298b5c5217
We hit the following issue when running a syzkaller test:

[ 1901.130043] EXT4-fs error (device vda): ext4_remount:5624: comm syz-executor.5: Abort forced by user
[ 1901.130901] Aborting journal on device vda-8.
[ 1901.131437] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.16: Detected aborted journal
[ 1901.131566] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.11: Detected aborted journal
[ 1901.132586] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.18: Detected aborted journal
[ 1901.132751] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.9: Detected aborted journal
[ 1901.136149] EXT4-fs error (device vda) in ext4_reserve_inode_write:6035: Journal has aborted
[ 1901.136837] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-fuzzer: Detected aborted journal
[ 1901.136915] ==================================================================
[ 1901.138175] BUG: KASAN: null-ptr-deref in __ext4_journal_ensure_credits+0x74/0x140 [ext4]
[ 1901.138343] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.13: Detected aborted journal
[ 1901.138398] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.1: Detected aborted journal
[ 1901.138808] Read of size 8 at addr 0000000000000000 by task syz-executor.17/968
[ 1901.138817]
[ 1901.138852] EXT4-fs error (device vda): ext4_journal_check_start:61: comm syz-executor.30: Detected aborted journal
[ 1901.144779] CPU: 1 PID: 968 Comm: syz-executor.17 Not tainted 4.19.90-vhulk2111.1.0.h893.eulerosv2r10.aarch64+ #1
[ 1901.146479] Hardware name: linux,dummy-virt (DT)
[ 1901.147317] Call trace:
[ 1901.147552] dump_backtrace+0x0/0x2d8
[ 1901.147898] show_stack+0x28/0x38
[ 1901.148215] dump_stack+0xec/0x15c
[ 1901.148746] kasan_report+0x108/0x338
[ 1901.149207] __asan_load8+0x58/0xb0
[ 1901.149753] __ext4_journal_ensure_credits+0x74/0x140 [ext4]
[ 1901.150579] ext4_xattr_delete_inode+0xe4/0x700 [ext4]
[ 1901.151316] ext4_evict_inode+0x524/0xba8 [ext4]
[ 1901.151985] evict+0x1a4/0x378
[ 1901.152353] iput+0x310/0x428
[ 1901.152733] do_unlinkat+0x260/0x428
[ 1901.153056] __arm64_sys_unlinkat+0x6c/0xc0
[ 1901.153455] el0_svc_common+0xc8/0x320
[ 1901.153799] el0_svc_handler+0xf8/0x160
[ 1901.154265] el0_svc+0x10/0x218
[ 1901.154682] ==================================================================

This issue may happen as follows:

        Process1                                    Process2
ext4_evict_inode
  ext4_journal_start
   ext4_truncate
     ext4_ind_truncate
       ext4_free_branches
         ext4_ind_truncate_ensure_credits
           ext4_journal_ensure_credits_fn
             ext4_journal_restart
               handle->h_transaction = NULL;
                                             mount -o remount,abort /mnt
                                               -> trigger JBD abort
               start_this_handle -> will return failed
  ext4_xattr_delete_inode
    ext4_journal_ensure_credits
      ext4_journal_ensure_credits_fn
        __ext4_journal_ensure_credits
          jbd2_handle_buffer_credits
            journal = handle->h_transaction->t_journal; ->null-ptr-deref

Currently, the indirect truncate path does not handle this error. To solve
the issue, simply adding a check for an aborted handle in
'__ext4_journal_ensure_credits' is probably enough, and I also think this
check is necessary.

Cc: stable@kernel.org
Signed-off-by: Ye Bin <yebin10@huawei.com>
Link: https://lore.kernel.org/r/20211224100341.3299128-1-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
393 lines
10 KiB
C
393 lines
10 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* Interface between ext4 and JBD
|
|
*/
|
|
|
|
#include "ext4_jbd2.h"
|
|
|
|
#include <trace/events/ext4.h>
|
|
|
|
int ext4_inode_journal_mode(struct inode *inode)
|
|
{
|
|
if (EXT4_JOURNAL(inode) == NULL)
|
|
return EXT4_INODE_WRITEBACK_DATA_MODE; /* writeback */
|
|
/* We do not support data journalling with delayed allocation */
|
|
if (!S_ISREG(inode->i_mode) ||
|
|
ext4_test_inode_flag(inode, EXT4_INODE_EA_INODE) ||
|
|
test_opt(inode->i_sb, DATA_FLAGS) == EXT4_MOUNT_JOURNAL_DATA ||
|
|
(ext4_test_inode_flag(inode, EXT4_INODE_JOURNAL_DATA) &&
|
|
!test_opt(inode->i_sb, DELALLOC))) {
|
|
/* We do not support data journalling for encrypted data */
|
|
if (S_ISREG(inode->i_mode) && IS_ENCRYPTED(inode))
|
|
return EXT4_INODE_ORDERED_DATA_MODE; /* ordered */
|
|
return EXT4_INODE_JOURNAL_DATA_MODE; /* journal data */
|
|
}
|
|
if (test_opt(inode->i_sb, DATA_FLAGS) == EXT4_MOUNT_ORDERED_DATA)
|
|
return EXT4_INODE_ORDERED_DATA_MODE; /* ordered */
|
|
if (test_opt(inode->i_sb, DATA_FLAGS) == EXT4_MOUNT_WRITEBACK_DATA)
|
|
return EXT4_INODE_WRITEBACK_DATA_MODE; /* writeback */
|
|
BUG();
|
|
}
|
|
|
|
/* Just increment the non-pointer handle value */
|
|
static handle_t *ext4_get_nojournal(void)
|
|
{
|
|
handle_t *handle = current->journal_info;
|
|
unsigned long ref_cnt = (unsigned long)handle;
|
|
|
|
BUG_ON(ref_cnt >= EXT4_NOJOURNAL_MAX_REF_COUNT);
|
|
|
|
ref_cnt++;
|
|
handle = (handle_t *)ref_cnt;
|
|
|
|
current->journal_info = handle;
|
|
return handle;
|
|
}
|
|
|
|
|
|
/* Decrement the non-pointer handle value */
|
|
static void ext4_put_nojournal(handle_t *handle)
|
|
{
|
|
unsigned long ref_cnt = (unsigned long)handle;
|
|
|
|
BUG_ON(ref_cnt == 0);
|
|
|
|
ref_cnt--;
|
|
handle = (handle_t *)ref_cnt;
|
|
|
|
current->journal_info = handle;
|
|
}
|
|
|
|
/*
|
|
* Wrappers for jbd2_journal_start/end.
|
|
*/
|
|
static int ext4_journal_check_start(struct super_block *sb)
|
|
{
|
|
journal_t *journal;
|
|
|
|
might_sleep();
|
|
|
|
if (unlikely(ext4_forced_shutdown(EXT4_SB(sb))))
|
|
return -EIO;
|
|
|
|
if (sb_rdonly(sb))
|
|
return -EROFS;
|
|
WARN_ON(sb->s_writers.frozen == SB_FREEZE_COMPLETE);
|
|
journal = EXT4_SB(sb)->s_journal;
|
|
/*
|
|
* Special case here: if the journal has aborted behind our
|
|
* backs (eg. EIO in the commit thread), then we still need to
|
|
* take the FS itself readonly cleanly.
|
|
*/
|
|
if (journal && is_journal_aborted(journal)) {
|
|
ext4_abort(sb, -journal->j_errno, "Detected aborted journal");
|
|
return -EROFS;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
handle_t *__ext4_journal_start_sb(struct super_block *sb, unsigned int line,
|
|
int type, int blocks, int rsv_blocks,
|
|
int revoke_creds)
|
|
{
|
|
journal_t *journal;
|
|
int err;
|
|
|
|
trace_ext4_journal_start(sb, blocks, rsv_blocks, revoke_creds,
|
|
_RET_IP_);
|
|
err = ext4_journal_check_start(sb);
|
|
if (err < 0)
|
|
return ERR_PTR(err);
|
|
|
|
journal = EXT4_SB(sb)->s_journal;
|
|
if (!journal || (EXT4_SB(sb)->s_mount_state & EXT4_FC_REPLAY))
|
|
return ext4_get_nojournal();
|
|
return jbd2__journal_start(journal, blocks, rsv_blocks, revoke_creds,
|
|
GFP_NOFS, type, line);
|
|
}
|
|
|
|
/*
 * Stop @handle.
 *
 * @where and @line identify the caller and are only used when an error
 * is reported.
 *
 * For a no-journal pseudo handle this just drops the nesting count and
 * returns 0.  Otherwise the result is the error recorded in the handle
 * (h_err) if there is one, else the return value of jbd2_journal_stop().
 * A non-zero result is additionally reported through __ext4_std_error(),
 * but only when the handle still had a transaction attached, since the
 * superblock is looked up through that transaction.
 */
int __ext4_journal_stop(const char *where, unsigned int line, handle_t *handle)
{
	struct super_block *sb = NULL;
	bool had_transaction;
	int recorded_err;
	int stop_err;
	int ret;

	if (!ext4_handle_valid(handle)) {
		ext4_put_nojournal(handle);
		return 0;
	}

	/*
	 * Everything needed from the handle is read before calling
	 * jbd2_journal_stop(); the handle is not touched afterwards.
	 */
	recorded_err = handle->h_err;
	had_transaction = handle->h_transaction != NULL;
	if (had_transaction)
		sb = handle->h_transaction->t_journal->j_private;

	stop_err = jbd2_journal_stop(handle);

	ret = recorded_err ? recorded_err : stop_err;
	if (had_transaction && ret)
		__ext4_std_error(sb, where, line, ret);
	return ret;
}
|
|
|
|
/*
 * Start a previously reserved @handle.
 *
 * @line and @type are passed through to jbd2_journal_start_reserved().
 *
 * Returns a no-journal pseudo handle if @handle is not a valid journal
 * handle, ERR_PTR() on failure, and @handle itself on success.  When
 * ext4_journal_check_start() refuses the start, the reserved handle is
 * released with jbd2_journal_free_reserved() before returning.
 */
handle_t *__ext4_journal_start_reserved(handle_t *handle, unsigned int line,
					int type)
{
	struct super_block *sb;
	int ret;

	if (!ext4_handle_valid(handle))
		return ext4_get_nojournal();

	sb = handle->h_journal->j_private;
	trace_ext4_journal_start_reserved(sb,
				jbd2_handle_buffer_credits(handle), _RET_IP_);

	ret = ext4_journal_check_start(sb);
	if (ret < 0) {
		jbd2_journal_free_reserved(handle);
		return ERR_PTR(ret);
	}

	ret = jbd2_journal_start_reserved(handle, type, line);
	return ret < 0 ? ERR_PTR(ret) : handle;
}
|
|
|
|
/*
 * Make sure @handle has at least @check_cred buffer credits and
 * @revoke_cred revoke credits, extending it if necessary.
 *
 * When the handle falls short, it is extended so that it ends up with
 * @extend_cred buffer credits and @revoke_cred revoke credits; only the
 * missing amounts (never negative) are requested from
 * ext4_journal_extend().
 *
 * Returns 0 for a no-journal handle or when the credits already
 * suffice, -EROFS when the handle is aborted, and otherwise whatever
 * ext4_journal_extend() returns.
 */
int __ext4_journal_ensure_credits(handle_t *handle, int check_cred,
				  int extend_cred, int revoke_cred)
{
	int buf_credits;
	int rev_credits;

	if (!ext4_handle_valid(handle))
		return 0;

	/*
	 * This has to come before any credit lookup: an aborted handle may
	 * have lost its transaction (h_transaction == NULL), and the buffer
	 * credit computation dereferences it.
	 */
	if (is_handle_aborted(handle))
		return -EROFS;

	buf_credits = jbd2_handle_buffer_credits(handle);
	rev_credits = handle->h_revoke_credits;
	if (buf_credits >= check_cred && rev_credits >= revoke_cred)
		return 0;

	/* Ask only for what is missing, clamped at zero. */
	extend_cred -= buf_credits;
	if (extend_cred < 0)
		extend_cred = 0;

	revoke_cred -= rev_credits;
	if (revoke_cred < 0)
		revoke_cred = 0;

	return ext4_journal_extend(handle, extend_cred, revoke_cred);
}
|
|
|
|
static void ext4_journal_abort_handle(const char *caller, unsigned int line,
|
|
const char *err_fn,
|
|
struct buffer_head *bh,
|
|
handle_t *handle, int err)
|
|
{
|
|
char nbuf[16];
|
|
const char *errstr = ext4_decode_error(NULL, err, nbuf);
|
|
|
|
BUG_ON(!ext4_handle_valid(handle));
|
|
|
|
if (bh)
|
|
BUFFER_TRACE(bh, "abort");
|
|
|
|
if (!handle->h_err)
|
|
handle->h_err = err;
|
|
|
|
if (is_handle_aborted(handle))
|
|
return;
|
|
|
|
printk(KERN_ERR "EXT4-fs: %s:%d: aborting transaction: %s in %s\n",
|
|
caller, line, errstr, err_fn);
|
|
|
|
jbd2_journal_abort_handle(handle);
|
|
}
|
|
|
|
static void ext4_check_bdev_write_error(struct super_block *sb)
|
|
{
|
|
struct address_space *mapping = sb->s_bdev->bd_inode->i_mapping;
|
|
struct ext4_sb_info *sbi = EXT4_SB(sb);
|
|
int err;
|
|
|
|
/*
|
|
* If the block device has write error flag, it may have failed to
|
|
* async write out metadata buffers in the background. In this case,
|
|
* we could read old data from disk and write it out again, which
|
|
* may lead to on-disk filesystem inconsistency.
|
|
*/
|
|
if (errseq_check(&mapping->wb_err, READ_ONCE(sbi->s_bdev_wb_err))) {
|
|
spin_lock(&sbi->s_bdev_wb_lock);
|
|
err = errseq_check_and_advance(&mapping->wb_err, &sbi->s_bdev_wb_err);
|
|
spin_unlock(&sbi->s_bdev_wb_lock);
|
|
if (err)
|
|
ext4_error_err(sb, -err,
|
|
"Error while async write back metadata");
|
|
}
|
|
}
|
|
|
|
int __ext4_journal_get_write_access(const char *where, unsigned int line,
|
|
handle_t *handle, struct super_block *sb,
|
|
struct buffer_head *bh,
|
|
enum ext4_journal_trigger_type trigger_type)
|
|
{
|
|
int err;
|
|
|
|
might_sleep();
|
|
|
|
if (bh->b_bdev->bd_super)
|
|
ext4_check_bdev_write_error(bh->b_bdev->bd_super);
|
|
|
|
if (ext4_handle_valid(handle)) {
|
|
err = jbd2_journal_get_write_access(handle, bh);
|
|
if (err) {
|
|
ext4_journal_abort_handle(where, line, __func__, bh,
|
|
handle, err);
|
|
return err;
|
|
}
|
|
}
|
|
if (trigger_type == EXT4_JTR_NONE || !ext4_has_metadata_csum(sb))
|
|
return 0;
|
|
BUG_ON(trigger_type >= EXT4_JOURNAL_TRIGGER_COUNT);
|
|
jbd2_journal_set_triggers(bh,
|
|
&EXT4_SB(sb)->s_journal_triggers[trigger_type].tr_triggers);
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* The ext4 forget function must perform a revoke if we are freeing data
|
|
* which has been journaled. Metadata (eg. indirect blocks) must be
|
|
* revoked in all cases.
|
|
*
|
|
* "bh" may be NULL: a metadata block may have been freed from memory
|
|
* but there may still be a record of it in the journal, and that record
|
|
* still needs to be revoked.
|
|
*/
|
|
int __ext4_forget(const char *where, unsigned int line, handle_t *handle,
|
|
int is_metadata, struct inode *inode,
|
|
struct buffer_head *bh, ext4_fsblk_t blocknr)
|
|
{
|
|
int err;
|
|
|
|
might_sleep();
|
|
|
|
trace_ext4_forget(inode, is_metadata, blocknr);
|
|
BUFFER_TRACE(bh, "enter");
|
|
|
|
jbd_debug(4, "forgetting bh %p: is_metadata = %d, mode %o, "
|
|
"data mode %x\n",
|
|
bh, is_metadata, inode->i_mode,
|
|
test_opt(inode->i_sb, DATA_FLAGS));
|
|
|
|
/* In the no journal case, we can just do a bforget and return */
|
|
if (!ext4_handle_valid(handle)) {
|
|
bforget(bh);
|
|
return 0;
|
|
}
|
|
|
|
/* Never use the revoke function if we are doing full data
|
|
* journaling: there is no need to, and a V1 superblock won't
|
|
* support it. Otherwise, only skip the revoke on un-journaled
|
|
* data blocks. */
|
|
|
|
if (test_opt(inode->i_sb, DATA_FLAGS) == EXT4_MOUNT_JOURNAL_DATA ||
|
|
(!is_metadata && !ext4_should_journal_data(inode))) {
|
|
if (bh) {
|
|
BUFFER_TRACE(bh, "call jbd2_journal_forget");
|
|
err = jbd2_journal_forget(handle, bh);
|
|
if (err)
|
|
ext4_journal_abort_handle(where, line, __func__,
|
|
bh, handle, err);
|
|
return err;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* data!=journal && (is_metadata || should_journal_data(inode))
|
|
*/
|
|
BUFFER_TRACE(bh, "call jbd2_journal_revoke");
|
|
err = jbd2_journal_revoke(handle, blocknr, bh);
|
|
if (err) {
|
|
ext4_journal_abort_handle(where, line, __func__,
|
|
bh, handle, err);
|
|
__ext4_error(inode->i_sb, where, line, true, -err, 0,
|
|
"error %d when attempting revoke", err);
|
|
}
|
|
BUFFER_TRACE(bh, "exit");
|
|
return err;
|
|
}
|
|
|
|
int __ext4_journal_get_create_access(const char *where, unsigned int line,
|
|
handle_t *handle, struct super_block *sb,
|
|
struct buffer_head *bh,
|
|
enum ext4_journal_trigger_type trigger_type)
|
|
{
|
|
int err;
|
|
|
|
if (!ext4_handle_valid(handle))
|
|
return 0;
|
|
|
|
err = jbd2_journal_get_create_access(handle, bh);
|
|
if (err) {
|
|
ext4_journal_abort_handle(where, line, __func__, bh, handle,
|
|
err);
|
|
return err;
|
|
}
|
|
if (trigger_type == EXT4_JTR_NONE || !ext4_has_metadata_csum(sb))
|
|
return 0;
|
|
BUG_ON(trigger_type >= EXT4_JOURNAL_TRIGGER_COUNT);
|
|
jbd2_journal_set_triggers(bh,
|
|
&EXT4_SB(sb)->s_journal_triggers[trigger_type].tr_triggers);
|
|
return 0;
|
|
}
|
|
|
|
int __ext4_handle_dirty_metadata(const char *where, unsigned int line,
|
|
handle_t *handle, struct inode *inode,
|
|
struct buffer_head *bh)
|
|
{
|
|
int err = 0;
|
|
|
|
might_sleep();
|
|
|
|
set_buffer_meta(bh);
|
|
set_buffer_prio(bh);
|
|
set_buffer_uptodate(bh);
|
|
if (ext4_handle_valid(handle)) {
|
|
err = jbd2_journal_dirty_metadata(handle, bh);
|
|
/* Errors can only happen due to aborted journal or a nasty bug */
|
|
if (!is_handle_aborted(handle) && WARN_ON_ONCE(err)) {
|
|
ext4_journal_abort_handle(where, line, __func__, bh,
|
|
handle, err);
|
|
if (inode == NULL) {
|
|
pr_err("EXT4: jbd2_journal_dirty_metadata "
|
|
"failed: handle type %u started at "
|
|
"line %u, credits %u/%u, errcode %d",
|
|
handle->h_type,
|
|
handle->h_line_no,
|
|
handle->h_requested_credits,
|
|
jbd2_handle_buffer_credits(handle), err);
|
|
return err;
|
|
}
|
|
ext4_error_inode(inode, where, line,
|
|
bh->b_blocknr,
|
|
"journal_dirty_metadata failed: "
|
|
"handle type %u started at line %u, "
|
|
"credits %u/%u, errcode %d",
|
|
handle->h_type,
|
|
handle->h_line_no,
|
|
handle->h_requested_credits,
|
|
jbd2_handle_buffer_credits(handle),
|
|
err);
|
|
}
|
|
} else {
|
|
if (inode)
|
|
mark_buffer_dirty_inode(bh, inode);
|
|
else
|
|
mark_buffer_dirty(bh);
|
|
if (inode && inode_needs_sync(inode)) {
|
|
sync_dirty_buffer(bh);
|
|
if (buffer_req(bh) && !buffer_uptodate(bh)) {
|
|
ext4_error_inode_err(inode, where, line,
|
|
bh->b_blocknr, EIO,
|
|
"IO error syncing itable block");
|
|
err = -EIO;
|
|
}
|
|
}
|
|
}
|
|
return err;
|
|
}
|