From patchwork Fri Jan 2 00:50:51 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Simon Glass X-Patchwork-Id: 1185 Return-Path: X-Original-To: u-boot-concept@u-boot.org Delivered-To: u-boot-concept@u-boot.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org; s=default; t=1767315160; bh=1prV6nGMCB+M3cnrN/31GZqnCy1J2GhDaE6MmY/mMJM=; h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id: List-Archive:List-Help:List-Owner:List-Post:List-Subscribe: List-Unsubscribe:From; b=cI882lCfQu3ZNnnw9K2P/Ue/hCc9uXqs9dq2RFtuB+xOgqkIHo/uKfS7FeKUEM6TG QBydlhoEtdo/3IMNinLU5Ni4YuJoMg35uA7oUkvBlsl3sftYyiyubbAKvcUTeKOwmu 7qNViTB4PeqmbgYmsJgaqlD34J97x6OdYyGfB+3ey3glay3Nq+goi5y09CqTtfsm82 Z55Dyg3h834LTD9ibu3VvIpVN9EGaN3uQx1htMpZ5BXstENbGZWekkNgjSiREVSoxK qbP9gFi725IN7BA8II6dATLelqe5TvP+k4qQ2O990mYmKLGzP0FW45dTW5FqPywfwJ RSLEVRQ1yZqug== Received: from localhost (localhost [127.0.0.1]) by mail.u-boot.org (Postfix) with ESMTP id CD5EB68313 for ; Thu, 1 Jan 2026 17:52:40 -0700 (MST) X-Virus-Scanned: Debian amavis at Received: from mail.u-boot.org ([127.0.0.1]) by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10024) with ESMTP id lwlP9g5IY2_c for ; Thu, 1 Jan 2026 17:52:40 -0700 (MST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org; s=default; t=1767315160; bh=1prV6nGMCB+M3cnrN/31GZqnCy1J2GhDaE6MmY/mMJM=; h=From:To:Date:In-Reply-To:References:CC:Subject:List-Id: List-Archive:List-Help:List-Owner:List-Post:List-Subscribe: List-Unsubscribe:From; b=cI882lCfQu3ZNnnw9K2P/Ue/hCc9uXqs9dq2RFtuB+xOgqkIHo/uKfS7FeKUEM6TG QBydlhoEtdo/3IMNinLU5Ni4YuJoMg35uA7oUkvBlsl3sftYyiyubbAKvcUTeKOwmu 7qNViTB4PeqmbgYmsJgaqlD34J97x6OdYyGfB+3ey3glay3Nq+goi5y09CqTtfsm82 Z55Dyg3h834LTD9ibu3VvIpVN9EGaN3uQx1htMpZ5BXstENbGZWekkNgjSiREVSoxK qbP9gFi725IN7BA8II6dATLelqe5TvP+k4qQ2O990mYmKLGzP0FW45dTW5FqPywfwJ RSLEVRQ1yZqug== Received: from mail.u-boot.org (localhost [127.0.0.1]) by mail.u-boot.org (Postfix) with ESMTP id B3B4768F58 for ; Thu, 1 Jan 2026 17:52:40 -0700 (MST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org; s=default; t=1767315157; bh=YuLznqL6Eg+VMPq1MGzNeBaI1jNnUrPBn/2KKH6LwX4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wsGrXOGDjD/xjE9tclFLpapyTK4yLoGgapzPC8NWYars3dndRhYIUyhwOACctSHVv yJAGaQKOnOpujPUuGNYTw4g6WWhYlBArRPwxq2vUyZtI8kO7GEPXHy30JP8fxQKZt8 93zWbKP9GtJ6pa6v2ZS9fCN3/SZDikrpWdCatZWFikMgF1UtVWDiEdjetQeDpmaaGQ ZixVO4xKM0FgN497IIzJdGwWkC5C41dQj8eLqBuc5p/s1LVY/pMasiZQhWo7oJFB0h r974dJUVisbMTkBnw/EwbKL7ZcECbsl1u+WZ1RPdp+3UlG+h5rzKGgNg9IZEODrN/j LBCWR6rtkunGw== Received: from localhost (localhost [127.0.0.1]) by mail.u-boot.org (Postfix) with ESMTP id D559768F58; Thu, 1 Jan 2026 17:52:37 -0700 (MST) X-Virus-Scanned: Debian amavis at Received: from mail.u-boot.org ([127.0.0.1]) by localhost (mail.u-boot.org [127.0.0.1]) (amavis, port 10026) with ESMTP id GSQ9581YUw49; Thu, 1 Jan 2026 17:52:37 -0700 (MST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=u-boot.org; s=default; t=1767315151; bh=6ZRGRb4ZxPdgVImImakStOxmsE9ADzGNVWklf/a8mMA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=lIYF9ySZkHP5tli69sRZ4xJGIaPfu6hiwYQ9+Y4usmhCzkVXjcpUB6/u1AqPgHmxa 1X9cnKLqi08STnx2NXmPzEQCmcATyBeGn0v3u+SXspN/TB7iw/l32/sDAcoVksBiGh GsFdtvnso5qvozgWJOh+DXWxllmqHXs2vI3MB6ugpYPtbunDkcbqrrENd+8nnQnpKC Td46SSuQKw56M1EnmttSTofsEpCV2K0eajRqWdZT4o+62ZX9dKhy2V2fzmUuVp6S05 NfORpzBGhhzK6iq94loZZ3gZOkr99bOSr14CApbcI/y0b8rEjAYaSL7E2uMIA8/Io0 sOSrHb90qKEyQ== Received: from u-boot.org (unknown [73.34.74.121]) by mail.u-boot.org (Postfix) with ESMTPSA id 800B568F53; Thu, 1 Jan 2026 17:52:31 -0700 (MST) From: Simon Glass To: U-Boot Concept Date: Thu, 1 Jan 2026 17:50:51 -0700 Message-ID: <20260102005112.552256-22-sjg@u-boot.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260102005112.552256-1-sjg@u-boot.org> References: <20260102005112.552256-1-sjg@u-boot.org> MIME-Version: 1.0 Message-ID-Hash: 72UJGDKSMUOF2CZR2YWU7ML573YNNNYM X-Message-ID-Hash: 72UJGDKSMUOF2CZR2YWU7ML573YNNNYM X-MailFrom: sjg@u-boot.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Heinrich Schuchardt , Simon Glass , Claude X-Mailman-Version: 3.3.10 Precedence: list Subject: [Concept] [PATCH v2 21/30] ext4l: Prevent freeing buffer_heads with active journal_heads List-Id: Discussion and patches related to U-Boot Concept Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: From: Simon Glass When running filesystem tests back-to-back, buffer_heads could be freed while journal_heads still reference them. This causes use-after-free crashes when the journal code later accesses the stale b_bh pointer. Add protection in free_buffer_head() to skip buffers with JBD attached, since the journal owns a reference and will clean them up properly. Also add protection in brelse() to prevent the ref count from dropping to zero while JBD is still attached. Update comments in ext4l_close_internal() to clarify why cache cleanup is critical even during skip_io mode. Fixes crashes when test_fs13 runs after test_fs11 in the same session. Co-developed-by: Claude Signed-off-by: Simon Glass --- (no changes since v1) fs/ext4l/support.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/fs/ext4l/support.c b/fs/ext4l/support.c index 71c906d9c88..4025d291fec 100644 --- a/fs/ext4l/support.c +++ b/fs/ext4l/support.c @@ -469,6 +469,15 @@ void free_buffer_head(struct buffer_head *bh) if (!bh) return; + /* + * Never free a buffer_head that has a journal_head attached. + * This would cause use-after-free when the journal tries to access it. + * The journal owns a reference and the buffer will be cleaned up when + * the journal_head is properly released. + */ + if (buffer_jbd(bh)) + return; + /* * Shadow buffers (b_private != NULL) share their folio with the * original buffer. Don't free the shared folio.