Commit c893071d authored May 28, 2024 by Joseph Qi Committed by liwei May 28, 2024

ocfs2: fix a deadlock when commit trans

mainline inclusion
from mainline-v5.17-rc2
commit ddf4b773
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RDCV
CVE: CVE-2021-47493

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ddf4b773aa40790dfa936bd845c18e735a49c61c

--------------------------------

commit 6f1b2285 introduces a regression which can deadlock as
follows:

  Task1:                              Task2:
  jbd2_journal_commit_transaction     ocfs2_test_bg_bit_allocatable
  spin_lock(&jh->b_state_lock)        jbd_lock_bh_journal_head
  __jbd2_journal_remove_checkpoint    spin_lock(&jh->b_state_lock)
  jbd2_journal_put_journal_head
  jbd_lock_bh_journal_head

Task1 and Task2 lock bh->b_state and jh->b_state_lock in different
order, which finally result in a deadlock.

So use jbd2_journal_[grab|put]_journal_head instead in
ocfs2_test_bg_bit_allocatable() to fix it.

Link: https://lkml.kernel.org/r/20220121071205.100648-3-joseph.qi@linux.alibaba.com


Fixes: 6f1b2285 ("ocfs2: fix race between searching chunks and release journal_head from buffer_head")
Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reported-by: Gautham Ananthakrishna <gautham.ananthakrishna@oracle.com>
Tested-by: Gautham Ananthakrishna <gautham.ananthakrishna@oracle.com>
Reported-by: Saeed Mirzamohammadi <saeed.mirzamohammadi@oracle.com>
Cc: "Theodore Ts'o" <tytso@mit.edu>
Cc: Andreas Dilger <adilger.kernel@dilger.ca>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Conflicts:
	fs/ocfs2/suballoc.c
Signed-off-by: liwei <liwei728@huawei.com>

parent c7185d72

fs/ocfs2/suballoc.c

+13 −13

Original line number	Diff line number	Diff line
		@@ -1266,16 +1266,16 @@ static int ocfs2_test_bg_bit_allocatable(struct buffer_head *bg_bh,
		int nr)
		{
		struct ocfs2_group_desc bg = (struct ocfs2_group_desc ) bg_bh->b_data;
		int ret = 1;
		struct journal_head *jh;
		int ret;

		if (ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap))
		return 0;

		if (!buffer_jbd(bg_bh))
		jh = jbd2_journal_grab_journal_head(bg_bh);
		if (!jh)
		return 1;

		jbd_lock_bh_journal_head(bg_bh);
		if (buffer_jbd(bg_bh)) {
		jbd_lock_bh_state(bg_bh);
		bg = (struct ocfs2_group_desc *) bh2jh(bg_bh)->b_committed_data;
		if (bg)
		@@ -1283,8 +1283,8 @@ static int ocfs2_test_bg_bit_allocatable(struct buffer_head *bg_bh,
		else
		ret = 1;
		jbd_unlock_bh_state(bg_bh);
		}
		jbd_unlock_bh_journal_head(bg_bh);

		jbd2_journal_put_journal_head(jh);

		return ret;
		}