From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Jan Kara <jack@suse.cz>,
Baokun Li <libaokun1@huawei.com>, Theodore Tso <tytso@mit.edu>
Subject: [PATCH 5.10 35/42] ext4: avoid bb_free and bb_fragments inconsistency in mb_free_blocks()
Date: Mon, 4 Mar 2024 21:24:02 +0000 [thread overview]
Message-ID: <20240304211538.831054302@linuxfoundation.org> (raw)
In-Reply-To: <20240304211537.631764077@linuxfoundation.org>
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit 2331fd4a49864e1571b4f50aa3aa1536ed6220d0 upstream.
After updating bb_free in mb_free_blocks, it is possible to return without
updating bb_fragments because the block being freed is found to have
already been freed, which leads to inconsistency between bb_free and
bb_fragments.
Since the group may be unlocked in ext4_grp_locked_error(), this can lead
to problems such as dividing by zero when calculating the average fragment
length. Hence move the update of bb_free to after the block double-free
check guarantees that the corresponding statistics are updated only after
the core block bitmap is modified.
Fixes: eabe0444df90 ("ext4: speed-up releasing blocks on commit")
CC: <stable@vger.kernel.org> # 3.10
Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20240104142040.2835097-5-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/mballoc.c | 39 +++++++++++++++++++++------------------
1 file changed, 21 insertions(+), 18 deletions(-)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1494,11 +1494,6 @@ static void mb_free_blocks(struct inode
mb_check_buddy(e4b);
mb_free_blocks_double(inode, e4b, first, count);
- this_cpu_inc(discard_pa_seq);
- e4b->bd_info->bb_free += count;
- if (first < e4b->bd_info->bb_first_free)
- e4b->bd_info->bb_first_free = first;
-
/* access memory sequentially: check left neighbour,
* clear range and then check right neighbour
*/
@@ -1512,23 +1507,31 @@ static void mb_free_blocks(struct inode
struct ext4_sb_info *sbi = EXT4_SB(sb);
ext4_fsblk_t blocknr;
+ /*
+ * Fastcommit replay can free already freed blocks which
+ * corrupts allocation info. Regenerate it.
+ */
+ if (sbi->s_mount_state & EXT4_FC_REPLAY) {
+ mb_regenerate_buddy(e4b);
+ goto check;
+ }
+
blocknr = ext4_group_first_block_no(sb, e4b->bd_group);
blocknr += EXT4_C2B(sbi, block);
- if (!(sbi->s_mount_state & EXT4_FC_REPLAY)) {
- ext4_grp_locked_error(sb, e4b->bd_group,
- inode ? inode->i_ino : 0,
- blocknr,
- "freeing already freed block (bit %u); block bitmap corrupt.",
- block);
- ext4_mark_group_bitmap_corrupted(
- sb, e4b->bd_group,
+ ext4_grp_locked_error(sb, e4b->bd_group,
+ inode ? inode->i_ino : 0, blocknr,
+ "freeing already freed block (bit %u); block bitmap corrupt.",
+ block);
+ ext4_mark_group_bitmap_corrupted(sb, e4b->bd_group,
EXT4_GROUP_INFO_BBITMAP_CORRUPT);
- } else {
- mb_regenerate_buddy(e4b);
- }
- goto done;
+ return;
}
+ this_cpu_inc(discard_pa_seq);
+ e4b->bd_info->bb_free += count;
+ if (first < e4b->bd_info->bb_first_free)
+ e4b->bd_info->bb_first_free = first;
+
/* let's maintain fragments counter */
if (left_is_free && right_is_free)
e4b->bd_info->bb_fragments--;
@@ -1553,8 +1556,8 @@ static void mb_free_blocks(struct inode
if (first <= last)
mb_buddy_mark_free(e4b, first >> 1, last >> 1);
-done:
mb_set_largest_free_order(sb, e4b->bd_info);
+check:
mb_check_buddy(e4b);
}
next prev parent reply other threads:[~2024-03-04 21:35 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-04 21:23 [PATCH 5.10 00/42] 5.10.212-rc1 review Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 01/42] platform/x86: touchscreen_dmi: Allow partial (prefix) matches for ACPI names Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 02/42] crypto: virtio/akcipher - Fix stack overflow on memcpy Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 03/42] mtd: spinand: gigadevice: Support GD5F1GQ5UExxG Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 04/42] mtd: spinand: gigadevice: Fix the get ecc status issue Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 05/42] netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 06/42] net: ip_tunnel: prevent perpetual headroom growth Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 07/42] tun: Fix xdp_rxq_infos queue_index when detaching Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 08/42] ipv6: fix potential "struct net" leak in inet6_rtm_getaddr() Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 09/42] lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is detected Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 10/42] net: usb: dm9601: fix wrong return value in dm9601_mdio_read Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 11/42] Bluetooth: Avoid potential use-after-free in hci_error_reset Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 12/42] Bluetooth: hci_event: Fix wrongly recorded wakeup BD_ADDR Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 13/42] Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 14/42] Bluetooth: Enforce validation on max value of connection interval Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 15/42] netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate() Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 16/42] rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 17/42] efi/capsule-loader: fix incorrect allocation size Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 18/42] power: supply: bq27xxx-i2c: Do not free non existing IRQ Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 19/42] ALSA: Drop leftover snd-rtctimer stuff from Makefile Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 20/42] afs: Fix endless loop in directory parsing Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 21/42] riscv: Sparse-Memory/vmemmap out-of-bounds fix Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 22/42] tomoyo: fix UAF write bug in tomoyo_write_control() Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 23/42] gtp: fix use-after-free and null-ptr-deref in gtp_newlink() Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 24/42] wifi: nl80211: reject iftype change with mesh ID change Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 25/42] btrfs: dev-replace: properly validate device names Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 26/42] dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 27/42] dmaengine: fsl-qdma: init irq after reg initialization Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 28/42] mmc: core: Fix eMMC initialization with 1-bit bus connection Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 29/42] mmc: sdhci-xenon: add timeout for PHY init complete Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 30/42] mmc: sdhci-xenon: fix PHY init clock stability Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 31/42] riscv: add CALLER_ADDRx support Greg Kroah-Hartman
2024-03-04 21:23 ` [PATCH 5.10 32/42] pmdomain: qcom: rpmhpd: Fix enabled_corner aggregation Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.10 33/42] x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.10 34/42] mptcp: fix possible deadlock in subflow diag Greg Kroah-Hartman
2024-03-04 21:24 ` Greg Kroah-Hartman [this message]
2024-03-04 21:24 ` [PATCH 5.10 36/42] cachefiles: fix memory leak in cachefiles_add_cache() Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.10 37/42] fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.10 38/42] gpio: 74x164: Enable output pins after registers are reset Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.10 39/42] gpiolib: Fix the error path order in gpiochip_add_data_with_key() Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.10 40/42] gpio: fix resource unwinding order in error path Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.10 41/42] mtd: spinand: gigadevice: fix Quad IO for GD5F1GQ5UExxG Greg Kroah-Hartman
2024-03-04 21:24 ` [PATCH 5.10 42/42] mptcp: fix double-free on socket dismantle Greg Kroah-Hartman
2024-03-05 9:05 ` [PATCH 5.10 00/42] 5.10.212-rc1 review Dominique Martinet
2024-03-05 10:23 ` Naresh Kamboju
2024-03-05 10:58 ` Jon Hunter
2024-03-05 11:23 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240304211538.831054302@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jack@suse.cz \
--cc=libaokun1@huawei.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox