CVE-2022-49327

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 26/02/2025
Last modified: 01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bcache: avoid journal no-space deadlock by reserving 1 journal bucket

The journal no-space deadlock was reported from time to time. Such a deadlock can happen in the following situation.

When all journal buckets are fully filled by active jsets under heavy write I/O load, the cache set registration (after a reboot) will load all active jsets and insert them into the btree again (which is called journal replay). If a journaled bkey is inserted into a btree node and results in a btree node split, a new journal request might be triggered. For example, the btree grows one more level after the node split, then the root node record in the cache device super block will be upgraded by bch_journal_meta() from bch_btree_set_root(). But there is no space in the journal buckets, so the journal replay has to wait for a new journal bucket to be reclaimed after at least one journal bucket is replayed. This is one example of how the journal no-space deadlock happens.

The solution to avoid the deadlock is to reserve 1 journal bucket at run time, and only permit the reserved journal bucket to be used during the cache set registration procedure for things like journal replay. Then the journal space will never be fully filled, and there is no chance for the journal no-space deadlock to happen anymore.

This patch adds a new member "bool do_reserve" in struct journal. It is initialized to 0 (false) when struct journal is allocated, and set to 1 (true) by bch_journal_space_reserve() when all initialization is done in run_cache_set(). At run time, when journal_reclaim() tries to allocate a new journal bucket, free_journal_buckets() is called to check whether there are enough free journal buckets to use. If there is only 1 free journal bucket and journal->do_reserve is 1 (true), the last bucket is reserved and free_journal_buckets() will return 0 to indicate no free journal bucket. Then journal_reclaim() will give up, and try next time to see whether there is a free journal bucket to allocate. By this method, there is always 1 journal bucket reserved at run time.

During the cache set registration, journal->do_reserve is 0 (false), so the reserved journal bucket can be used to avoid the no-space deadlock.
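The reservation rule described above, as a simplified user-space model added here for illustration; it is not the kernel patch, and `struct journal_model`, `free_buckets()`, `alloc_bucket()` and `fill_then_replay()` are hypothetical names. It assumes that replay needs one new journal bucket before any replayed bucket has been reclaimed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not kernel code: the journal is a bucket count,
 * some of which hold active (not yet replayed) jsets. */
struct journal_model {
    unsigned int nbuckets;  /* total journal buckets */
    unsigned int active;    /* buckets filled with active jsets */
    bool do_reserve;        /* true at run time, false during registration */
};

/* Free buckets visible to the allocator; the last free bucket is
 * hidden while do_reserve is set, as the description states. */
static unsigned int free_buckets(const struct journal_model *j)
{
    unsigned int n = j->nbuckets - j->active;
    unsigned int reserve = j->do_reserve ? 1 : 0;
    return n > reserve ? n - reserve : 0;
}

/* Allocation attempt: gives up when no bucket is reported free. */
static bool alloc_bucket(struct journal_model *j)
{
    if (free_buckets(j) == 0)
        return false;
    j->active++;
    return true;
}

/* Heavy write load fills the journal, then the cache set is registered
 * again. Model assumption: replaying the first jset splits a btree node
 * and needs one new bucket before anything has been reclaimed.
 * Returns 0 if replay can proceed, -1 if it would wait forever. */
static int fill_then_replay(unsigned int nbuckets, bool patched)
{
    struct journal_model j = { nbuckets, 0, patched };
    while (alloc_bucket(&j)) { }   /* run time: fill until allocation fails */
    j.do_reserve = false;          /* registration: the reserve may be used */
    if (!alloc_bucket(&j))
        return -1;                 /* no space, nothing reclaimable yet */
    return 0;
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n",
           fill_then_replay(8, false), fill_then_replay(8, true));
    return 0;
}
```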

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 5.10.121 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.46 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.17.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.18 (including) | 5.18.3 (excluding) |