mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/fs/ubifs
History
Petr Cvachoucek 8130a1c0bf ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers 
commit 3fea4d9d16 upstream.

it seems freeing the write buffers in the error path of the
ubifs_remount_rw() is wrong. It leads later to a kernel oops like this:

[10016.431274] UBIFS (ubi0:0): start fixing up free space
[10090.810042] UBIFS (ubi0:0): free space fixup complete
[10090.814623] UBIFS error (ubi0:0 pid 512): ubifs_remount_fs: cannot
spawn "ubifs_bgt0_0", error -4
[10101.915108] UBIFS (ubi0:0): background thread "ubifs_bgt0_0" started,
PID 517
[10105.275498] Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000030
[10105.284352] Mem abort info:
[10105.287160]   ESR = 0x96000006
[10105.290252]   EC = 0x25: DABT (current EL), IL = 32 bits
[10105.295592]   SET = 0, FnV = 0
[10105.298652]   EA = 0, S1PTW = 0
[10105.301848] Data abort info:
[10105.304723]   ISV = 0, ISS = 0x00000006
[10105.308573]   CM = 0, WnR = 0
[10105.311564] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000f03d1000
[10105.318034] [0000000000000030] pgd=00000000f6cee003,
pud=00000000f4884003, pmd=0000000000000000
[10105.326783] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[10105.332355] Modules linked in: ath10k_pci ath10k_core ath mac80211
libarc4 cfg80211 nvme nvme_core cryptodev(O)
[10105.342468] CPU: 3 PID: 518 Comm: touch Tainted: G           O
5.4.3 #1
[10105.349517] Hardware name: HYPEX CPU (DT)
[10105.353525] pstate: 40000005 (nZcv daif -PAN -UAO)
[10105.358324] pc : atomic64_try_cmpxchg_acquire.constprop.22+0x8/0x34
[10105.364596] lr : mutex_lock+0x1c/0x34
[10105.368253] sp : ffff000075633aa0
[10105.371563] x29: ffff000075633aa0 x28: 0000000000000001
[10105.376874] x27: ffff000076fa80c8 x26: 0000000000000004
[10105.382185] x25: 0000000000000030 x24: 0000000000000000
[10105.387495] x23: 0000000000000000 x22: 0000000000000038
[10105.392807] x21: 000000000000000c x20: ffff000076fa80c8
[10105.398119] x19: ffff000076fa8000 x18: 0000000000000000
[10105.403429] x17: 0000000000000000 x16: 0000000000000000
[10105.408741] x15: 0000000000000000 x14: fefefefefefefeff
[10105.414052] x13: 0000000000000000 x12: 0000000000000fe0
[10105.419364] x11: 0000000000000fe0 x10: ffff000076709020
[10105.424675] x9 : 0000000000000000 x8 : 00000000000000a0
[10105.429986] x7 : ffff000076fa80f4 x6 : 0000000000000030
[10105.435297] x5 : 0000000000000000 x4 : 0000000000000000
[10105.440609] x3 : 0000000000000000 x2 : ffff00006f276040
[10105.445920] x1 : ffff000075633ab8 x0 : 0000000000000030
[10105.451232] Call trace:
[10105.453676]  atomic64_try_cmpxchg_acquire.constprop.22+0x8/0x34
[10105.459600]  ubifs_garbage_collect+0xb4/0x334
[10105.463956]  ubifs_budget_space+0x398/0x458
[10105.468139]  ubifs_create+0x50/0x180
[10105.471712]  path_openat+0x6a0/0x9b0
[10105.475284]  do_filp_open+0x34/0x7c
[10105.478771]  do_sys_open+0x78/0xe4
[10105.482170]  __arm64_sys_openat+0x1c/0x24
[10105.486180]  el0_svc_handler+0x84/0xc8
[10105.489928]  el0_svc+0x8/0xc
[10105.492808] Code: 52800013 17fffffb d2800003 f9800011 (c85ffc05)
[10105.498903] ---[ end trace 46b721d93267a586 ]---

To reproduce the problem:

1. Filesystem initially mounted read-only, free space fixup flag set.

2. mount -o remount,rw <mountpoint>

3. it takes some time (free space fixup running)
    ... try to terminate running mount by CTRL-C
    ... does not respond, only after free space fixup is complete
    ... then "ubifs_remount_fs: cannot spawn "ubifs_bgt0_0", error -4"

4. mount -o remount,rw <mountpoint>
    ... now finished instantly (fixup already done).

5. Create file or just unmount the filesystem and we get the oops.

Cc: <stable@vger.kernel.org>
Fixes: b50b9f4085 ("UBIFS: do not free write-buffers when in R/O mode")
Signed-off-by: Petr Cvachoucek <cvachoucek@gmail.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2022-01-27 09:19:49 +01:00
..
Kconfig ubifs: Add support for zstd compression. 2019-07-08 19:43:53 +02:00
Makefile fscrypt: remove filesystem specific build config option 2019-01-23 23:56:43 -05:00
auth.c ubifs: Fix memleak in ubifs_init_authentication 2021-03-04 10:26:25 +01:00
budget.c ubifs: Limit the number of pages in shrink_liability 2019-08-22 17:25:33 +02:00
commit.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336 2019-06-05 17:37:07 +02:00
compress.c ubifs: Add support for zstd compression. 2019-07-08 19:43:53 +02:00
crypto.c fscrypt: introduce fscrypt_decrypt_block_inplace() 2019-05-28 10:27:53 -07:00
debug.c ubifs: dent: Fix some potential memory leaks while iterating entries 2020-11-05 11:43:32 +01:00
debug.h Driver Core and debugfs changes for 5.3-rc1 2019-07-12 12:24:03 -07:00
dir.c ubifs: Set/Clear I_LINKABLE under i_lock for whiteout inode 2021-07-20 16:10:50 +02:00
file.c ubifs: report correct st_size for encrypted symlinks 2021-09-12 08:56:39 +02:00
find.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336 2019-06-05 17:37:07 +02:00
gc.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336 2019-06-05 17:37:07 +02:00
io.c ubifs: wbuf: Don't leak kernel memory to flash 2020-12-30 11:51:40 +01:00
ioctl.c ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag 2020-02-11 04:35:20 -08:00
journal.c ubifs: journal: Make sure to not dirty twice for auth nodes 2020-11-05 11:43:32 +01:00
key.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336 2019-06-05 17:37:07 +02:00
log.c ubifs: remove unnecessary check in ubifs_log_start_commit 2019-07-08 19:43:51 +02:00
lprops.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336 2019-06-05 17:37:07 +02:00
lpt.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336 2019-06-05 17:37:07 +02:00
lpt_commit.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336 2019-06-05 17:37:07 +02:00
master.c ubifs: support offline signed images 2019-07-08 19:43:52 +02:00
misc.c ubifs: Allow setting assert action as mount parameter 2018-08-15 00:25:21 +02:00
misc.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336 2019-06-05 17:37:07 +02:00
orphan.c ubifs: xattr: Fix some potential memory leaks while iterating entries 2020-11-05 11:43:32 +01:00
recovery.c ubifs: Fix typo of output in get_cs_sqnum 2019-07-08 19:43:43 +02:00
replay.c ubifs: Only check replay with inode type to judge if inode linked 2021-05-11 14:04:14 +02:00
sb.c ubifs: Fix wrong memory allocation 2020-02-11 04:35:20 -08:00
scan.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336 2019-06-05 17:37:07 +02:00
shrinker.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336 2019-06-05 17:37:07 +02:00
super.c ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers 2022-01-27 09:19:49 +01:00
tnc.c ubifs: xattr: Fix some potential memory leaks while iterating entries 2020-11-05 11:43:32 +01:00
tnc_commit.c ubifs: ubifs_tnc_start_commit: Fix OOB in layout_in_gaps 2020-01-09 10:20:06 +01:00
tnc_misc.c ubifs: Fix memory leak in read_znode() error path 2019-09-15 22:11:18 +02:00
ubifs-media.h ubifs: Add support for zstd compression. 2019-07-08 19:43:53 +02:00
ubifs.h ubifs: Fix races between xattr_{set|get} and listxattr operations 2021-07-19 08:53:16 +02:00
xattr.c ubifs: Fix races between xattr_{set|get} and listxattr operations 2021-07-19 08:53:16 +02:00