linux-ext4.vger.kernel.org archive mirror
From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: "Theodore Ts'o" <tytso@mit.edu>
Cc: linux-ext4 <linux-ext4@vger.kernel.org>
Subject: [PATCH] ext4: Prevent massive fs corruption if verifying the block bitmap fails
Date: Tue, 16 Jul 2013 19:02:09 -0700
Message-ID: <20130717020209.GB5785@blackbox.djwong.org>

The block bitmap verification code assumes that calling ext4_error() either
panics the system or makes the fs readonly.  However, this is not always true:
when 'errors=continue' is specified, an error is printed but we don't return
any indication of error to the caller, which is (probably) the block allocator,
which pretends that the crud we read in off the disk is a usable bitmap.  Yuck.

A block bitmap that fails the check should at least return no bitmap to the
caller.  The block allocator should be told to go look in a different group,
but that's a separate issue.

The easiest way to reproduce this is to modify bg_block_bitmap (on a ^flex_bg
fs) to point to a block outside the block group; or you can create a
metadata_csum filesystem and zero out the block bitmaps after copying files.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
---
 fs/ext4/balloc.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
index ddd715e..b430afe 100644
--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
@@ -445,7 +445,10 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
 	return bh;
 verify:
 	ext4_validate_block_bitmap(sb, desc, block_group, bh);
-	return bh;
+	if (buffer_verified(bh))
+		return bh;
+	put_bh(bh);
+	return NULL;
 }
 
 /* Returns 0 on success, 1 on error */
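Review bot: The new failure path after `verify:` infers the result of ext4_validate_block_bitmap() from the buffer_verified(bh) flag instead of from the validator itself, and it carries no comment saying why NULL is returned here. Consider having ext4_validate_block_bitmap() return a status that this function tests directly, so the check does not depend on the flag being set only on success; failing that, add a short comment above `if (buffer_verified(bh))` noting that with errors=continue the validator can return without stopping the filesystem, which is the reason the buffer reference is dropped with put_bh(bh) and no bitmap is handed back. Callers of ext4_read_block_bitmap_nowait() that previously always received a buffer_head on this path should be checked for NULL handling as part of this change.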
@@ -469,7 +472,8 @@ int ext4_wait_block_bitmap(struct super_block *sb, ext4_group_t block_group,
 	clear_buffer_new(bh);
 	/* Panic or remount fs read-only if block bitmap is invalid */
 	ext4_validate_block_bitmap(sb, desc, block_group, bh);
-	return 0;
+	/* ...but check for error just in case errors=continue. */
+	return !buffer_verified(bh);
 }
 
 struct buffer_head *
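Review bot: The retained comment "Panic or remount fs read-only if block bitmap is invalid" above the ext4_validate_block_bitmap() call in ext4_wait_block_bitmap() still states the assumption this patch shows to be false, and the added "...but check for error just in case errors=continue" line reads as an afterthought to it. Suggest merging the two into one comment that says the validator may only log under errors=continue, so the result is taken from buffer_verified(bh). The `return !buffer_verified(bh);` expression does match the documented "Returns 0 on success, 1 on error" contract, so the return value itself looks right; as in the first hunk, a status returned by the validator would be clearer than reading the flag back.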
