From: Greg Kroah-Hartman
Date: Sun, 16 Oct 2022 13:09:13 +0000 (+0200)
Subject: 5.19-stable patches
X-Git-Tag: v5.4.219~113
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e0245ebff3ba2c6fe1f59f470f0450d425a30de0;p=thirdparty%2Fkernel%2Fstable-queue.git
5.19-stable patches
added patches:
jbd2-add-miss-release-buffer-head-in-fc_do_one_pass.patch
jbd2-fix-potential-buffer-head-reference-count-leak.patch
jbd2-fix-potential-use-after-free-in-jbd2_fc_wait_bufs.patch
jbd2-wake-up-journal-waiters-in-fifo-order-not-lifo.patch
---
diff --git a/queue-5.19/jbd2-add-miss-release-buffer-head-in-fc_do_one_pass.patch b/queue-5.19/jbd2-add-miss-release-buffer-head-in-fc_do_one_pass.patch
new file mode 100644
index 00000000000..8517fcbf66f
--- /dev/null
+++ b/queue-5.19/jbd2-add-miss-release-buffer-head-in-fc_do_one_pass.patch
@@ -0,0 +1,32 @@
+From dfff66f30f66b9524b661f311bbed8ff3d2ca49f Mon Sep 17 00:00:00 2001
+From: Ye Bin
+Date: Sat, 17 Sep 2022 17:38:05 +0800
+Subject: jbd2: add miss release buffer head in fc_do_one_pass()
+
+From: Ye Bin
+
+commit dfff66f30f66b9524b661f311bbed8ff3d2ca49f upstream.
+
+In fc_do_one_pass() miss release buffer head after use which will lead
+to reference count leak.
+
+Cc: stable@kernel.org
+Signed-off-by: Ye Bin
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20220917093805.1782845-1-yebin10@huawei.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/jbd2/recovery.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/jbd2/recovery.c
++++ b/fs/jbd2/recovery.c
+@@ -256,6 +256,7 @@ static int fc_do_one_pass(journal_t *jou
+ err = journal->j_fc_replay_callback(journal, bh, pass,
+ next_fc_block - journal->j_fc_first,
+ expected_commit_id);
++ brelse(bh);
+ next_fc_block++;
+ if (err < 0 || err == JBD2_FC_REPLAY_STOP)
+ break;
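Review bot: The added `brelse(bh)` in fc_do_one_pass() is only safe if j_fc_replay_callback() neither keeps a pointer to bh past its return nor drops the reference itself; with this release in place, either would turn replay of a corrupted or crafted fast-commit area into a use-after-free or an over-release, and nothing in the hunk states that contract. A one-line comment on the new line would pin it: `/* bh is released here; the replay callback must not keep or drop it */`. The read that takes the reference and the enclosing loop sit above the hunk, so whether every exit path of that loop now releases bh could not be confirmed from here. fc_do_one_pass() starts and ends outside the hunk.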
diff --git a/queue-5.19/jbd2-fix-potential-buffer-head-reference-count-leak.patch b/queue-5.19/jbd2-fix-potential-buffer-head-reference-count-leak.patch
new file mode 100644
index 00000000000..44e126a0217
--- /dev/null
+++ b/queue-5.19/jbd2-fix-potential-buffer-head-reference-count-leak.patch
@@ -0,0 +1,46 @@
+From e0d5fc7a6d80ac2406c7dfc6bb625201d0250a8a Mon Sep 17 00:00:00 2001
+From: Ye Bin
+Date: Wed, 14 Sep 2022 18:08:11 +0800
+Subject: jbd2: fix potential buffer head reference count leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ye Bin
+
+commit e0d5fc7a6d80ac2406c7dfc6bb625201d0250a8a upstream.
+
+As in 'jbd2_fc_wait_bufs' if buffer isn't uptodate, will return -EIO without
+update 'journal->j_fc_off'. But 'jbd2_fc_release_bufs' will release buffer head
+from ‘j_fc_off - 1’ if 'bh' is NULL will terminal release which will lead to
+buffer head buffer head reference count leak.
+To solve above issue, update 'journal->j_fc_off' before return -EIO.
+
+Cc: stable@kernel.org
+Signed-off-by: Ye Bin
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20220914100812.1414768-2-yebin10@huawei.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/jbd2/journal.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -928,8 +928,14 @@ int jbd2_fc_wait_bufs(journal_t *journal
+ wait_on_buffer(bh);
+ put_bh(bh);
+ journal->j_fc_wbuf[i] = NULL;
+- if (unlikely(!buffer_uptodate(bh)))
++ /*
++ * Update j_fc_off so jbd2_fc_release_bufs can release remain
++ * buffer head.
++ */
++ if (unlikely(!buffer_uptodate(bh))) {
++ journal->j_fc_off = i;
+ return -EIO;
++ }
+ }
+
+ return 0;
diff --git a/queue-5.19/jbd2-fix-potential-use-after-free-in-jbd2_fc_wait_bufs.patch b/queue-5.19/jbd2-fix-potential-use-after-free-in-jbd2_fc_wait_bufs.patch
new file mode 100644
index 00000000000..99934c47dde
--- /dev/null
+++ b/queue-5.19/jbd2-fix-potential-use-after-free-in-jbd2_fc_wait_bufs.patch
@@ -0,0 +1,45 @@
+From 243d1a5d505d0b0460c9af0ad56ed4a56ef0bebd Mon Sep 17 00:00:00 2001
+From: Ye Bin
+Date: Wed, 14 Sep 2022 18:08:12 +0800
+Subject: jbd2: fix potential use-after-free in jbd2_fc_wait_bufs
+
+From: Ye Bin
+
+commit 243d1a5d505d0b0460c9af0ad56ed4a56ef0bebd upstream.
+
+In 'jbd2_fc_wait_bufs' use 'bh' after put buffer head reference count
+which may lead to use-after-free.
+So judge buffer if uptodate before put buffer head reference count.
+
+Cc: stable@kernel.org
+Signed-off-by: Ye Bin
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20220914100812.1414768-3-yebin10@huawei.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/jbd2/journal.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -926,16 +926,16 @@ int jbd2_fc_wait_bufs(journal_t *journal
+ for (i = j_fc_off - 1; i >= j_fc_off - num_blks; i--) {
+ bh = journal->j_fc_wbuf[i];
+ wait_on_buffer(bh);
+- put_bh(bh);
+- journal->j_fc_wbuf[i] = NULL;
+ /*
+ * Update j_fc_off so jbd2_fc_release_bufs can release remain
+ * buffer head.
+ */
+ if (unlikely(!buffer_uptodate(bh))) {
+- journal->j_fc_off = i;
++ journal->j_fc_off = i + 1;
+ return -EIO;
+ }
++ put_bh(bh);
++ journal->j_fc_wbuf[i] = NULL;
+ }
+
+ return 0;
diff --git a/queue-5.19/jbd2-wake-up-journal-waiters-in-fifo-order-not-lifo.patch b/queue-5.19/jbd2-wake-up-journal-waiters-in-fifo-order-not-lifo.patch
new file mode 100644
index 00000000000..023adf65cda
--- /dev/null
+++ b/queue-5.19/jbd2-wake-up-journal-waiters-in-fifo-order-not-lifo.patch
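Review bot: The `journal->j_fc_off = i + 1;` in jbd2_fc_wait_bufs() is right only because put_bh() and the clearing of j_fc_wbuf[i] now sit below the uptodate check, so slot i still holds its reference when -EIO is returned; the comment kept above the check ("release remain buffer head") does not say so, and the previous patch in this queue, which used `i` when the slot had already been dropped, shows how easily the value gets read as an off-by-one. I would replace that comment with one that states the invariant, e.g. `/* Slot i is still referenced (put_bh() is below), so leave j_fc_off at i + 1 for jbd2_fc_release_bufs() to drop it. */`. jbd2_fc_wait_bufs() begins above the hunk, so the loop's precondition on num_blks relative to j_fc_off is not visible here.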
@@ -0,0 +1,66 @@
+From 34fc8768ec6089565d6d73bad26724083cecf7bd Mon Sep 17 00:00:00 2001
+From: Andrew Perepechko
+Date: Wed, 7 Sep 2022 19:59:59 +0300
+Subject: jbd2: wake up journal waiters in FIFO order, not LIFO
+
+From: Andrew Perepechko
+
+commit 34fc8768ec6089565d6d73bad26724083cecf7bd upstream.
+
+LIFO wakeup order is unfair and sometimes leads to a journal
+user not being able to get a journal handle for hundreds of
+transactions in a row.
+
+FIFO wakeup can make things more fair.
+
+Cc: stable@kernel.org
+Signed-off-by: Alexey Lyashkov
+Reviewed-by: Ritesh Harjani (IBM)
+Link: https://lore.kernel.org/r/20220907165959.1137482-1-alexey.lyashkov@gmail.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/jbd2/commit.c | 2 +-
+ fs/jbd2/transaction.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -570,7 +570,7 @@ void jbd2_journal_commit_transaction(jou
+ journal->j_running_transaction = NULL;
+ start_time = ktime_get();
+ commit_transaction->t_log_start = journal->j_head;
+- wake_up(&journal->j_wait_transaction_locked);
++ wake_up_all(&journal->j_wait_transaction_locked);
+ write_unlock(&journal->j_state_lock);
+
+ jbd_debug(3, "JBD2: commit phase 2a\n");
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -168,7 +168,7 @@ static void wait_transaction_locked(jour
+ int need_to_start;
+ tid_t tid = journal->j_running_transaction->t_tid;
+
+- prepare_to_wait(&journal->j_wait_transaction_locked, &wait,
++ prepare_to_wait_exclusive(&journal->j_wait_transaction_locked, &wait,
+ TASK_UNINTERRUPTIBLE);
+ need_to_start = !tid_geq(journal->j_commit_request, tid);
+ read_unlock(&journal->j_state_lock);
+@@ -194,7 +194,7 @@ static void wait_transaction_switching(j
+ read_unlock(&journal->j_state_lock);
+ return;
+ }
+- prepare_to_wait(&journal->j_wait_transaction_locked, &wait,
++ prepare_to_wait_exclusive(&journal->j_wait_transaction_locked, &wait,
 TASK_UNINTERRUPTIBLE);
+ read_unlock(&journal->j_state_lock);
+ /*
+@@ -920,7 +920,7 @@ void jbd2_journal_unlock_updates (journa
+ write_lock(&journal->j_state_lock);
+ --journal->j_barrier_count;
+ write_unlock(&journal->j_state_lock);
+- wake_up(&journal->j_wait_transaction_locked);
++ wake_up_all(&journal->j_wait_transaction_locked);
+ }
+
+ static void warn_dirty_buffer(struct buffer_head *bh)
diff --git a/queue-5.19/series b/queue-5.19/series
index 040566d5dcd..818332e4f2d 100644
--- a/queue-5.19/series
+++ b/queue-5.19/series
@@ -115,3 +115,7 @@ f2fs-flush-pending-checkpoints-when-freezing-super.patch
 f2fs-increase-the-limit-for-reserve_root.patch
 f2fs-fix-to-do-sanity-check-on-destination-blkaddr-during-recovery.patch
 f2fs-fix-to-do-sanity-check-on-summary-info.patch
+jbd2-wake-up-journal-waiters-in-fifo-order-not-lifo.patch
+jbd2-fix-potential-buffer-head-reference-count-leak.patch
+jbd2-fix-potential-use-after-free-in-jbd2_fc_wait_bufs.patch
+jbd2-add-miss-release-buffer-head-in-fc_do_one_pass.patch
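Review bot: Making the sleepers in wait_transaction_locked() and wait_transaction_switching() exclusive changes what a plain wake_up() on j_wait_transaction_locked does — it now wakes at most one of them — so the two wake_up_all() conversions in jbd2_journal_commit_transaction() and jbd2_journal_unlock_updates() are needed for correctness, not only fairness, and any wake_up() on that queue left elsewhere in jbd2 (not visible in this patch) would now leave TASK_UNINTERRUPTIBLE waiters stranded; a grep for `j_wait_transaction_locked` belongs in the backport checklist. Neither the description nor the code records that coupling, so I would add at each wake site `/* waiters are exclusive (FIFO); a plain wake_up() would wake only one */`. wait_transaction_switching()'s body continues past its hunk.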