From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Ye Bin <yebin10@huawei.com>,
Jan Kara <jack@suse.cz>, Theodore Tso <tytso@mit.edu>
Subject: [PATCH 5.10 82/86] jbd2: fix a potential race while discarding reserved buffers after an abort
Date: Tue, 26 Apr 2022 10:21:50 +0200 [thread overview]
Message-ID: <20220426081743.581782923@linuxfoundation.org> (raw)
In-Reply-To: <20220426081741.202366502@linuxfoundation.org>
From: Ye Bin <yebin10@huawei.com>
commit 23e3d7f7061f8682c751c46512718f47580ad8f0 upstream.
we got issue as follows:
[ 72.796117] EXT4-fs error (device sda): ext4_journal_check_start:83: comm fallocate: Detected aborted journal
[ 72.826847] EXT4-fs (sda): Remounting filesystem read-only
fallocate: fallocate failed: Read-only file system
[ 74.791830] jbd2_journal_commit_transaction: jh=0xffff9cfefe725d90 bh=0x0000000000000000 end delay
[ 74.793597] ------------[ cut here ]------------
[ 74.794203] kernel BUG at fs/jbd2/transaction.c:2063!
[ 74.794886] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[ 74.795533] CPU: 4 PID: 2260 Comm: jbd2/sda-8 Not tainted 5.17.0-rc8-next-20220315-dirty #150
[ 74.798327] RIP: 0010:__jbd2_journal_unfile_buffer+0x3e/0x60
[ 74.801971] RSP: 0018:ffffa828c24a3cb8 EFLAGS: 00010202
[ 74.802694] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 74.803601] RDX: 0000000000000001 RSI: ffff9cfefe725d90 RDI: ffff9cfefe725d90
[ 74.804554] RBP: ffff9cfefe725d90 R08: 0000000000000000 R09: ffffa828c24a3b20
[ 74.805471] R10: 0000000000000001 R11: 0000000000000001 R12: ffff9cfefe725d90
[ 74.806385] R13: ffff9cfefe725d98 R14: 0000000000000000 R15: ffff9cfe833a4d00
[ 74.807301] FS: 0000000000000000(0000) GS:ffff9d01afb00000(0000) knlGS:0000000000000000
[ 74.808338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 74.809084] CR2: 00007f2b81bf4000 CR3: 0000000100056000 CR4: 00000000000006e0
[ 74.810047] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 74.810981] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 74.811897] Call Trace:
[ 74.812241] <TASK>
[ 74.812566] __jbd2_journal_refile_buffer+0x12f/0x180
[ 74.813246] jbd2_journal_refile_buffer+0x4c/0xa0
[ 74.813869] jbd2_journal_commit_transaction.cold+0xa1/0x148
[ 74.817550] kjournald2+0xf8/0x3e0
[ 74.819056] kthread+0x153/0x1c0
[ 74.819963] ret_from_fork+0x22/0x30
Above issue may happen as follows:
write truncate kjournald2
generic_perform_write
ext4_write_begin
ext4_walk_page_buffers
do_journal_get_write_access ->add BJ_Reserved list
ext4_journalled_write_end
ext4_walk_page_buffers
write_end_fn
ext4_handle_dirty_metadata
***************JBD2 ABORT**************
jbd2_journal_dirty_metadata
-> return -EROFS, jh in reserved_list
jbd2_journal_commit_transaction
while (commit_transaction->t_reserved_list)
jh = commit_transaction->t_reserved_list;
truncate_pagecache_range
do_invalidatepage
ext4_journalled_invalidatepage
jbd2_journal_invalidatepage
journal_unmap_buffer
__dispose_buffer
__jbd2_journal_unfile_buffer
jbd2_journal_put_journal_head ->put last ref_count
__journal_remove_journal_head
bh->b_private = NULL;
jh->b_bh = NULL;
jbd2_journal_refile_buffer(journal, jh);
bh = jh2bh(jh);
->bh is NULL, later will trigger null-ptr-deref
journal_free_journal_head(jh);
After commit 96f1e0974575, we no longer hold the j_state_lock while
iterating over the list of reserved handles in
jbd2_journal_commit_transaction(). This potentially allows the
journal_head to be freed by journal_unmap_buffer while the commit
codepath is also trying to free the BJ_Reserved buffers. Keeping
j_state_lock held while trying extends hold time of the lock
minimally, and solves this issue.
Fixes: 96f1e0974575("jbd2: avoid long hold times of j_state_lock while committing a transaction")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220317142137.1821590-1-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/commit.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/jbd2/commit.c
+++ b/fs/jbd2/commit.c
@@ -501,7 +501,6 @@ void jbd2_journal_commit_transaction(jou
}
spin_unlock(&commit_transaction->t_handle_lock);
commit_transaction->t_state = T_SWITCH;
- write_unlock(&journal->j_state_lock);
J_ASSERT (atomic_read(&commit_transaction->t_outstanding_credits) <=
journal->j_max_transaction_buffers);
@@ -521,6 +520,8 @@ void jbd2_journal_commit_transaction(jou
* has reserved. This is consistent with the existing behaviour
* that multiple jbd2_journal_get_write_access() calls to the same
* buffer are perfectly permissible.
+ * We use journal->j_state_lock here to serialize processing of
+ * t_reserved_list with eviction of buffers from journal_unmap_buffer().
*/
while (commit_transaction->t_reserved_list) {
jh = commit_transaction->t_reserved_list;
@@ -540,6 +541,7 @@ void jbd2_journal_commit_transaction(jou
jbd2_journal_refile_buffer(journal, jh);
}
+ write_unlock(&journal->j_state_lock);
/*
* Now try to drop any written-back buffers from the journal's
* checkpoint lists. We do this *before* commit because it potentially
next prev parent reply other threads:[~2022-04-26 8:58 UTC|newest]
Thread overview: 99+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-26 8:20 [PATCH 5.10 00/86] 5.10.113-rc1 review Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 01/86] etherdevice: Adjust ether_addr* prototypes to silence -Wstringop-overead Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 02/86] mm: page_alloc: fix building error on -Werror=array-compare Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 03/86] tracing: Dump stacktrace trigger to the corresponding instance Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 04/86] perf tools: Fix segfault accessing sample_id xyarray Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 05/86] gfs2: assign rgrp glock before compute_bitstructs Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 06/86] net/sched: cls_u32: fix netns refcount changes in u32_change() Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 07/86] ALSA: usb-audio: Clear MIDI port active flag after draining Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 08/86] ALSA: hda/realtek: Add quirk for Clevo NP70PNP Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 09/86] dm: fix mempool NULL pointer race when completing IO Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 10/86] ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 11/86] ASoC: msm8916-wcd-digital: Check failure for devm_snd_soc_register_component Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 12/86] ASoC: codecs: wcd934x: do not switch off SIDO Buck when codec is in use Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 13/86] dmaengine: imx-sdma: Fix error checking in sdma_event_remap Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 14/86] dmaengine: mediatek:Fix PM usage reference leak of mtk_uart_apdma_alloc_chan_resources Greg Kroah-Hartman
2022-04-27 20:28 ` Pavel Machek
2022-04-27 20:32 ` Pavel Machek
2022-04-26 8:20 ` [PATCH 5.10 15/86] spi: spi-mtk-nor: initialize spi controller after resume Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 16/86] esp: limit skb_page_frag_refill use to a single page Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 17/86] igc: Fix infinite loop in release_swfw_sync Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 18/86] igc: Fix BUG: scheduling while atomic Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 19/86] rxrpc: Restore removed timer deletion Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 20/86] net/smc: Fix sock leak when release after smc_shutdown() Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 21/86] net/packet: fix packet_sock xmit return value checking Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 22/86] ip6_gre: Avoid updating tunnel->tun_hlen in __gre6_xmit() Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 23/86] ip6_gre: Fix skb_under_panic " Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 24/86] net/sched: cls_u32: fix possible leak in u32_init_knode() Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 25/86] l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 26/86] ipv6: make ip6_rt_gc_expire an atomic_t Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 27/86] netlink: reset network and mac headers in netlink_dump() Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 28/86] net: stmmac: Use readl_poll_timeout_atomic() in atomic state Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 29/86] dmaengine: idxd: add RO check for wq max_batch_size write Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 30/86] dmaengine: idxd: add RO check for wq max_transfer_size write Greg Kroah-Hartman
2022-04-26 8:20 ` [PATCH 5.10 31/86] selftests: mlxsw: vxlan_flooding: Prevent flooding of unwanted packets Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 32/86] arm64/mm: Remove [PUD|PMD]_TABLE_BIT from [pud|pmd]_bad() Greg Kroah-Hartman
2022-04-26 8:21 ` Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 33/86] arm64: mm: fix p?d_leaf() Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 34/86] ARM: vexpress/spc: Avoid negative array index when !SMP Greg Kroah-Hartman
2022-04-26 8:21 ` Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 35/86] reset: tegra-bpmp: Restore Handle errors in BPMP response Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 36/86] platform/x86: samsung-laptop: Fix an unsigned comparison which can never be negative Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 37/86] ALSA: usb-audio: Fix undefined behavior due to shift overflowing the constant Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 38/86] arm64: dts: imx: Fix imx8*-var-som touchscreen property sizes Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 39/86] vxlan: fix error return code in vxlan_fdb_append Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 40/86] cifs: Check the IOCB_DIRECT flag, not O_DIRECT Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 41/86] net: atlantic: Avoid out-of-bounds indexing Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 42/86] mt76: Fix undefined behavior due to shift overflowing the constant Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 43/86] brcmfmac: sdio: " Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 44/86] dpaa_eth: Fix missing of_node_put in dpaa_get_ts_info() Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 45/86] drm/msm/mdp5: check the return of kzalloc() Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 46/86] net: macb: Restart tx only if queue pointer is lagging Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 47/86] scsi: qedi: Fix failed disconnect handling Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 48/86] stat: fix inconsistency between struct stat and struct compat_stat Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 49/86] nvme: add a quirk to disable namespace identifiers Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 50/86] nvme-pci: disable namespace identifiers for Qemu controllers Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 51/86] EDAC/synopsys: Read the error count from the correct register Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 52/86] mm, hugetlb: allow for "high" userspace addresses Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 53/86] oom_kill.c: futex: delay the OOM reaper to allow time for proper futex cleanup Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 54/86] mm/mmu_notifier.c: fix race in mmu_interval_notifier_remove() Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 55/86] ata: pata_marvell: Check the bmdma_addr beforing reading Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 56/86] dma: at_xdmac: fix a missing check on list iterator Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 57/86] net: atlantic: invert deep par in pm functions, preventing null derefs Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 58/86] xtensa: patch_text: Fixup last cpu should be master Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 59/86] xtensa: fix a7 clobbering in coprocessor context load/store Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 60/86] openvswitch: fix OOB access in reserve_sfa_size() Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 61/86] gpio: Request interrupts after IRQ is initialized Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 62/86] ASoC: soc-dapm: fix two incorrect uses of list iterator Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 63/86] e1000e: Fix possible overflow in LTR decoding Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 64/86] ARC: entry: fix syscall_trace_exit argument Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 65/86] arm_pmu: Validate single/group leader events Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 66/86] sched/pelt: Fix attach_entity_load_avg() corner case Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 67/86] perf/core: Fix perf_mmap fail when CONFIG_PERF_USE_VMALLOC enabled Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 68/86] drm/panel/raspberrypi-touchscreen: Avoid NULL deref if not initialised Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 69/86] drm/panel/raspberrypi-touchscreen: Initialise the bridge in prepare Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 70/86] KVM: PPC: Fix TCE handling for VFIO Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 71/86] drm/vc4: Use pm_runtime_resume_and_get to fix pm_runtime_get_sync() usage Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 72/86] powerpc/perf: Fix power9 event alternatives Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 73/86] perf report: Set PERF_SAMPLE_DATA_SRC bit for Arm SPE event Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 74/86] ext4: fix fallocate to use file_modified to update permissions consistently Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 75/86] ext4: fix symlink file size not match to file content Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 76/86] ext4: fix use-after-free in ext4_search_dir Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 77/86] ext4: limit length to bitmap_maxbytes - blocksize in punch_hole Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 78/86] ext4, doc: fix incorrect h_reserved size Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 79/86] ext4: fix overhead calculation to account for the reserved gdt blocks Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 80/86] ext4: force overhead calculation if the s_overhead_cluster makes no sense Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 81/86] can: isotp: stop timeout monitoring when no first frame was sent Greg Kroah-Hartman
2022-04-26 8:21 ` Greg Kroah-Hartman [this message]
2022-04-26 8:21 ` [PATCH 5.10 83/86] spi: atmel-quadspi: Fix the buswidth adjustment between spi-mem and controller Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 84/86] staging: ion: Prevent incorrect reference counting behavour Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 85/86] block/compat_ioctl: fix range check in BLKGETSIZE Greg Kroah-Hartman
2022-04-26 8:21 ` [PATCH 5.10 86/86] Revert "net: micrel: fix KS8851_MLL Kconfig" Greg Kroah-Hartman
2022-04-26 16:20 ` [PATCH 5.10 00/86] 5.10.113-rc1 review Jon Hunter
2022-04-26 17:12 ` Florian Fainelli
2022-04-26 19:58 ` Pavel Machek
2022-04-26 20:12 ` Guenter Roeck
2022-04-26 20:14 ` Shuah Khan
2022-04-27 1:54 ` Slade Watkins
2022-04-27 8:08 ` Naresh Kamboju
2022-04-27 11:09 ` Sudip Mukherjee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220426081743.581782923@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jack@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tytso@mit.edu \
--cc=yebin10@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.