ext4: protect journal inode's blocks using block_validity

Message ID	20190410033859.5328-1-tytso@mit.edu
State	Accepted, archived
Headers	show Return-Path: <linux-ext4-owner@vger.kernel.org> From: "Theodore Ts'o" <tytso@mit.edu> To: Ext4 Developers List <linux-ext4@vger.kernel.org> Cc: "Theodore Ts'o" <tytso@mit.edu> Subject: [PATCH] ext4: protect journal inode's blocks using block_validity Date: Tue, 9 Apr 2019 23:38:59 -0400 Message-Id: <20190410033859.5328-1-tytso@mit.edu> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk
Series	ext4: protect journal inode's blocks using block_validity \| expand ext4: protect journal inode's blocks using block_validity

Message ID

20190410033859.5328-1-tytso@mit.edu

State

Accepted, archived

Headers

From: "Theodore Ts'o" <tytso@mit.edu>
To: Ext4 Developers List <linux-ext4@vger.kernel.org>
Cc: "Theodore Ts'o" <tytso@mit.edu>
Subject: [PATCH] ext4: protect journal inode's blocks using block_validity
Date: Tue,  9 Apr 2019 23:38:59 -0400
Message-Id: <20190410033859.5328-1-tytso@mit.edu>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-ext4-owner@vger.kernel.org
Precedence: bulk

Series

ext4: protect journal inode's blocks using block_validity | expand

Commit Message

Theodore Ts'o April 10, 2019, 3:38 a.m. UTC

Add the blocks which belong to the journal inode to block_validity's
system zone so attempts to deallocate or overwrite the journal due a
corrupted file system where the journal blocks are also claimed by
another inode.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202879
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
---
 fs/ext4/block_validity.c | 48 ++++++++++++++++++++++++++++++++++++++++
 fs/ext4/inode.c          |  4 ++++
 2 files changed, 52 insertions(+)

Comments

Jan Kara April 18, 2019, 11:26 a.m. UTC | #1

On Tue 09-04-19 23:38:59, Theodore Ts'o wrote:
> Add the blocks which belong to the journal inode to block_validity's
> system zone so attempts to deallocate or overwrite the journal due a
> corrupted file system where the journal blocks are also claimed by
> another inode.
> 
> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202879
> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
> ---
>  fs/ext4/block_validity.c | 48 ++++++++++++++++++++++++++++++++++++++++
>  fs/ext4/inode.c          |  4 ++++
>  2 files changed, 52 insertions(+)

The patch looks good to me just two suggestions:

...
> +	while (i < num) {
> +		map.m_lblk = i;
> +		map.m_len = num - i;
> +		n = ext4_map_blocks(NULL, inode, &map, 0);
> +		if (n < 0) {
> +			err = n;
> +			break;
> +		}
> +		if (n == 0) {
> +			i++;

map.m_len actually contains the hole length so you can do
			i += map.m_len;
to skip the whole hole at once.

> @@ -171,6 +213,12 @@ int ext4_setup_system_zone(struct super_block *sb)
>  		if (ret)
>  			return ret;
>  	}
> +	if (ext4_has_feature_journal(sb) && sbi->s_es->s_journal_inum) {
> +		ret = ext4_protect_reserved_inode(sb,
> +				le32_to_cpu(sbi->s_es->s_journal_inum));
> +		if (ret)
> +			return ret;
> +	}
>  

I guess we could protect resize inode the same way?

								Honza

diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c
index 913061c0de1b..9409b1e11a22 100644
--- a/fs/ext4/block_validity.c
+++ b/fs/ext4/block_validity.c
@@ -137,6 +137,48 @@  static void debug_print_tree(struct ext4_sb_info *sbi)
 	printk(KERN_CONT "\n");
 }
 
+static int ext4_protect_reserved_inode(struct super_block *sb, u32 ino)
+{
+	struct inode *inode;
+	struct ext4_sb_info *sbi = EXT4_SB(sb);
+	struct ext4_map_blocks map;
+	u32 i = 0, err = 0, num, n;
+
+	if ((ino < EXT4_ROOT_INO) ||
+	    (ino > le32_to_cpu(sbi->s_es->s_inodes_count)))
+		return -EINVAL;
+	inode = ext4_iget(sb, ino, EXT4_IGET_SPECIAL);
+	if (IS_ERR(inode))
+		return PTR_ERR(inode);
+	num = (inode->i_size + sb->s_blocksize - 1) >> sb->s_blocksize_bits;
+	while (i < num) {
+		map.m_lblk = i;
+		map.m_len = num - i;
+		n = ext4_map_blocks(NULL, inode, &map, 0);
+		if (n < 0) {
+			err = n;
+			break;
+		}
+		if (n == 0) {
+			i++;
+		} else {
+			if (!ext4_data_block_valid(sbi, map.m_pblk, n)) {
+				ext4_error(sb, "blocks %llu-%llu from inode %u "
+					   "overlap system zone", map.m_pblk,
+					   map.m_pblk + map.m_len - 1, ino);
+				err = -EFSCORRUPTED;
+				break;
+			}
+			err = add_system_zone(sbi, map.m_pblk, n);
+			if (err < 0)
+				break;
+			i += n;
+		}
+	}
+	iput(inode);
+	return err;
+}
+
 int ext4_setup_system_zone(struct super_block *sb)
 {
 	ext4_group_t ngroups = ext4_get_groups_count(sb);
@@ -171,6 +213,12 @@  int ext4_setup_system_zone(struct super_block *sb)
 		if (ret)
 			return ret;
 	}
+	if (ext4_has_feature_journal(sb) && sbi->s_es->s_journal_inum) {
+		ret = ext4_protect_reserved_inode(sb,
+				le32_to_cpu(sbi->s_es->s_journal_inum));
+		if (ret)
+			return ret;
+	}
 
 	if (test_opt(sb, DEBUG))
 		debug_print_tree(sbi);
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 190f0478582a..609c8366d029 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -399,6 +399,10 @@  static int __check_block_validity(struct inode *inode, const char *func,
 				unsigned int line,
 				struct ext4_map_blocks *map)
 {
+	if (ext4_has_feature_journal(inode->i_sb) &&
+	    (inode->i_ino ==
+	     le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum)))
+		return 0;
 	if (!ext4_data_block_valid(EXT4_SB(inode->i_sb), map->m_pblk,
 				   map->m_len)) {
 		ext4_error_inode(inode, func, line, map->m_pblk,

ext4: protect journal inode's blocks using block_validity

Commit Message

Comments

Patch