mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-19 17:11:03 +00:00
Code Issues Releases Wiki Activity
linux-stable/fs/ubifs
History
Petr Cvachoucek 76006d33f1 ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers 
commit 3fea4d9d16 upstream.

it seems freeing the write buffers in the error path of the
ubifs_remount_rw() is wrong. It leads later to a kernel oops like this:

[10016.431274] UBIFS (ubi0:0): start fixing up free space
[10090.810042] UBIFS (ubi0:0): free space fixup complete
[10090.814623] UBIFS error (ubi0:0 pid 512): ubifs_remount_fs: cannot
spawn "ubifs_bgt0_0", error -4
[10101.915108] UBIFS (ubi0:0): background thread "ubifs_bgt0_0" started,
PID 517
[10105.275498] Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000030
[10105.284352] Mem abort info:
[10105.287160]   ESR = 0x96000006
[10105.290252]   EC = 0x25: DABT (current EL), IL = 32 bits
[10105.295592]   SET = 0, FnV = 0
[10105.298652]   EA = 0, S1PTW = 0
[10105.301848] Data abort info:
[10105.304723]   ISV = 0, ISS = 0x00000006
[10105.308573]   CM = 0, WnR = 0
[10105.311564] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000f03d1000
[10105.318034] [0000000000000030] pgd=00000000f6cee003,
pud=00000000f4884003, pmd=0000000000000000
[10105.326783] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[10105.332355] Modules linked in: ath10k_pci ath10k_core ath mac80211
libarc4 cfg80211 nvme nvme_core cryptodev(O)
[10105.342468] CPU: 3 PID: 518 Comm: touch Tainted: G           O
5.4.3 #1
[10105.349517] Hardware name: HYPEX CPU (DT)
[10105.353525] pstate: 40000005 (nZcv daif -PAN -UAO)
[10105.358324] pc : atomic64_try_cmpxchg_acquire.constprop.22+0x8/0x34
[10105.364596] lr : mutex_lock+0x1c/0x34
[10105.368253] sp : ffff000075633aa0
[10105.371563] x29: ffff000075633aa0 x28: 0000000000000001
[10105.376874] x27: ffff000076fa80c8 x26: 0000000000000004
[10105.382185] x25: 0000000000000030 x24: 0000000000000000
[10105.387495] x23: 0000000000000000 x22: 0000000000000038
[10105.392807] x21: 000000000000000c x20: ffff000076fa80c8
[10105.398119] x19: ffff000076fa8000 x18: 0000000000000000
[10105.403429] x17: 0000000000000000 x16: 0000000000000000
[10105.408741] x15: 0000000000000000 x14: fefefefefefefeff
[10105.414052] x13: 0000000000000000 x12: 0000000000000fe0
[10105.419364] x11: 0000000000000fe0 x10: ffff000076709020
[10105.424675] x9 : 0000000000000000 x8 : 00000000000000a0
[10105.429986] x7 : ffff000076fa80f4 x6 : 0000000000000030
[10105.435297] x5 : 0000000000000000 x4 : 0000000000000000
[10105.440609] x3 : 0000000000000000 x2 : ffff00006f276040
[10105.445920] x1 : ffff000075633ab8 x0 : 0000000000000030
[10105.451232] Call trace:
[10105.453676]  atomic64_try_cmpxchg_acquire.constprop.22+0x8/0x34
[10105.459600]  ubifs_garbage_collect+0xb4/0x334
[10105.463956]  ubifs_budget_space+0x398/0x458
[10105.468139]  ubifs_create+0x50/0x180
[10105.471712]  path_openat+0x6a0/0x9b0
[10105.475284]  do_filp_open+0x34/0x7c
[10105.478771]  do_sys_open+0x78/0xe4
[10105.482170]  __arm64_sys_openat+0x1c/0x24
[10105.486180]  el0_svc_handler+0x84/0xc8
[10105.489928]  el0_svc+0x8/0xc
[10105.492808] Code: 52800013 17fffffb d2800003 f9800011 (c85ffc05)
[10105.498903] ---[ end trace 46b721d93267a586 ]---

To reproduce the problem:

1. Filesystem initially mounted read-only, free space fixup flag set.

2. mount -o remount,rw <mountpoint>

3. it takes some time (free space fixup running)
    ... try to terminate running mount by CTRL-C
    ... does not respond, only after free space fixup is complete
    ... then "ubifs_remount_fs: cannot spawn "ubifs_bgt0_0", error -4"

4. mount -o remount,rw <mountpoint>
    ... now finished instantly (fixup already done).

5. Create file or just unmount the filesystem and we get the oops.

Cc: <stable@vger.kernel.org>
Fixes: b50b9f4085 ("UBIFS: do not free write-buffers when in R/O mode")
Signed-off-by: Petr Cvachoucek <cvachoucek@gmail.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-01-27 10:54:24 +01:00
..
auth.c ubifs: Fix memleak in ubifs_init_authentication 2021-03-04 11:37:51 +01:00
budget.c ubifs: Limit the number of pages in shrink_liability 2019-08-22 17:25:33 +02:00
commit.c treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
compress.c ubifs: Add support for zstd compression. 2019-07-08 19:43:53 +02:00
crypto.c
debug.c ubifs: dent: Fix some potential memory leaks while iterating entries 2020-09-17 22:55:51 +02:00
debug.h Driver Core and debugfs changes for 5.3-rc1 2019-07-12 12:24:03 -07:00
dir.c ubifs: Set/Clear I_LINKABLE under i_lock for whiteout inode 2021-07-20 16:05:51 +02:00
file.c ubifs: report correct st_size for encrypted symlinks 2021-09-08 08:48:59 +02:00
find.c
gc.c treewide: Change list_sort to use const pointers 2021-09-30 10:11:04 +02:00
io.c ubifs: wbuf: Don't leak kernel memory to flash 2020-12-30 11:54:17 +01:00
ioctl.c ubifs: setflags: Don't show error message when vfs_ioc_setflags_prepare() fails 2020-09-17 22:56:19 +02:00
journal.c ubifs: journal: Fix error return code in ubifs_jnl_write_inode() 2021-07-20 16:05:51 +02:00
Kconfig fscrypt: Allow modular crypto algorithms 2019-12-31 10:33:51 -06:00
key.h ubifs: allow both hash and disk name to be provided in no-key names 2020-01-22 14:49:56 -08:00
log.c ubifs: remove unnecessary check in ubifs_log_start_commit 2019-07-08 19:43:51 +02:00
lprops.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
lpt.c treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
lpt_commit.c mm: remove the pgprot argument to __vmalloc 2020-06-02 10:59:11 -07:00
Makefile
master.c ubifs: use crypto_shash_tfm_digest() 2020-05-08 15:32:15 +10:00
misc.c
misc.h ubifs: misc.h: delete a duplicated word 2020-08-02 22:59:03 +02:00
orphan.c ubifs: xattr: Fix some potential memory leaks while iterating entries 2020-09-17 22:55:41 +02:00
recovery.c ubifs: Fix typo of output in get_cs_sqnum 2019-07-08 19:43:43 +02:00
replay.c treewide: Change list_sort to use const pointers 2021-09-30 10:11:04 +02:00
sb.c ubifs: add option to specify version for new file systems 2020-08-02 22:23:46 +02:00
scan.c
shrinker.c
super.c ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers 2022-01-27 10:54:24 +01:00
tnc.c This pull request contains fixes for UBI and UBIFS 2020-10-18 09:56:50 -07:00
tnc_commit.c ubifs: ubifs_tnc_start_commit: Fix OOB in layout_in_gaps 2019-11-17 22:22:54 +01:00
tnc_misc.c treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
ubifs-media.h ubifs: Add support for zstd compression. 2019-07-08 19:43:53 +02:00
ubifs.h ubifs: Fix races between xattr_{set|get} and listxattr operations 2021-07-19 09:45:00 +02:00
xattr.c ubifs: Fix off-by-one error 2021-07-20 16:05:51 +02:00