Message-ID: <20250509145224.471782-1-richard120310@gmail.com>
Date: Fri, 9 May 2025 22:52:24 +0800
From: I Hsin Cheng <richard120310@...il.com>
To: syzbot+b75d75f957975f3d40e3@...kaller.appspotmail.com
Cc: tytso@....edu, adilger.kernel@...ger.ca, linux-ext4@...r.kernel.org,
	linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
	skhan@...uxfoundation.org, linux-kernel-mentees@...ts.linux.dev,
	jserv@...s.ncku.edu.tw, I Hsin Cheng <richard120310@...il.com>
Subject: [RFC PATCH] ext4: Prevent to write when SB_FREEZE_COMPLETE

When superblock is still in state of SB_FREEZE_COMPLETE, prevent to emit
actual write operation. Wait until it's unfrozen.

Reported-by: syzbot+b75d75f957975f3d40e3@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b75d75f957975f3d40e3
Fixes: 0a1b2f5ea987 ("ext4: add ext4_emergency_state() helper function")
Signed-off-by: I Hsin Cheng <richard120310@...il.com>
---
syzbot reported the following issue. [1]

Write pages got emitted with fs superblock state still
SB_FREEZE_COMPLETE. Take an early prevention to stop actually emitting
any write operation and return an EIO.

The patch fixes the issue and was tested against syzbot; however, there
might be a deeper cause of this issue. Maybe ext4_writepages() shouldn't
even be called when the state of the superblock is SB_FREEZE_COMPLETE?
If that's the case, maybe there's memory corruption or something else.
I'll be happy to help look into it. Just let me know what is expected,
and maybe more tests should be done?

[1]:
WARNING: CPU: 1 PID: 2903 at fs/ext4/ext4_jbd2.c:76 ext4_journal_check_start+0x1f8/0x250 fs/ext4/ext4_jbd2.c:76
Modules linked in:
CPU: 1 UID: 0 PID: 2903 Comm: kworker/u8:6 Not tainted 6.12.0-rc3-syzkaller-00087-gc964ced77262 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: writeback wb_workfn (flush-7:2)
RIP: 0010:ext4_journal_check_start+0x1f8/0x250 fs/ext4/ext4_jbd2.c:76
Code: 5c 41 5d 41 5e 41 5f e9 c1 ca 97 09 e8 01 71 3c ff 41 bf fb ff ff ff eb e2 e8 f4 70 3c ff 90 0f 0b 90 eb d1 e8 e9 70 3c ff 90 <0f> 0b 90 43 80 7c 25 00 00 0f 85 03 ff ff ff e9 06 ff ff ff 89 d9
RSP: 0018:ffffc90009d46c40 EFLAGS: 00010293
RAX: ffffffff82587667 RBX: 0000000000000004 RCX: ffff88802f5a5a00
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000004
RBP: 0000000000000001 R08: ffffffff82587564 R09: 1ffff1100f968870
R10: dffffc0000000000 R11: ffffed100f968871 R12: dffffc0000000000
R13: 1ffff1100f9684c7 R14: ffff88807cb42000 R15: ffff88807cb42638
FS:  0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f60253c26c0 CR3: 000000007ba9e000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 __ext4_journal_start_sb+0x181/0x600 fs/ext4/ext4_jbd2.c:105
 __ext4_journal_start fs/ext4/ext4_jbd2.h:326 [inline]
ext4_do_writepages+0x112c/0x3d20 fs/ext4/inode.c:2707 ext4_writepages+0x213/0x3c0 fs/ext4/inode.c:2813 do_writepages+0x35f/0x870 mm/page-writeback.c:2683 __writeback_single_inode+0x14f/0x10d0 fs/fs-writeback.c:1658 writeback_sb_inodes+0x80c/0x1370 fs/fs-writeback.c:1954 wb_writeback+0x41b/0xbd0 fs/fs-writeback.c:2134 wb_do_writeback fs/fs-writeback.c:2281 [inline] wb_workfn+0x410/0x1090 fs/fs-writeback.c:2321 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Best regards, I Hsin Cheng. --- fs/ext4/ext4.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h index 5a20e9cd7184..4ccb417f55b4 100644 --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h @@ -2257,7 +2257,7 @@ static inline int ext4_emergency_ro(struct super_block *sb) static inline int ext4_emergency_state(struct super_block *sb) { - if (unlikely(ext4_forced_shutdown(sb))) + if (unlikely(ext4_forced_shutdown(sb)) || sb->s_writers.frozen == SB_FREEZE_COMPLETE) return -EIO; if (unlikely(ext4_emergency_ro(sb))) return -EROFS; -- 2.43.0
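
Review bot: In ext4_emergency_state(), the added `sb->s_writers.frozen == SB_FREEZE_COMPLETE` test returns -EIO, while the commit message says to "wait until it's unfrozen"; nothing in this hunk waits, so the changelog and the code disagree. Because the check lives in a shared static inline helper in ext4.h, every caller of ext4_emergency_state() will now report an I/O error on a filesystem that is merely frozen, not shut down. Consider either placing the freeze check in the writeback path shown in the trace (ext4_writepages() / ext4_do_writepages()) with a return value that does not signal a device error, or updating the changelog to justify -EIO for all callers. If the test stays here, note that it sits outside the `unlikely()` hint that wraps only `ext4_forced_shutdown(sb)`, and the combined condition makes the line overly long; a separate `if` would keep both readable. The cover note itself asks whether ext4_writepages() should be reachable at all in this state, so the root cause should be settled before this early return is treated as the fix.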