[PATCH v3] ext4: Make block validity check resistent to sb bh corruption

From: Ojaswin Mujoo
Date: Fri Mar 28 2025 - 02:25:23 EST

Next message: Yu Kuai: "[PATCH RFC v2 07/14] md/md-llbitmap: implement hidden disk to manage bitmap IO"
Previous message: Dev Jain: "[PATCH] arm64: pageattr: Explicitly bail out when changing permissions for vmalloc_huge mappings"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Block validity checks need to be skipped in case they are called
for journal blocks since they are part of system's protected
zone.

Currently, this is done by checking inode->ino against
sbi->s_es->s_journal_inum, which is a direct read from the ext4 sb
buffer head. If someone modifies this underneath us then the
s_journal_inum field might get corrupted. To prevent against this,
change the check to directly compare the inode with journal->j_inode.

**Slight change in behavior**: During journal init path,
check_block_validity etc might be called for journal inode when
sbi->s_journal is not set yet. In this case we now proceed with
ext4_inode_block_valid() instead of returning early. Since systems zones
have not been set yet, it is okay to proceed so we can perform basic
checks on the blocks.

Suggested-by: Baokun Li <libaokun1@xxxxxxxxxx>
Reviewed-by: Baokun Li <libaokun1@xxxxxxxxxx>
Reviewed-by: Jan Kara <jack@xxxxxxx>
Reviewed-by: Zhang Yi <yi.zhang@xxxxxxxxxx>
Signed-off-by: Ojaswin Mujoo <ojaswin@xxxxxxxxxxxxx>
---

** Changes since v1 [2] **
- minor indentation fix
- RVBs from Yi, Baokun & Jan (Thanks!)

[2] https://lore.kernel.org/linux-ext4/c434eb50ee5161e23036d58a6166a7e216f6d6a0.1743097281.git.ojaswin@xxxxxxxxxxxxx/

** Changes since v1 [1] **

- instead of using an sbi field direction check against jorunal->j_inode
- let block validity perform basic checks on journal blocks as well
during init path
- kvm-xfstests quick tests are passing
- commit header changed

[1] https://lore.kernel.org/linux-ext4/d1a9328a41029f6210a1924b192a59afcd3c5cee.1741952406.git.ojaswin@xxxxxxxxxxxxx/

fs/ext4/block_validity.c | 5 ++---
fs/ext4/inode.c | 7 ++++---
2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c
index 87ee3a17bd29..e8c5525afc67 100644
--- a/fs/ext4/block_validity.c
+++ b/fs/ext4/block_validity.c
@@ -351,10 +351,9 @@ int ext4_check_blockref(const char *function, unsigned int line,
{
__le32 *bref = p;
unsigned int blk;
+ journal_t *journal = EXT4_SB(inode->i_sb)->s_journal;

- if (ext4_has_feature_journal(inode->i_sb) &&
- (inode->i_ino ==
- le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum)))
+ if (journal && inode == journal->j_inode)
return 0;

while (bref < p+max) {
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 365d31004bd0..67429c50e5a0 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -384,10 +384,11 @@ static int __check_block_validity(struct inode *inode, const char *func,
unsigned int line,
struct ext4_map_blocks *map)
{
- if (ext4_has_feature_journal(inode->i_sb) &&
- (inode->i_ino ==
- le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum)))
+ journal_t *journal = EXT4_SB(inode->i_sb)->s_journal;
+
+ if (journal && inode == journal->j_inode)
return 0;
+
if (!ext4_inode_block_valid(inode, map->m_pblk, map->m_len)) {
ext4_error_inode(inode, func, line, map->m_pblk,
"lblock %lu mapped to illegal pblock %llu "
--
2.48.1

Next message: Yu Kuai: "[PATCH RFC v2 07/14] md/md-llbitmap: implement hidden disk to manage bitmap IO"
Previous message: Dev Jain: "[PATCH] arm64: pageattr: Explicitly bail out when changing permissions for vmalloc_huge mappings"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]