summaryrefslogtreecommitdiffstats
path: root/fs/jbd2
diff options
context:
space:
mode:
authorZhang Yi <yi.zhang@huawei.com>2023-06-16 09:55:47 +0800
committerTheodore Ts'o <tytso@mit.edu>2023-06-26 19:36:45 -0400
commit31464ab01fff910cb88376384e2b6824f7bf713f (patch)
tree8ff3aadc1976d5683364096e36bb04ee9d0bbded /fs/jbd2
parentc4d13222afd8a64bf11bc7ec68645496ee8b54b9 (diff)
downloadlinux-stable-31464ab01fff910cb88376384e2b6824f7bf713f.tar.gz
linux-stable-31464ab01fff910cb88376384e2b6824f7bf713f.tar.bz2
linux-stable-31464ab01fff910cb88376384e2b6824f7bf713f.zip
jbd2: skip reading super block if it has been verified
We got a NULL pointer dereference issue below while running generic/475 I/O failure pressure test. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT SMP PTI CPU: 1 PID: 15600 Comm: fsstress Not tainted 6.4.0-rc5-xfstests-00055-gd3ab1bca26b4 #190 RIP: 0010:jbd2_journal_set_features+0x13d/0x430 ... Call Trace: <TASK> ? __die+0x23/0x60 ? page_fault_oops+0xa4/0x170 ? exc_page_fault+0x67/0x170 ? asm_exc_page_fault+0x26/0x30 ? jbd2_journal_set_features+0x13d/0x430 jbd2_journal_revoke+0x47/0x1e0 __ext4_forget+0xc3/0x1b0 ext4_free_blocks+0x214/0x2f0 ext4_free_branches+0xeb/0x270 ext4_ind_truncate+0x2bf/0x320 ext4_truncate+0x1e4/0x490 ext4_handle_inode_extension+0x1bd/0x2a0 ? iomap_dio_complete+0xaf/0x1d0 The root cause is the journal super block had been failed to write out due to I/O fault injection, it's uptodate bit was cleared by end_buffer_write_sync() and didn't reset yet in jbd2_write_superblock(). And it raced by journal_get_superblock()->bh_read(), unfortunately, the read IO is also failed, so the error handling in journal_fail_superblock() unexpectedly clear the journal->j_sb_buffer, finally lead to above NULL pointer dereference issue. If the journal super block had been read and verified, there is no need to call bh_read() read it again even if it has been failed to written out. So the fix could be simply move buffer_verified(bh) in front of bh_read(). Also remove a stale comment left in jbd2_journal_check_used_features(). Fixes: 51bacdba23d8 ("jbd2: factor out journal initialization from journal_get_superblock()") Reported-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Zhang Yi <yi.zhang@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20230616015547.3155195-1-yi.zhang@huaweicloud.com Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Diffstat (limited to 'fs/jbd2')
-rw-r--r--fs/jbd2/journal.c7
1 files changed, 3 insertions, 4 deletions
diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
index b5e57735ab3f..559242df0f9a 100644
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -1919,6 +1919,9 @@ static int journal_get_superblock(journal_t *journal)
bh = journal->j_sb_buffer;
J_ASSERT(bh != NULL);
+ if (buffer_verified(bh))
+ return 0;
+
err = bh_read(bh, 0);
if (err < 0) {
printk(KERN_ERR
@@ -1926,9 +1929,6 @@ static int journal_get_superblock(journal_t *journal)
goto out;
}
- if (buffer_verified(bh))
- return 0;
-
sb = journal->j_superblock;
err = -EINVAL;
@@ -2229,7 +2229,6 @@ int jbd2_journal_check_used_features(journal_t *journal, unsigned long compat,
if (!compat && !ro && !incompat)
return 1;
- /* Load journal superblock if it is not loaded yet. */
if (journal_get_superblock(journal))
return 0;
if (!jbd2_format_support_feature(journal))