From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Changwei Ge <ge.changwei@h3c.com>,
Guozhonghua <guozhonghua@h3c.com>, Mark Fasheh <mark@fasheh.com>,
Joel Becker <jlbec@evilplan.org>,
Junxiao Bi <junxiao.bi@oracle.com>,
Joseph Qi <jiangqi903@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.4 56/77] ocfs2: don't put and assigning null to bh allocated outside
Date: Sat, 16 Nov 2019 10:53:18 -0500 [thread overview]
Message-ID: <20191116155339.11909-56-sashal@kernel.org> (raw)
In-Reply-To: <20191116155339.11909-1-sashal@kernel.org>
From: Changwei Ge <ge.changwei@h3c.com>
[ Upstream commit cf76c78595ca87548ca5e45c862ac9e0949c4687 ]
ocfs2_read_blocks() and ocfs2_read_blocks_sync() are both used to read
several blocks from disk. Currently, the input argument *bhs* can be
NULL or NOT. It depends on the caller's behavior. If the function
fails in reading blocks from disk, the corresponding bh will be assigned
to NULL and put.
Obviously, above process for non-NULL input bh is not appropriate.
Because the caller doesn't even know its bhs are put and re-assigned.
If buffer head is managed by caller, ocfs2_read_blocks and
ocfs2_read_blocks_sync() should not evaluate it to NULL. It will cause
caller accessing illegal memory, thus crash.
Link: http://lkml.kernel.org/r/HK2PR06MB045285E0F4FBB561F9F2F9B3D5680@HK2PR06MB0452.apcprd06.prod.outlook.com
Signed-off-by: Changwei Ge <ge.changwei@h3c.com>
Reviewed-by: Guozhonghua <guozhonghua@h3c.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Joseph Qi <jiangqi903@gmail.com>
Cc: Changwei Ge <ge.changwei@h3c.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/buffer_head_io.c | 77 ++++++++++++++++++++++++++++++---------
1 file changed, 59 insertions(+), 18 deletions(-)
diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c
index 9ee8bcfbf00f3..92593179f7e2b 100644
--- a/fs/ocfs2/buffer_head_io.c
+++ b/fs/ocfs2/buffer_head_io.c
@@ -98,25 +98,34 @@ int ocfs2_write_block(struct ocfs2_super *osb, struct buffer_head *bh,
return ret;
}
+/* Caller must provide a bhs[] with all NULL or non-NULL entries, so it
+ * will be easier to handle read failure.
+ */
int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
unsigned int nr, struct buffer_head *bhs[])
{
int status = 0;
unsigned int i;
struct buffer_head *bh;
+ int new_bh = 0;
trace_ocfs2_read_blocks_sync((unsigned long long)block, nr);
if (!nr)
goto bail;
+ /* Don't put buffer head and re-assign it to NULL if it is allocated
+ * outside since the caller can't be aware of this alternation!
+ */
+ new_bh = (bhs[0] == NULL);
+
for (i = 0 ; i < nr ; i++) {
if (bhs[i] == NULL) {
bhs[i] = sb_getblk(osb->sb, block++);
if (bhs[i] == NULL) {
status = -ENOMEM;
mlog_errno(status);
- goto bail;
+ break;
}
}
bh = bhs[i];
@@ -151,9 +160,26 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
submit_bh(READ, bh);
}
+read_failure:
for (i = nr; i > 0; i--) {
bh = bhs[i - 1];
+ if (unlikely(status)) {
+ if (new_bh && bh) {
+ /* If middle bh fails, let previous bh
+ * finish its read and then put it to
+ * aovoid bh leak
+ */
+ if (!buffer_jbd(bh))
+ wait_on_buffer(bh);
+ put_bh(bh);
+ bhs[i - 1] = NULL;
+ } else if (bh && buffer_uptodate(bh)) {
+ clear_buffer_uptodate(bh);
+ }
+ continue;
+ }
+
/* No need to wait on the buffer if it's managed by JBD. */
if (!buffer_jbd(bh))
wait_on_buffer(bh);
@@ -163,8 +189,7 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
* so we can safely record this and loop back
* to cleanup the other buffers. */
status = -EIO;
- put_bh(bh);
- bhs[i - 1] = NULL;
+ goto read_failure;
}
}
@@ -172,6 +197,9 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
return status;
}
+/* Caller must provide a bhs[] with all NULL or non-NULL entries, so it
+ * will be easier to handle read failure.
+ */
int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
struct buffer_head *bhs[], int flags,
int (*validate)(struct super_block *sb,
@@ -181,6 +209,7 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
int i, ignore_cache = 0;
struct buffer_head *bh;
struct super_block *sb = ocfs2_metadata_cache_get_super(ci);
+ int new_bh = 0;
trace_ocfs2_read_blocks_begin(ci, (unsigned long long)block, nr, flags);
@@ -206,6 +235,11 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
goto bail;
}
+ /* Don't put buffer head and re-assign it to NULL if it is allocated
+ * outside since the caller can't be aware of this alternation!
+ */
+ new_bh = (bhs[0] == NULL);
+
ocfs2_metadata_cache_io_lock(ci);
for (i = 0 ; i < nr ; i++) {
if (bhs[i] == NULL) {
@@ -214,7 +248,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
ocfs2_metadata_cache_io_unlock(ci);
status = -ENOMEM;
mlog_errno(status);
- goto bail;
+ /* Don't forget to put previous bh! */
+ break;
}
}
bh = bhs[i];
@@ -308,16 +343,27 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
}
}
- status = 0;
-
+read_failure:
for (i = (nr - 1); i >= 0; i--) {
bh = bhs[i];
if (!(flags & OCFS2_BH_READAHEAD)) {
- if (status) {
- /* Clear the rest of the buffers on error */
- put_bh(bh);
- bhs[i] = NULL;
+ if (unlikely(status)) {
+ /* Clear the buffers on error including those
+ * ever succeeded in reading
+ */
+ if (new_bh && bh) {
+ /* If middle bh fails, let previous bh
+ * finish its read and then put it to
+ * aovoid bh leak
+ */
+ if (!buffer_jbd(bh))
+ wait_on_buffer(bh);
+ put_bh(bh);
+ bhs[i] = NULL;
+ } else if (bh && buffer_uptodate(bh)) {
+ clear_buffer_uptodate(bh);
+ }
continue;
}
/* We know this can't have changed as we hold the
@@ -335,9 +381,7 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
* uptodate. */
status = -EIO;
clear_buffer_needs_validate(bh);
- put_bh(bh);
- bhs[i] = NULL;
- continue;
+ goto read_failure;
}
if (buffer_needs_validate(bh)) {
@@ -347,11 +391,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
BUG_ON(buffer_jbd(bh));
clear_buffer_needs_validate(bh);
status = validate(sb, bh);
- if (status) {
- put_bh(bh);
- bhs[i] = NULL;
- continue;
- }
+ if (status)
+ goto read_failure;
}
}
--
2.20.1
next prev parent reply other threads:[~2019-11-16 15:57 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-16 15:52 [PATCH AUTOSEL 4.4 01/77] ALSA: isight: fix leak of reference to firewire unit in error path of .probe callback Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 02/77] printk: fix integer overflow in setup_log_buf() Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 03/77] gfs2: Fix marking bitmaps non-full Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 04/77] synclink_gt(): fix compat_ioctl() Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 05/77] powerpc: Fix signedness bug in update_flash_db() Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 06/77] powerpc/eeh: Fix use of EEH_PE_KEEP on wrong field Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 07/77] brcmsmac: AP mode: update beacon when TIM changes Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 08/77] spi: sh-msiof: fix deferred probing Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 09/77] mmc: mediatek: fix cannot receive new request when msdc_cmd_is_ready fail Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 10/77] btrfs: handle error of get_old_root Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 11/77] gsmi: Fix bug in append_to_eventlog sysfs handler Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 12/77] misc: mic: fix a DMA pool free failure Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 13/77] amiflop: clean up on errors during setup Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 14/77] scsi: ips: fix missing break in switch Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 15/77] KVM/x86: Fix invvpid and invept register operand size in 64-bit mode Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 16/77] scsi: isci: Use proper enumerated type in atapi_d2h_reg_frame_handler Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 17/77] scsi: isci: Change sci_controller_start_task's return type to sci_status Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 18/77] scsi: iscsi_tcp: Explicitly cast param in iscsi_sw_tcp_host_get_param Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 19/77] clk: mmp2: fix the clock id for sdh2_clk and sdh3_clk Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 20/77] scsi: dc395x: fix dma API usage in srb_done Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 21/77] scsi: dc395x: fix DMA API usage in sg_update_list Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 22/77] net: fix warning in af_unix Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 23/77] kprobes, x86/ptrace.h: Make regs_get_kernel_stack_nth() not fault on bad stack Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 24/77] ALSA: i2c/cs8427: Fix int to char conversion Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 25/77] macintosh/windfarm_smu_sat: Fix debug output Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 26/77] USB: misc: appledisplay: fix backlight update_status return code Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 27/77] SUNRPC: Fix a compile warning for cmpxchg64() Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 28/77] atm: zatm: Fix empty body Clang warnings Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 29/77] s390/perf: Return error when debug_register fails Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 30/77] spi: omap2-mcspi: Set FIFO DMA trigger level to word length Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 31/77] sparc: Fix parport build warnings Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 32/77] ceph: fix dentry leak in ceph_readdir_prepopulate Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 33/77] rtc: s35390a: Change buf's type to u8 in s35390a_init Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 34/77] mISDN: Fix type of switch control variable in ctrl_teimanager Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 35/77] qlcnic: fix a return in qlcnic_dcb_get_capability() Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 36/77] mfd: mc13xxx-core: Fix PMIC shutdown when reading ADC values Sasha Levin
2019-11-16 15:52 ` [PATCH AUTOSEL 4.4 37/77] mfd: max8997: Enale irq-wakeup unconditionally Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 38/77] selftests/ftrace: Fix to test kprobe $comm arg only if available Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 39/77] thermal: rcar_thermal: Prevent hardware access during system suspend Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 40/77] sparc64: Rework xchg() definition to avoid warnings Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 41/77] fs/ocfs2/dlm/dlmdebug.c: fix a sleep-in-atomic-context bug in dlm_print_one_mle() Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 42/77] mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 43/77] um: Make line/tty semantics use true write IRQ Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 44/77] linux/bitmap.h: handle constant zero-size bitmaps correctly Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 45/77] linux/bitmap.h: fix type of nbits in bitmap_shift_right() Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 46/77] hfsplus: fix BUG on bnode parent update Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 47/77] hfs: " Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 48/77] hfsplus: prevent btree data loss on ENOSPC Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 49/77] hfs: " Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 50/77] hfsplus: fix return value of hfsplus_get_block() Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 51/77] hfs: fix return value of hfs_get_block() Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 52/77] fs/hfs/extent.c: fix array out of bounds read of array extent Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 53/77] igb: shorten maximum PHC timecounter update interval Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 54/77] ntb_netdev: fix sleep time mismatch Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 55/77] ntb: intel: fix return value for ndev_vec_mask() Sasha Levin
2019-11-16 15:53 ` Sasha Levin [this message]
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 57/77] ocfs2: fix clusters leak in ocfs2_defrag_extent() Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 58/77] net: do not abort bulk send on BQL status Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 59/77] sched/fair: Don't increase sd->balance_interval on newidle balance Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 60/77] audit: print empty EXECVE args Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 61/77] wlcore: Fix the return value in case of error in 'wlcore_vendor_cmd_smart_config_start()' Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 62/77] rtl8xxxu: Fix missing break in switch Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 63/77] brcmsmac: never log "tid x is not agg'able" by default Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 64/77] wireless: airo: potential buffer overflow in sprintf() Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 65/77] rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 66/77] scsi: mpt3sas: Fix Sync cache command failure during driver unload Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 67/77] scsi: mpt3sas: Fix driver modifying persistent data in Manufacturing page11 Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 68/77] scsi: megaraid_sas: Fix msleep granularity Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 69/77] scsi: lpfc: fcoe: Fix link down issue after 1000+ link bounces Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 70/77] dlm: fix invalid free Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 71/77] dlm: don't leak kernel pointer to userspace Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 72/77] net: bcmgenet: return correct value 'ret' from bcmgenet_power_down Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 73/77] sock: Reset dst when changing sk_mark via setsockopt Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 74/77] pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 75/77] pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 76/77] PCI: keystone: Use quirk to limit MRRS for K2G Sasha Levin
2019-11-16 15:53 ` [PATCH AUTOSEL 4.4 77/77] spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191116155339.11909-56-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=ge.changwei@h3c.com \
--cc=guozhonghua@h3c.com \
--cc=jiangqi903@gmail.com \
--cc=jlbec@evilplan.org \
--cc=junxiao.bi@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mark@fasheh.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox