From: Joseph Qi joseph.qi@linux.alibaba.com
mainline inclusion from mainline-v5.17-rc2 commit ddf4b773aa40790dfa936bd845c18e735a49c61c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RDCV CVE: CVE-2021-47493
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
commit 6f1b228529ae introduces a regression which can deadlock as follows:
Task1: Task2: jbd2_journal_commit_transaction ocfs2_test_bg_bit_allocatable spin_lock(&jh->b_state_lock) jbd_lock_bh_journal_head __jbd2_journal_remove_checkpoint spin_lock(&jh->b_state_lock) jbd2_journal_put_journal_head jbd_lock_bh_journal_head
Task1 and Task2 lock bh->b_state and jh->b_state_lock in different order, which finally result in a deadlock.
So use jbd2_journal_[grab|put]_journal_head instead in ocfs2_test_bg_bit_allocatable() to fix it.
Link: https://lkml.kernel.org/r/20220121071205.100648-3-joseph.qi@linux.alibaba.co... Fixes: 6f1b228529ae ("ocfs2: fix race between searching chunks and release journal_head from buffer_head") Signed-off-by: Joseph Qi joseph.qi@linux.alibaba.com Reported-by: Gautham Ananthakrishna gautham.ananthakrishna@oracle.com Tested-by: Gautham Ananthakrishna gautham.ananthakrishna@oracle.com Reported-by: Saeed Mirzamohammadi saeed.mirzamohammadi@oracle.com Cc: "Theodore Ts'o" tytso@mit.edu Cc: Andreas Dilger adilger.kernel@dilger.ca Cc: Changwei Ge gechangwei@live.cn Cc: Gang He ghe@suse.com Cc: Joel Becker jlbec@evilplan.org Cc: Jun Piao piaojun@huawei.com Cc: Junxiao Bi junxiao.bi@oracle.com Cc: Mark Fasheh mark@fasheh.com Cc: stable@vger.kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org
Conflicts: fs/ocfs2/suballoc.c Signed-off-by: liwei liwei728@huawei.com --- fs/ocfs2/suballoc.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c index 46e226d565ec..0a6426e4568f 100644 --- a/fs/ocfs2/suballoc.c +++ b/fs/ocfs2/suballoc.c @@ -1266,25 +1266,25 @@ static int ocfs2_test_bg_bit_allocatable(struct buffer_head *bg_bh, int nr) { struct ocfs2_group_desc *bg = (struct ocfs2_group_desc *) bg_bh->b_data; - int ret = 1; + struct journal_head *jh; + int ret;
if (ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap)) return 0;
- if (!buffer_jbd(bg_bh)) + jh = jbd2_journal_grab_journal_head(bg_bh); + if (!jh) return 1;
- jbd_lock_bh_journal_head(bg_bh); - if (buffer_jbd(bg_bh)) { - jbd_lock_bh_state(bg_bh); - bg = (struct ocfs2_group_desc *) bh2jh(bg_bh)->b_committed_data; - if (bg) - ret = !ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap); - else - ret = 1; - jbd_unlock_bh_state(bg_bh); - } - jbd_unlock_bh_journal_head(bg_bh); + jbd_lock_bh_state(bg_bh); + bg = (struct ocfs2_group_desc *) bh2jh(bg_bh)->b_committed_data; + if (bg) + ret = !ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap); + else + ret = 1; + jbd_unlock_bh_state(bg_bh); + + jbd2_journal_put_journal_head(jh);
return ret; }