From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Jan Kara <jack@suse.cz>, <linux-ext4@vger.kernel.org>
Subject: [patch 04/35] jbd: fix race in buffer processing in commit code
Date: Tue, 30 Jun 2009 17:14:00 -0700
Message-ID: <20090701001548.636200762@mini.kroah.org>
In-Reply-To: <20090701002825.GA6518@kroah.com>
2.6.29-stable review patch. If anyone has any objections, please let us know.
------------------
From: Jan Kara <jack@suse.cz>
commit a61d90d75d0f9e86432c45b496b4b0fbf0fd03dc upstream.
In commit code, we scan buffers attached to a transaction. During this
scan, we sometimes have to drop j_list_lock and then we recheck whether
the journal buffer head didn't get freed by journal_try_to_free_buffers().
But checking for buffer_jbd(bh) isn't enough because a new journal head
could get attached to our buffer head. So add a check whether the journal
head remained the same and whether it's still at the same transaction and
list.
This is a nasty bug and can cause problems like memory corruption (use after
free) or trigger various assertions in JBD code (observed).
Signed-off-by: Jan Kara <jack@suse.cz>
Cc: <linux-ext4@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/jbd/commit.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/jbd/commit.c
+++ b/fs/jbd/commit.c
@@ -238,7 +238,7 @@ write_out_data:
spin_lock(&journal->j_list_lock);
}
/* Someone already cleaned up the buffer? */
- if (!buffer_jbd(bh)
+ if (!buffer_jbd(bh) || bh2jh(bh) != jh
|| jh->b_transaction != commit_transaction
|| jh->b_jlist != BJ_SyncData) {
jbd_unlock_bh_state(bh);
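Review bot: the new `bh2jh(bh) != jh` clause is correctly placed between `!buffer_jbd(bh)` and the `jh->b_transaction` dereference, since short-circuit evaluation is the only thing that stops the old `jh` from being dereferenced once it is no longer the journal head attached to this buffer; please extend the comment "Someone already cleaned up the buffer?" to say that the buffer may also have been freed and re-journaled with a fresh journal head, because that is the case the pointer comparison catches, and a later cleanup could reorder the clauses without seeing why the order matters.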
@@ -466,7 +466,9 @@ void journal_commit_transaction(journal_
spin_lock(&journal->j_list_lock);
continue;
}
- if (buffer_jbd(bh) && jh->b_jlist == BJ_Locked) {
+ if (buffer_jbd(bh) && bh2jh(bh) == jh &&
+ jh->b_transaction == commit_transaction &&
+ jh->b_jlist == BJ_Locked) {
__journal_unfile_buffer(jh);
jbd_unlock_bh_state(bh);
journal_remove_journal_head(bh);
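Review bot: this is the same three-part "is jh still ours" test as in the write_out_data hunk, written in the opposite polarity and with `BJ_Locked` in place of `BJ_SyncData`; a small static inline helper taking the buffer head, the expected journal head, the transaction and the list would keep the two sites from drifting apart, which is how the `bh2jh(bh) == jh` clause came to be missing from both in the first place. The `jbd_unlock_bh_state(bh)` that follows `__journal_unfile_buffer(jh)` shows the test is evaluated under the bh_state lock, so it is worth stating in the changelog that the comparison is only meaningful while that lock is held.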