From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Ye Bin <yebin10@huawei.com>,
Jan Kara <jack@suse.cz>, Theodore Tso <tytso@mit.edu>,
stable@kernel.org
Subject: [PATCH 6.18 02/29] jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
Date: Wed, 10 Dec 2025 16:30:12 +0900 [thread overview]
Message-ID: <20251210072944.435115763@linuxfoundation.org> (raw)
In-Reply-To: <20251210072944.363788552@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
commit 986835bf4d11032bba4ab8414d18fce038c61bb4 upstream.
There's issue when file system corrupted:
------------[ cut here ]------------
kernel BUG at fs/jbd2/transaction.c:1289!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next
RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0
RSP: 0018:ffff888117aafa30 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534
RDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010
RBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028
R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0
Call Trace:
<TASK>
__ext4_journal_get_create_access+0x42/0x170
ext4_getblk+0x319/0x6f0
ext4_bread+0x11/0x100
ext4_append+0x1e6/0x4a0
ext4_init_new_dir+0x145/0x1d0
ext4_mkdir+0x326/0x920
vfs_mkdir+0x45c/0x740
do_mkdirat+0x234/0x2f0
__x64_sys_mkdir+0xd6/0x120
do_syscall_64+0x5f/0xfa0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The above issue occurs with us in errors=continue mode when accompanied by
storage failures. There have been many inconsistencies in the file system
data.
In the case of file system data inconsistency, for example, if the block
bitmap of a referenced block is not set, it can lead to the situation where
a block being committed is allocated and used again. As a result, the
following condition will not be satisfied then trigger BUG_ON. Of course,
it is entirely possible to construct a problematic image that can trigger
this BUG_ON through specific operations. In fact, I have constructed such
an image and easily reproduced this issue.
Therefore, J_ASSERT() holds true only under ideal conditions, but it may
not necessarily be satisfied in exceptional scenarios. Using J_ASSERT()
directly in abnormal situations would cause the system to crash, which is
clearly not what we want. So here we directly trigger a JBD abort instead
of immediately invoking BUG_ON.
Fixes: 470decc613ab ("[PATCH] jbd2: initial copy of files from jbd")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251025072657.307851-1-yebin@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/transaction.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -1284,14 +1284,23 @@ int jbd2_journal_get_create_access(handl
* committing transaction's lists, but it HAS to be in Forget state in
* that case: the transaction must have deleted the buffer for it to be
* reused here.
+ * In the case of file system data inconsistency, for example, if the
+ * block bitmap of a referenced block is not set, it can lead to the
+ * situation where a block being committed is allocated and used again.
+ * As a result, the following condition will not be satisfied, so here
+ * we directly trigger a JBD abort instead of immediately invoking
+ * bugon.
*/
spin_lock(&jh->b_state_lock);
- J_ASSERT_JH(jh, (jh->b_transaction == transaction ||
- jh->b_transaction == NULL ||
- (jh->b_transaction == journal->j_committing_transaction &&
- jh->b_jlist == BJ_Forget)));
+ if (!(jh->b_transaction == transaction || jh->b_transaction == NULL ||
+ (jh->b_transaction == journal->j_committing_transaction &&
+ jh->b_jlist == BJ_Forget)) || jh->b_next_transaction != NULL) {
+ err = -EROFS;
+ spin_unlock(&jh->b_state_lock);
+ jbd2_journal_abort(journal, err);
+ goto out;
+ }
- J_ASSERT_JH(jh, jh->b_next_transaction == NULL);
J_ASSERT_JH(jh, buffer_locked(jh2bh(jh)));
if (jh->b_transaction == NULL) {
next prev parent reply other threads:[~2025-12-10 7:35 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-10 7:30 [PATCH 6.18 00/29] 6.18.1-rc1 review Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 01/29] Documentation: process: Also mention Sasha Levin as stable tree maintainer Greg Kroah-Hartman
2025-12-10 7:30 ` Greg Kroah-Hartman [this message]
2025-12-10 7:30 ` [PATCH 6.18 03/29] ext4: refresh inline data size before write operations Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 04/29] ksmbd: ipc: fix use-after-free in ipc_msg_send_request Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 05/29] locking/spinlock/debug: Fix data-race in do_raw_write_lock Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 06/29] crypto: zstd - fix double-free in per-CPU stream cleanup Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 07/29] ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 08/29] rust_binder: fix race condition on death_list Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 09/29] comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 10/29] KVM: SVM: Dont skip unrelated instruction if INT3/INTO is replaced Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 11/29] USB: serial: option: add Foxconn T99W760 Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 12/29] USB: serial: option: add Telit Cinterion FE910C04 new compositions Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 13/29] USB: serial: option: move Telit 0x10c7 composition in the right place Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 14/29] USB: serial: ftdi_sio: match on interface number for jtag Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 15/29] serial: add support of CPCI cards Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 16/29] dt-bindings: serial: rsci: Drop "uart-has-rtscts: false" Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 17/29] serial: sh-sci: Fix deadlock during RSCI FIFO overrun error Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 18/29] USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 19/29] USB: serial: kobil_sct: " Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 20/29] Documentation/rtla: rename common_xxx.rst files to common_xxx.txt Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 21/29] wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1 Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 22/29] wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U " Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 23/29] iio: adc: ad4080: fix chip identification Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 24/29] comedi: c6xdigio: Fix invalid PNP driver unregistration Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 25/29] comedi: multiq3: sanitize config options in multiq3_attach() Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 26/29] comedi: check devices attached status in compat ioctls Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 27/29] staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 28/29] staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 29/29] staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR " Greg Kroah-Hartman
2025-12-10 10:15 ` [PATCH 6.18 00/29] 6.18.1-rc1 review Brett A C Sheffield
2025-12-10 12:17 ` Takeshi Ogasawara
2025-12-10 13:18 ` Jeffrin Thalakkottoor
2025-12-10 14:01 ` Achill Gilgenast
2025-12-10 14:32 ` Peter Schneider
2025-12-10 19:42 ` Florian Fainelli
2025-12-10 21:02 ` Dileep malepu
2025-12-10 21:49 ` Ronald Warsow
2025-12-10 20:43 ` Hardik Garg
2025-12-10 21:54 ` Ron Economos
2025-12-11 6:44 ` Naresh Kamboju
2025-12-11 9:02 ` Mark Brown
2025-12-12 9:25 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251210072944.435115763@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jack@suse.cz \
--cc=patches@lists.linux.dev \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
--cc=tytso@mit.edu \
--cc=yebin10@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).