jbd2_journal_commit_transaction(jou
+ journal->j_running_transaction = NULL;
+ start_time = ktime_get();
+ commit_transaction->t_log_start = journal->j_head;
+- wake_up(&journal->j_wait_transaction_locked);
++ wake_up_all(&journal->j_wait_transaction_locked);
+ write_unlock(&journal->j_state_lock);
+
+ jbd_debug(3, "JBD2: commit phase 2a\n");
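Review bot: The `wake_up_all()` here is only correct together with the `prepare_to_wait_exclusive()` calls in wait_transaction_locked and wait_transaction_switching, and nothing in the code records that coupling. Exclusive waiters are queued at the tail, which gives the FIFO order, but a plain `wake_up()` wakes only one of them. Any waker of `j_wait_transaction_locked` that stays as, or is later reverted to, `wake_up()` could therefore leave waiters stalled. I would add a comment above this call and the one in jbd2_journal_unlock_updates, for example `/* waiters queue exclusive for FIFO order; wake all of them */`. Any other wakers of this queue outside these hunks should be checked as well.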
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -173,7 +173,7 @@ static void wait_transaction_locked(jour
+ int need_to_start;
+ tid_t tid = journal->j_running_transaction->t_tid;
+
+- prepare_to_wait(&journal->j_wait_transaction_locked, &wait,
++ prepare_to_wait_exclusive(&journal->j_wait_transaction_locked, &wait,
+ TASK_UNINTERRUPTIBLE);
+ need_to_start = !tid_geq(journal->j_commit_request, tid);
+ read_unlock(&journal->j_state_lock);
+@@ -199,7 +199,7 @@ static void wait_transaction_switching(j
+ read_unlock(&journal->j_state_lock);
+ return;
+ }
+- prepare_to_wait(&journal->j_wait_transaction_locked, &wait,
++ prepare_to_wait_exclusive(&journal->j_wait_transaction_locked, &wait,
+ TASK_UNINTERRUPTIBLE);
+ read_unlock(&journal->j_state_lock);
+ /*
+@@ -911,7 +911,7 @@ void jbd2_journal_unlock_updates (journa
+ write_lock(&journal->j_state_lock);
+ --journal->j_barrier_count;
+ write_unlock(&journal->j_state_lock);
+- wake_up(&journal->j_wait_transaction_locked);
++ wake_up_all(&journal->j_wait_transaction_locked);
+ }
+
+ static void warn_dirty_buffer(struct buffer_head *bh)
f2fs-fix-to-do-sanity-check-on-summary-info.patch
hardening-avoid-harmless-clang-option-under-config_init_stack_all_zero.patch
hardening-remove-clang-s-enable-flag-for-ftrivial-auto-var-init-zero.patch
+jbd2-wake-up-journal-waiters-in-fifo-order-not-lifo.patch
+jbd2-fix-potential-buffer-head-reference-count-leak.patch
+jbd2-fix-potential-use-after-free-in-jbd2_fc_wait_bufs.patch
+jbd2-add-miss-release-buffer-head-in-fc_do_one_pass.patch