From: Sasha Levin <sashal@kernel.org>
Date: Tue, 18 Feb 2020 18:17:22 +0000 (-0500)
Subject: fixes for 4.14
X-Git-Tag: v4.19.105~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=06e0bddd953315bb05e611b447dc0aa4cc0a82d8;p=thirdparty%2Fkernel%2Fstable-queue.git

fixes for 4.14

Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/queue-4.14/jbd2-do-not-clear-the-bh_mapped-flag-when-forgetting.patch b/queue-4.14/jbd2-do-not-clear-the-bh_mapped-flag-when-forgetting.patch
new file mode 100644
index 00000000000..a6a85b5b15c
--- /dev/null
+++ b/queue-4.14/jbd2-do-not-clear-the-bh_mapped-flag-when-forgetting.patch
@@ -0,0 +1,95 @@
+From 9a74cbbf7876567d87e4396d06ae003023264850 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Feb 2020 18:58:56 +0800
+Subject: jbd2: do not clear the BH_Mapped flag when forgetting a metadata
+ buffer
+
+From: zhangyi (F) <yi.zhang@huawei.com>
+
+[ Upstream commit c96dceeabf765d0b1b1f29c3bf50a5c01315b820 ]
+
+Commit 904cdbd41d74 ("jbd2: clear dirty flag when revoking a buffer from
+an older transaction") set the BH_Freed flag when forgetting a metadata
+buffer which belongs to the committing transaction, it indicate the
+committing process clear dirty bits when it is done with the buffer. But
+it also clear the BH_Mapped flag at the same time, which may trigger
+below NULL pointer oops when block_size < PAGE_SIZE.
+
+rmdir 1             kjournald2                 mkdir 2
+                    jbd2_journal_commit_transaction
+		    commit transaction N
+jbd2_journal_forget
+set_buffer_freed(bh1)
+                    jbd2_journal_commit_transaction
+                     commit transaction N+1
+                     ...
+                     clear_buffer_mapped(bh1)
+                                               ext4_getblk(bh2 ummapped)
+                                               ...
+                                               grow_dev_page
+                                                init_page_buffers
+                                                 bh1->b_private=NULL
+                                                 bh2->b_private=NULL
+                     jbd2_journal_put_journal_head(jh1)
+                      __journal_remove_journal_head(hb1)
+		       jh1 is NULL and trigger oops
+
+*) Dir entry block bh1 and bh2 belongs to one page, and the bh2 has
+   already been unmapped.
+
+For the metadata buffer we forgetting, we should always keep the mapped
+flag and clear the dirty flags is enough, so this patch pick out the
+these buffers and keep their BH_Mapped flag.
+
+Link: https://lore.kernel.org/r/20200213063821.30455-3-yi.zhang@huawei.com
+Fixes: 904cdbd41d74 ("jbd2: clear dirty flag when revoking a buffer from an older transaction")
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jbd2/commit.c | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
+index 89cbf45a1dcda..cb0da3d4adc04 100644
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -982,12 +982,29 @@ void jbd2_journal_commit_transaction(journal_t *journal)
+ 		 * pagesize and it is attached to the last partial page.
+ 		 */
+ 		if (buffer_freed(bh) && !jh->b_next_transaction) {
++			struct address_space *mapping;
++
+ 			clear_buffer_freed(bh);
+ 			clear_buffer_jbddirty(bh);
+-			clear_buffer_mapped(bh);
+-			clear_buffer_new(bh);
+-			clear_buffer_req(bh);
+-			bh->b_bdev = NULL;
++
++			/*
++			 * Block device buffers need to stay mapped all the
++			 * time, so it is enough to clear buffer_jbddirty and
++			 * buffer_freed bits. For the file mapping buffers (i.e.
++			 * journalled data) we need to unmap buffer and clear
++			 * more bits. We also need to be careful about the check
++			 * because the data page mapping can get cleared under
++			 * out hands, which alse need not to clear more bits
++			 * because the page and buffers will be freed and can
++			 * never be reused once we are done with them.
++			 */
++			mapping = READ_ONCE(bh->b_page->mapping);
++			if (mapping && !sb_is_blkdev_sb(mapping->host->i_sb)) {
++				clear_buffer_mapped(bh);
++				clear_buffer_new(bh);
++				clear_buffer_req(bh);
++				bh->b_bdev = NULL;
++			}
+ 		}
+ 
+ 		if (buffer_jbddirty(bh)) {
+-- 
+2.20.1
+
diff --git a/queue-4.14/jbd2-move-the-clearing-of-b_modified-flag-to-the-jou.patch b/queue-4.14/jbd2-move-the-clearing-of-b_modified-flag-to-the-jou.patch
new file mode 100644
index 00000000000..6843d43a8d6
--- /dev/null
+++ b/queue-4.14/jbd2-move-the-clearing-of-b_modified-flag-to-the-jou.patch
@@ -0,0 +1,107 @@
+From d599424163d380f75d1c84a466dfc1d5e4273eb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Feb 2020 18:58:55 +0800
+Subject: jbd2: move the clearing of b_modified flag to the
+ journal_unmap_buffer()
+
+From: zhangyi (F) <yi.zhang@huawei.com>
+
+[ Upstream commit 6a66a7ded12baa6ebbb2e3e82f8cb91382814839 ]
+
+There is no need to delay the clearing of b_modified flag to the
+transaction committing time when unmapping the journalled buffer, so
+just move it to the journal_unmap_buffer().
+
+Link: https://lore.kernel.org/r/20200213063821.30455-2-yi.zhang@huawei.com
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jbd2/commit.c      | 43 +++++++++++++++----------------------------
+ fs/jbd2/transaction.c | 10 ++++++----
+ 2 files changed, 21 insertions(+), 32 deletions(-)
+
+diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
+index 7dd6133925921..89cbf45a1dcda 100644
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -973,34 +973,21 @@ void jbd2_journal_commit_transaction(journal_t *journal)
+ 		 * it. */
+ 
+ 		/*
+-		* A buffer which has been freed while still being journaled by
+-		* a previous transaction.
+-		*/
+-		if (buffer_freed(bh)) {
+-			/*
+-			 * If the running transaction is the one containing
+-			 * "add to orphan" operation (b_next_transaction !=
+-			 * NULL), we have to wait for that transaction to
+-			 * commit before we can really get rid of the buffer.
+-			 * So just clear b_modified to not confuse transaction
+-			 * credit accounting and refile the buffer to
+-			 * BJ_Forget of the running transaction. If the just
+-			 * committed transaction contains "add to orphan"
+-			 * operation, we can completely invalidate the buffer
+-			 * now. We are rather through in that since the
+-			 * buffer may be still accessible when blocksize <
+-			 * pagesize and it is attached to the last partial
+-			 * page.
+-			 */
+-			jh->b_modified = 0;
+-			if (!jh->b_next_transaction) {
+-				clear_buffer_freed(bh);
+-				clear_buffer_jbddirty(bh);
+-				clear_buffer_mapped(bh);
+-				clear_buffer_new(bh);
+-				clear_buffer_req(bh);
+-				bh->b_bdev = NULL;
+-			}
++		 * A buffer which has been freed while still being journaled
++		 * by a previous transaction, refile the buffer to BJ_Forget of
++		 * the running transaction. If the just committed transaction
++		 * contains "add to orphan" operation, we can completely
++		 * invalidate the buffer now. We are rather through in that
++		 * since the buffer may be still accessible when blocksize <
++		 * pagesize and it is attached to the last partial page.
++		 */
++		if (buffer_freed(bh) && !jh->b_next_transaction) {
++			clear_buffer_freed(bh);
++			clear_buffer_jbddirty(bh);
++			clear_buffer_mapped(bh);
++			clear_buffer_new(bh);
++			clear_buffer_req(bh);
++			bh->b_bdev = NULL;
+ 		}
+ 
+ 		if (buffer_jbddirty(bh)) {
+diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
+index 7fe422eced89b..f2ff141a4479e 100644
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -2231,14 +2231,16 @@ static int journal_unmap_buffer(journal_t *journal, struct buffer_head *bh,
+ 			return -EBUSY;
+ 		}
+ 		/*
+-		 * OK, buffer won't be reachable after truncate. We just set
+-		 * j_next_transaction to the running transaction (if there is
+-		 * one) and mark buffer as freed so that commit code knows it
+-		 * should clear dirty bits when it is done with the buffer.
++		 * OK, buffer won't be reachable after truncate. We just clear
++		 * b_modified to not confuse transaction credit accounting, and
++		 * set j_next_transaction to the running transaction (if there
++		 * is one) and mark buffer as freed so that commit code knows
++		 * it should clear dirty bits when it is done with the buffer.
+ 		 */
+ 		set_buffer_freed(bh);
+ 		if (journal->j_running_transaction && buffer_jbddirty(bh))
+ 			jh->b_next_transaction = journal->j_running_transaction;
++		jh->b_modified = 0;
+ 		jbd2_journal_put_journal_head(jh);
+ 		spin_unlock(&journal->j_list_lock);
+ 		jbd_unlock_bh_state(bh);
+-- 
+2.20.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index d1bc407246d..38cb7b020c1 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -24,3 +24,5 @@ rdma-core-fix-protection-fault-in-get_pkey_idx_qp_list.patch
 s390-time-fix-clk-type-in-get_tod_clock.patch
 perf-x86-intel-fix-inaccurate-period-in-context-switch-for-auto-reload.patch
 hwmon-pmbus-ltc2978-fix-pmbus-polling-of-mfr_common-definitions.patch
+jbd2-move-the-clearing-of-b_modified-flag-to-the-jou.patch
+jbd2-do-not-clear-the-bh_mapped-flag-when-forgetting.patch