From: Jan Kara jack@suse.cz
mainline inclusion from mainline-5.8-rc1 commit ceff86fddae8748fe00d4f2d249cb02cae62ad84 category: bugfix bugzilla: 37213 CVE: NA
-------------------------------------------------
When we are evicting inode with journalled data, we may race with transaction commit in the following way:
CPU0 CPU1 jbd2_journal_commit_transaction() evict(inode) inode_io_list_del() inode_wait_for_writeback() process BJ_Forget list __jbd2_journal_insert_checkpoint() __jbd2_journal_refile_buffer() __jbd2_journal_unfile_buffer() if (test_clear_buffer_jbddirty(bh)) mark_buffer_dirty(bh) __mark_inode_dirty(inode) ext4_evict_inode(inode) frees the inode
This results in use-after-free issues in the writeback code (or the assertion added in the previous commit triggering).
Fix the problem by removing inode from writeback lists once all the page cache is evicted and so inode cannot be added to writeback lists again.
Signed-off-by: Jan Kara jack@suse.cz Link: https://lore.kernel.org/r/20200421085445.5731-4-jack@suse.cz Signed-off-by: Theodore Ts'o tytso@mit.edu Signed-off-by: Luo Meng luomeng12@huawei.com Reviewed-by: zhangyi (F) yi.zhang@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- fs/ext4/inode.c | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 81abc917f2b0f..f2a82cdc6b1e7 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -222,6 +222,16 @@ void ext4_evict_inode(struct inode *inode) ext4_begin_ordered_truncate(inode, 0); truncate_inode_pages_final(&inode->i_data);
+ /* + * For inodes with journalled data, transaction commit could have + * dirtied the inode. Flush worker is ignoring it because of I_FREEING + * flag but we still need to remove the inode from the writeback lists. + */ + if (!list_empty_careful(&inode->i_io_list)) { + WARN_ON_ONCE(!ext4_should_journal_data(inode)); + inode_io_list_del(inode); + } + /* * Protect us against freezing - iput() caller didn't have to have any * protection against it