4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 11 Aug 2022 14:11:24 +0000 (16:11 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 11 Aug 2022 14:11:24 +0000 (16:11 +0200)
added patches:
add-barriers-to-buffer_uptodate-and-set_buffer_uptodate.patch

queue-4.9/add-barriers-to-buffer_uptodate-and-set_buffer_uptodate.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/add-barriers-to-buffer_uptodate-and-set_buffer_uptodate.patch b/queue-4.9/add-barriers-to-buffer_uptodate-and-set_buffer_uptodate.patch
new file mode 100644 (file)
index 0000000..623c801
--- /dev/null
@@ -0,0 +1,77 @@
+From d4252071b97d2027d246f6a82cbee4d52f618b47 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 9 Aug 2022 14:32:13 -0400
+Subject: add barriers to buffer_uptodate and set_buffer_uptodate
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit d4252071b97d2027d246f6a82cbee4d52f618b47 upstream.
+
+Let's have a look at this piece of code in __bread_slow:
+
+       get_bh(bh);
+       bh->b_end_io = end_buffer_read_sync;
+       submit_bh(REQ_OP_READ, 0, bh);
+       wait_on_buffer(bh);
+       if (buffer_uptodate(bh))
+               return bh;
+
+Neither wait_on_buffer nor buffer_uptodate contain any memory barrier.
+Consequently, if someone calls sb_bread and then reads the buffer data,
+the read of buffer data may be executed before wait_on_buffer(bh) on
+architectures with weak memory ordering and it may return invalid data.
+
+Fix this bug by adding a memory barrier to set_buffer_uptodate and an
+acquire barrier to buffer_uptodate (in a similar way as
+folio_test_uptodate and folio_mark_uptodate).
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/buffer_head.h |   25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+--- a/include/linux/buffer_head.h
++++ b/include/linux/buffer_head.h
+@@ -113,7 +113,6 @@ static __always_inline int test_clear_bu
+  * of the form "mark_buffer_foo()".  These are higher-level functions which
+  * do something in addition to setting a b_state bit.
+  */
+-BUFFER_FNS(Uptodate, uptodate)
+ BUFFER_FNS(Dirty, dirty)
+ TAS_BUFFER_FNS(Dirty, dirty)
+ BUFFER_FNS(Lock, locked)
+@@ -131,6 +130,30 @@ BUFFER_FNS(Meta, meta)
+ BUFFER_FNS(Prio, prio)
+ BUFFER_FNS(Defer_Completion, defer_completion)
++static __always_inline void set_buffer_uptodate(struct buffer_head *bh)
++{
++      /*
++       * make it consistent with folio_mark_uptodate
++       * pairs with smp_load_acquire in buffer_uptodate
++       */
++      smp_mb__before_atomic();
++      set_bit(BH_Uptodate, &bh->b_state);
++}
++
++static __always_inline void clear_buffer_uptodate(struct buffer_head *bh)
++{
++      clear_bit(BH_Uptodate, &bh->b_state);
++}
++
++static __always_inline int buffer_uptodate(const struct buffer_head *bh)
++{
++      /*
++       * make it consistent with folio_test_uptodate
++       * pairs with smp_mb__before_atomic in set_buffer_uptodate
++       */
++      return (smp_load_acquire(&bh->b_state) & (1UL << BH_Uptodate)) != 0;
++}
++
+ #define bh_offset(bh)         ((unsigned long)(bh)->b_data & ~PAGE_MASK)
+ /* If we *know* page->private refers to buffer_heads */
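Review bot: The comments in the added set_buffer_uptodate() and buffer_uptodate() explain the barriers only by pointing at folio_mark_uptodate and folio_test_uptodate, which as far as I know do not exist in a 4.9 tree (the page-level counterparts there are SetPageUptodate and PageUptodate), so a reader of this backport cannot follow the reference. I would state the ordering directly, e.g. in set_buffer_uptodate `/* order the stores that filled the buffer before BH_Uptodate becomes visible; pairs with smp_load_acquire in buffer_uptodate */` and in buffer_uptodate `/* reads of the buffer data must not move ahead of this load of b_state; pairs with smp_mb__before_atomic in set_buffer_uptodate */`. Separately, only callers that go through buffer_uptodate() get the acquire; any code that tests BH_Uptodate on b_state directly (none is visible in this hunk) would keep the old unordered behaviour, so a grep of the 4.9 tree for such users is worth doing before relying on this fix for stale-data reads on weakly ordered architectures.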
index a2351c06e56af30c63acd38f972d9ea7a9209359..2e6a958c2be3e8ce3a6b8c4091c4579e8189fcad 100644 (file)
@@ -25,3 +25,4 @@ macintosh-adb-fix-oob-read-in-do_adb_query-function.patch
 makefile-link-with-z-noexecstack-no-warn-rwx-segments.patch
 x86-link-vdso-and-boot-with-z-noexecstack-no-warn-rwx-segments.patch
 alsa-bcd2000-fix-a-uaf-bug-on-the-error-path-of-probing.patch
+add-barriers-to-buffer_uptodate-and-set_buffer_uptodate.patch