From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Jan Kara <jack@suse.cz>, <linux-ext4@vger.kernel.org>
Subject: [patch 07/30] jbd: fix race in buffer processing in commit code
Date: Tue, 30 Jun 2009 16:59:51 -0700
Message-ID: <20090701000357.276381426@mini.kroah.org>
In-Reply-To: <20090701002817.GA6156@kroah.com>
[-- Attachment #1: jbd-fix-race-in-buffer-processing-in-commit-code.patch --]
[-- Type: text/plain, Size: 1854 bytes --]
2.6.27-stable review patch. If anyone has any objections, please let us know.
------------------
From: Jan Kara <jack@suse.cz>
commit a61d90d75d0f9e86432c45b496b4b0fbf0fd03dc upstream.
In commit code, we scan buffers attached to a transaction. During this
scan, we sometimes have to drop j_list_lock and then we recheck whether
the journal buffer head didn't get freed by journal_try_to_free_buffers().
But checking for buffer_jbd(bh) isn't enough because a new journal head
could get attached to our buffer head. So add a check whether the journal
head remained the same and whether it's still at the same transaction and
list.
This is a nasty bug and can cause problems like memory corruption (use after
free) or trigger various assertions in JBD code (observed).
Signed-off-by: Jan Kara <jack@suse.cz>
Cc: <linux-ext4@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/jbd/commit.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/jbd/commit.c
+++ b/fs/jbd/commit.c
@@ -238,7 +238,7 @@ write_out_data:
spin_lock(&journal->j_list_lock);
}
/* Someone already cleaned up the buffer? */
- if (!buffer_jbd(bh)
+ if (!buffer_jbd(bh) || bh2jh(bh) != jh
|| jh->b_transaction != commit_transaction
|| jh->b_jlist != BJ_SyncData) {
jbd_unlock_bh_state(bh);
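Review bot: the comment "Someone already cleaned up the buffer?" above the changed condition no longer describes everything the test catches, because with `bh2jh(bh) != jh` it also fires when a different journal head has been attached to the same buffer head while j_list_lock was dropped. Suggest rewording the comment to say so, and noting there that `bh2jh(bh) != jh` must stay ahead of the `jh->b_transaction` and `jh->b_jlist` tests: those dereference `jh`, and per the changelog's use-after-free description they are only safe once `jh` is known to still be the head attached to `bh`. The short-circuit order is what provides that, so it is worth protecting against a later reordering.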
@@ -463,7 +463,9 @@ void journal_commit_transaction(journal_
spin_lock(&journal->j_list_lock);
continue;
}
- if (buffer_jbd(bh) && jh->b_jlist == BJ_Locked) {
+ if (buffer_jbd(bh) && bh2jh(bh) == jh &&
+ jh->b_transaction == commit_transaction &&
+ jh->b_jlist == BJ_Locked) {
__journal_unfile_buffer(jh);
jbd_unlock_bh_state(bh);
journal_remove_journal_head(bh);
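Review bot: the three-line condition in journal_commit_transaction() is the logical inverse of the test changed at write_out_data, so the same recheck is now open-coded twice with only the list constant differing (BJ_Locked here, BJ_SyncData there). A small static inline helper taking bh, jh, the transaction and the expected list would keep the two sites from drifting apart in later backports. Failing that, a one-line comment above this `if` explaining why `bh2jh(bh) == jh` and the `b_transaction` test are needed would help, since no comment is visible at this site and the reason lives only in the changelog.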