From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-dy1-f172.google.com (mail-dy1-f172.google.com [74.125.82.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1B61337D123 for ; Wed, 4 Mar 2026 17:20:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.172 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772644826; cv=none; b=KAwcp+apctmkcwkTZpr0oR/RcOZepgbjbheuF63COjj6cBnq2H44fqQCwY3JdA5lBGh06aF1cihypdXyi/6RGbbC8moBnikC9zSWXyt1hcn/m8N5tXBIh/xZJDJX8xq0fRwVLwRGBANYgWoADjwppGXB2hxcq7jlWzRaQwNFC3k= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772644826; c=relaxed/simple; bh=peJj7Q8NiQ8Grsrx3aJXrZaptm24iMlHWXSw8zPiwoo=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=ohDi5Ctho7gKatIfxJ2MW+qxgX+UZ6fdEm0j96qkzAHMjHwgJ8v7tB0ygAtjTYNgH4xUkv25RUv9XcJO0oYnbl3AOIh362ydTA6eg0Nz1zlC2p1zj9VhQUCfxaNPYBiDPqJHJFbs16P5DA5Xf2KIthK29P8mgN3aHMM9nU6QEu4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=VN6ssZGW; arc=none smtp.client-ip=74.125.82.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="VN6ssZGW" Received: by mail-dy1-f172.google.com with SMTP id 5a478bee46e88-2be1d9c356cso4728005eec.0 for ; Wed, 04 Mar 2026 09:20:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772644820; x=1773249620; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=l3EjPgnyNQ/RKAU/npHlRHCvzZZke+fnwSJ3S38yCtY=; b=VN6ssZGWaolGl+coyJQnIBwifv8C+ha3RlNMsvmmksUd1FZQA33XSK8rw0Ojcus+ew nyS/32/FxsdrOqv5ZPExIr4F6Wxltkxh+GzZ8BvOfVjSIyg7ZQu0NxADuOVBzpfcX7HD vfCMwsuAWpqae4OoHI1uxK4JbdD9FoNN9ChIMXtNZe6Y93EZPXKe/ql4bh9txjO5D92h U6EFwUAOeiy39UxPBekkCuX8KLmrqzX1wUzC5HpZQFNaZgTLLt75wBqyCSn4XEljIvQd PDKroo3u1hCVxmPOPFiiARwFeGu9cDKDtR8c4HRPw51Syq0RaRmZ3rvo5tI19glLIn8l GHZg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772644820; x=1773249620; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=l3EjPgnyNQ/RKAU/npHlRHCvzZZke+fnwSJ3S38yCtY=; b=m1+L6w731Mw/RAF8sWBmy4g7l8m0/sT+igam/d1ytiwdRCyyFNJW2FpcgQc/neJDjv 1XdyC4aSej19jgw3X/LRBBj34GQpYcdQRq8DPXW4/1G56N/5QsXrbQIKnjAV4Wl5e/mI OH4vxRlTd5Ht+EEJpOW2R6Udng9emdjjWGmBHOqSWzc030NdkIDAdgGCGP7BQ5A01bXF PVMgcN+HmWpnJo0Epr/UtfPudb8OsePehyEtCOQvYUhltXZDe0zPk5Zz3R2QGtVNnp4t EWtWg6A/PAEiwKnWVApTsIIjExBVWtzyVw7USbPBvRQHPc3PZpFFRtMfipzFRf6rzG7r wfgA== X-Forwarded-Encrypted: i=1; AJvYcCWROGYXGzxedPjeh9But9NxM/ksB3LIOtE6BccSzSxiiY/qL/HIRme1uiW8yrwM/AuKGbT+AJ+8A3uCyZU=@vger.kernel.org X-Gm-Message-State: AOJu0YzrIflKbQhz+74voI51TzUz3fJAUyBjVI1G7NvcaqlexbCNV4ZK XddPeeDYlTJPvwOunO649aQr7OA4BXM3lrXtq79xwaq97FUbT9mfQ0lY X-Gm-Gg: ATEYQzzTfnAO85m2m1x2YqRoQd9BWxwgN3TA/9xyU21OQbi3jyI0+IowCs0Q6jBm7G+ p8VWpsfd8BX0puQoGH9VAA8NyfCYNR+tRuCteworAWYCvQY0bGTCJtPkuesjRcouRmj2ceoaoKw HUoBuawSGtqm1nV/0pYkd0KjMEJ6YU0YKQBe/q7MIil12wnD6R90uinjBL4zgxeLDGdzgSQITNS tozVTnSgZ50Qf6Jeuh4o1uEFj0xb/n7zRNzhmQuHglMpBAcjbIQ7H5+XdYY06cw3/s3AU0nytXn UpkQr4mhnYMfRxaa4ZgNa4w81wfjKY1jlSkPG16j2acaYtIh/MxzB8XotGcy+06fehBUBs6zMPp i9icF+Du3Ik77AadaxXUBk7WytQdZ0a/GnsWPZqHj9vqyxDoAVMJlsPJUltDFyJqtJVjBsmHp7U nfoN/zDXIyOrPo6DEaZbSKMHIpgJecTxCTGprj2jNLBJ5ywUlgPRDW+Ygp0kd+K78NkfNHbGuK4 qJLgnTZxv0OT80I6CjMNhAVNKqvsNYxKK1Z9AX9yF5BThm7qTQDJTgI6p0xpH8Vkmc66if7ldVo X-Received: by 2002:a05:7300:fd0e:b0:2ba:6458:b325 with SMTP id 5a478bee46e88-2be3108f17fmr1164311eec.23.1772644819815; Wed, 04 Mar 2026 09:20:19 -0800 (PST) Received: from arch.guest.box.net ([8.39.49.133]) by smtp.gmail.com with ESMTPSA id 5a478bee46e88-2be2800c89asm2904789eec.31.2026.03.04.09.20.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 Mar 2026 09:20:19 -0800 (PST) From: Milos Nikic To: jack@suse.cz Cc: tytso@mit.edu, linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org, Milos Nikic Subject: [PATCH v5 0/2] jbd2: audit and convert legacy J_ASSERT usage Date: Wed, 4 Mar 2026 09:20:14 -0800 Message-ID: <20260304172016.23525-1-nikic.milos@gmail.com> X-Mailer: git-send-email 2.53.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Hello Jan and the ext4 team, This patch series follows up on the previous discussion regarding converting hard J_ASSERT panics into graceful journal aborts. In v1, we addressed a specific panic on unlock. Per Jan's suggestion, I have audited fs/jbd2/transaction.c for other low-hanging fruit where state machine invariants are enforced by J_ASSERT inside functions that natively support error returns. Changes in v5: Patch 2: Folded a redundant if check into the WARN_ON_ONCE block in jbd2_journal_dirty_metadata per Andreas's suggestion. Carried over Reviewed-by tags from Jan, Andreas and Zhang. Changes in v4: Patch 2: Fixed a build test WARNING by initializing a variable `journal` earlier in jbd2_journal_dirty_metadata(). Changes in v3: Patch 2: Added pr_err() statements inside the ambiguous WARN_ON_ONCE() blocks (where multiple conditions are checked via logical OR/AND) to explicitly dump the b_transaction, b_next_transaction, and j_committing_transaction pointers. This provides necessary context for debugging state machine corruptions from the dmesg stack trace. Changes in v2: Patch 1: Unmodified from v1. Collected Reviewed-by tags. Patch 2: New patch resulting from the broader audit. Systematically replaces J_ASSERTs with WARN_ON_ONCE and graceful -EINVAL returns across 6 core transaction lifecycle functions. Careful attention was paid to ensuring spinlocks are safely dropped before triggering jbd2_journal_abort(), and no memory is leaked on the error paths. Milos Nikic (2): jbd2: gracefully abort instead of panicking on unlocked buffer jbd2: gracefully abort on transaction state corruptions fs/jbd2/transaction.c | 121 ++++++++++++++++++++++++++++++++---------- 1 file changed, 92 insertions(+), 29 deletions(-) -- 2.53.0