[PATCH openEuler-1.0-LTS] ocfs2: fix race between searching chunks and release journal_head from buffer_head - Kernel

28 May 2024

From: Gautham Ananthakrishna gautham.ananthakrishna@oracle.com
mainline inclusion
from mainline-v5.15
commit 6f1b228529ae49b0f85ab89bcdb6c365df401558
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RDCV
CVE: CVE-2021-47493
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Encountered a race between ocfs2_test_bg_bit_allocatable() and
jbd2_journal_put_journal_head() resulting in the below vmcore.
PID: 106879  TASK: ffff880244ba9c00  CPU: 2   COMMAND: "loop3"
  Call trace:
    panic
    oops_end
    no_context
    __bad_area_nosemaphore
    bad_area_nosemaphore
    __do_page_fault
    do_page_fault
    page_fault
      [exception RIP: ocfs2_block_group_find_clear_bits+316]
    ocfs2_block_group_find_clear_bits [ocfs2]
    ocfs2_cluster_group_search [ocfs2]
    ocfs2_search_chain [ocfs2]
    ocfs2_claim_suballoc_bits [ocfs2]
    __ocfs2_claim_clusters [ocfs2]
    ocfs2_claim_clusters [ocfs2]
    ocfs2_local_alloc_slide_window [ocfs2]
    ocfs2_reserve_local_alloc_bits [ocfs2]
    ocfs2_reserve_clusters_with_limit [ocfs2]
    ocfs2_reserve_clusters [ocfs2]
    ocfs2_lock_refcount_allocators [ocfs2]
    ocfs2_make_clusters_writable [ocfs2]
    ocfs2_replace_cow [ocfs2]
    ocfs2_refcount_cow [ocfs2]
    ocfs2_file_write_iter [ocfs2]
    lo_rw_aio
    loop_queue_work
    kthread_worker_fn
    kthread
    ret_from_fork
When ocfs2_test_bg_bit_allocatable() called bh2jh(bg_bh), the
bg_bh->b_private NULL as jbd2_journal_put_journal_head() raced and
released the jounal head from the buffer head.  Needed to take bit lock
for the bit 'BH_JournalHead' to fix this race.
Link: https://lkml.kernel.org/r/1634820718-6043-1-git-send-email-gautham.ananthakr...
Signed-off-by: Gautham Ananthakrishna gautham.ananthakrishna@oracle.com
Reviewed-by: Joseph Qi joseph.qi@linux.alibaba.com
Cc: rajesh.sivaramasubramaniom@oracle.com
Cc: Mark Fasheh mark@fasheh.com
Cc: Joel Becker jlbec@evilplan.org
Cc: Junxiao Bi junxiao.bi@oracle.com
Cc: Changwei Ge gechangwei@live.cn
Cc: Gang He ghe@suse.com
Cc: Jun Piao piaojun@huawei.com
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Morton akpm@linux-foundation.org
Signed-off-by: Linus Torvalds torvalds@linux-foundation.org
Conflicts:
    fs/ocfs2/suballoc.c
[464170647b5648bb81f3615567485fcb9a685bed("jbd2: Make state lock a spinlock") was not merged]
Signed-off-by: liwei liwei728@huawei.com
---
 fs/ocfs2/suballoc.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index f7c972fbed6a..46e226d565ec 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -1266,7 +1266,7 @@ static int ocfs2_test_bg_bit_allocatable(struct buffer_head *bg_bh,
    				 int nr)
 {
    struct ocfs2_group_desc *bg = (struct ocfs2_group_desc *) bg_bh->b_data;
-	int ret;
+	int ret = 1;
if (ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap))
    	return 0;
@@ -1274,13 +1274,17 @@ static int ocfs2_test_bg_bit_allocatable(struct buffer_head *bg_bh,
    if (!buffer_jbd(bg_bh))
    	return 1;
-	jbd_lock_bh_state(bg_bh);
-	bg = (struct ocfs2_group_desc *) bh2jh(bg_bh)->b_committed_data;
-	if (bg)
-		ret = !ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap);
-	else
-		ret = 1;
-	jbd_unlock_bh_state(bg_bh);
+	jbd_lock_bh_journal_head(bg_bh);
+	if (buffer_jbd(bg_bh)) {
+		jbd_lock_bh_state(bg_bh);
+		bg = (struct ocfs2_group_desc *) bh2jh(bg_bh)->b_committed_data;
+		if (bg)
+			ret = !ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap);
+		else
+			ret = 1;
+		jbd_unlock_bh_state(bg_bh);
+	}
+	jbd_unlock_bh_journal_head(bg_bh);
return ret;
 }
-- 
2.25.1


    