Message-ID: <81d572c2-8c30-481e-86ca-9b99eeba2025@huaweicloud.com>
Date: Thu, 30 Oct 2025 10:13:31 +0800
From: Zhang Yi <yi.zhang@...weicloud.com>
To: "Darrick J. Wong" <djwong@...nel.org>, Ye Bin <yebin@...weicloud.com>
Cc: tytso@....edu, adilger.kernel@...ger.ca, linux-ext4@...r.kernel.org,
jack@...e.cz
Subject: Re: [PATCH] jbd2: fix the inconsistency between checksum and data in
memory for journal sb

On 10/29/2025 10:55 PM, Darrick J. Wong wrote:
> On Tue, Oct 28, 2025 at 02:47:28PM +0800, Ye Bin wrote:
>> From: Ye Bin <yebin10@...wei.com>
>>
>> Copying the file system while it is mounted as read-only results in
>> a mount failure:
>> [~]# mkfs.ext4 -F /dev/sdc
>> [~]# mount /dev/sdc -o ro /mnt/test
>> [~]# dd if=/dev/sdc of=/dev/sda bs=1M
>> [~]# mount /dev/sda /mnt/test1
>> [ 1094.849826] JBD2: journal checksum error
>> [ 1094.850927] EXT4-fs (sda): Could not load journal inode
>> mount: mount /dev/sda on /mnt/test1 failed: Bad message
>
> I was about to say "Well don't do that, freeze the fs first..."
>
Yeah, this step is indeed necessary! However, it does not work for
the current case because there is a check for read-only mode in
freeze_super(), which assumes that no modifications to the file
system will occur in read-only mode, thus skipping the freezing of
the file system.

Thanks,
Yi.

>> Above issue may happen as follows:
>> ext4_fill_super
>>  set_journal_csum_feature_set(sb)
>>   if (ext4_has_metadata_csum(sb))
>>    incompat = JBD2_FEATURE_INCOMPAT_CSUM_V3;
>>   if (test_opt(sb, JOURNAL_CHECKSUM))
>>    jbd2_journal_set_features(sbi->s_journal, compat, 0, incompat);
>>     lock_buffer(journal->j_sb_buffer);
>>     sb->s_feature_incompat |= cpu_to_be32(incompat);
>>     //The data in the journal sb was modified, but the checksum was not
>>       updated, so the data remaining in memory has a mismatch between the
>>       data and the checksum.
>>     unlock_buffer(journal->j_sb_buffer);
>>
>> In this case, the journal sb copied over is in a state where the checksum
>> and data are inconsistent, so mounting fails.
>> To solve the above issue, update the checksum in memory after modifying
>> the journal sb.
>
> ...but I think the actual change is correct because (a) we shouldn't
> unlock the bh with an incorrect checksum because userspace can see that;
> and (b) if the bh ever gets marked dirty, then writeback can push the
> inconsistent buffer to disk at any time.
>
> I think it's the case that j_sb_buffer is only ever written out
> explicitly with submit_bh rather than going through the dirty -> flush
> machinery, but I guess syzbot could read and write the same value from
> userspace to dirty the buffer and flush it out while racing to shut down
> the journal, and now the ondisk journal is inconsistent.
>
> Anyway, the "set csum before unlock_buffer" paradigm is all over the
> ext4 code so
>
> Reviewed-by: "Darrick J. Wong" <djwong@...nel.org>
>
> --D
>
>> Fixes: 4fd5ea43bc11 ("jbd2: checksum journal superblock")
>> Signed-off-by: Ye Bin <yebin10@...wei.com>
>> ---
>> fs/jbd2/journal.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
>> index d480b94117cd..5b6e8c1a5e6a 100644
>> --- a/fs/jbd2/journal.c
>> +++ b/fs/jbd2/journal.c
>> @@ -2349,6 +2349,8 @@ int jbd2_journal_set_features(journal_t *journal, unsigned long compat,
>> sb->s_feature_compat |= cpu_to_be32(compat);
>> sb->s_feature_ro_compat |= cpu_to_be32(ro);
>> sb->s_feature_incompat |= cpu_to_be32(incompat);
>> + if (jbd2_journal_has_csum_v2or3(journal))
>> + sb->s_checksum = jbd2_superblock_csum(sb);
>> unlock_buffer(journal->j_sb_buffer);
>> jbd2_journal_init_transaction_limits(journal);
>>
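
Review bot: the recompute added just before unlock_buffer() in jbd2_journal_set_features() carries no comment saying why it must sit inside the locked region and after the three feature-word updates. The guard jbd2_journal_has_csum_v2or3(journal) is evaluated only after s_feature_incompat has been modified, so the ordering matters; a one-line comment such as "keep s_checksum consistent with the sb before the buffer is unlocked" would make that explicit and discourage a later reorder.
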
>> @@ -2378,9 +2380,13 @@ void jbd2_journal_clear_features(journal_t *journal, unsigned long compat,
>>
>> sb = journal->j_superblock;
>>
>> + lock_buffer(journal->j_sb_buffer);
>> sb->s_feature_compat &= ~cpu_to_be32(compat);
>> sb->s_feature_ro_compat &= ~cpu_to_be32(ro);
>> sb->s_feature_incompat &= ~cpu_to_be32(incompat);
>> + if (jbd2_journal_has_csum_v2or3(journal))
>> + sb->s_checksum = jbd2_superblock_csum(sb);
>> + unlock_buffer(journal->j_sb_buffer);
>> jbd2_journal_init_transaction_limits(journal);
>> }
>> EXPORT_SYMBOL(jbd2_journal_clear_features);
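
Review bot: in jbd2_journal_clear_features() the guard jbd2_journal_has_csum_v2or3(journal) runs after the feature bits have already been cleared, so if that helper reads the bits just cleared, a call that drops the checksum features themselves skips the recompute and leaves the old s_checksum value in the buffer; please confirm that is intended, or zero the field in that case. The lock_buffer()/unlock_buffer() pair added around the clears is also a locking change that the commit message does not mention and deserves a sentence there.
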
>> --
>> 2.34.1
>>
>>
>
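
The stale-checksum window discussed in this thread, reduced to a user-space model. This is an added example, not code from the patch or from jbd2; the superblock offsets, the flag value and the CRC32C seed handling are assumptions taken from the jbd2 on-disk format rather than from the messages above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model; offsets and flag value per jbd2 on-disk format docs. */
#define SB_SIZE      1024
#define OFF_INCOMPAT 0x28          /* s_feature_incompat (big-endian) */
#define OFF_CHECKSUM 0xFC          /* s_checksum (big-endian) */
#define CSUM_V3      0x10u         /* JBD2_FEATURE_INCOMPAT_CSUM_V3 */
static uint32_t get_be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
/* Bitwise CRC32C, caller-supplied seed, no final inversion (assumed kernel behaviour). */
static uint32_t crc32c_raw(uint32_t crc, const uint8_t *buf, size_t len) {
    while (len--) {
        crc ^= *buf++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0x82F63B78u & -(crc & 1u));
    }
    return crc;
}
/* Modelled on jbd2_superblock_csum(): checksum with s_checksum zeroed. */
static uint32_t sb_csum(const uint8_t *sb) {
    uint8_t tmp[SB_SIZE];
    memcpy(tmp, sb, SB_SIZE);
    put_be32(tmp + OFF_CHECKSUM, 0);
    return crc32c_raw(~0u, tmp, SB_SIZE);
}
/* Feature update; fixed != 0 refreshes s_checksum before the "unlock". */
static void set_incompat(uint8_t *sb, uint32_t bits, int fixed) {
    put_be32(sb + OFF_INCOMPAT, get_be32(sb + OFF_INCOMPAT) | bits);
    if (fixed && (get_be32(sb + OFF_INCOMPAT) & CSUM_V3))
        put_be32(sb + OFF_CHECKSUM, sb_csum(sb));
}
/* 1 if a raw copy taken right after the update passes checksum verification. */
static int copy_verifies(int fixed) {
    uint8_t sb[SB_SIZE] = {0}, copy[SB_SIZE];
    put_be32(sb, 0xC03B3998u);                  /* jbd2 magic */
    put_be32(sb + OFF_CHECKSUM, sb_csum(sb));   /* constructed consistent start */
    set_incompat(sb, CSUM_V3, fixed);
    memcpy(copy, sb, SB_SIZE);                  /* what dd would read */
    return get_be32(copy + OFF_CHECKSUM) == sb_csum(copy);
}
int main(void) {
    printf("unfixed copy ok=%d, fixed copy ok=%d\n", copy_verifies(0), copy_verifies(1));
    return 0;
}
```
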