Message ID | tencent_879750E9E2EF32CD287A2E6C9C2C856F1C0A@qq.com (mailing list archive)
---|---
State | New
Series | ocfs2: Fix null-ptr-deref in jbd2_journal_update_sb_log_tail
Well, in my modest opinion, j_sb_buffer is an internal variable of jbd2. Directly accessing internal variables from other modules can degrade the maintainability of the code (for instance, this variable might be removed at some point in the future). I have just sent another patch to address this issue [1].

[1]: https://lore.kernel.org/ocfs2-devel/20240819131120.746077-1-sunjunchao2870@gmail.com/

Edward Adam Davis <eadavis@qq.com> wrote on Mon, 19 Aug 2024 at 21:41:
> > Journal too short will cause ocfs2_check_volume failed, and will set > journal->j_sb_buffer to NULL in journal_fail_superblock before running > journal shutdown. > > Reported-and-tested-by: syzbot+05b9b39d8bdfe1a0861f@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=05b9b39d8bdfe1a0861f > Signed-off-by: Edward Adam Davis <eadavis@qq.com> > --- > fs/ocfs2/journal.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/fs/ocfs2/journal.c b/fs/ocfs2/journal.c > index 530fba34f6d3..25821077b855 100644 > --- a/fs/ocfs2/journal.c > +++ b/fs/ocfs2/journal.c > @@ -1077,9 +1077,11 @@ void ocfs2_journal_shutdown(struct ocfs2_super *osb) > BUG_ON(atomic_read(&(osb->journal->j_num_trans)) != 0); > > if (ocfs2_mount_local(osb)) { > - jbd2_journal_lock_updates(journal->j_journal); > - status = jbd2_journal_flush(journal->j_journal, 0); > - jbd2_journal_unlock_updates(journal->j_journal); > + if (journal->j_journal->j_sb_buffer) { > + jbd2_journal_lock_updates(journal->j_journal); > + status = jbd2_journal_flush(journal->j_journal, 0); > + jbd2_journal_unlock_updates(journal->j_journal); > + } > if (status < 0) > mlog_errno(status); > } > -- > 2.43.0 > > Thanks,
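Review bot: in the quoted hunk the new `if (journal->j_journal->j_sb_buffer)` block wraps the flush but leaves `if (status < 0) mlog_errno(status);` outside it, so when the flush is skipped the error check tests a `status` that this branch no longer assigns; moving the `status` check inside the new block (or returning early from the local-mount branch when the journal was never loaded) avoids reporting a value the skipped code did not produce.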
diff --git a/fs/ocfs2/journal.c b/fs/ocfs2/journal.c index 530fba34f6d3..25821077b855 100644 --- a/fs/ocfs2/journal.c +++ b/fs/ocfs2/journal.c @@ -1077,9 +1077,11 @@ void ocfs2_journal_shutdown(struct ocfs2_super *osb) BUG_ON(atomic_read(&(osb->journal->j_num_trans)) != 0); if (ocfs2_mount_local(osb)) { - jbd2_journal_lock_updates(journal->j_journal); - status = jbd2_journal_flush(journal->j_journal, 0); - jbd2_journal_unlock_updates(journal->j_journal); + if (journal->j_journal->j_sb_buffer) { + jbd2_journal_lock_updates(journal->j_journal); + status = jbd2_journal_flush(journal->j_journal, 0); + jbd2_journal_unlock_updates(journal->j_journal); + } if (status < 0) mlog_errno(status); }
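Review bot: the guard `if (journal->j_journal->j_sb_buffer)` keys the fix on a field of jbd2's `journal_t` rather than on state that ocfs2 owns, so ocfs2_journal_shutdown() now depends on a jbd2 implementation detail that jbd2 is free to rename or drop. The commit message says the NULL comes from journal_fail_superblock after ocfs2_check_volume fails, so the condition ocfs2 actually cares about is "the journal was never successfully loaded"; recording that outcome on the ocfs2 side when ocfs2_check_volume fails and testing it here keeps the check next to the code that sets it. Note also that `status` is no longer assigned when the guard is false, yet `if (status < 0) mlog_errno(status);` still runs after the block, so the error check should either move inside the guard or be shown to see an initialised `status` on that path.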
A journal that is too short will cause ocfs2_check_volume to fail, and will set journal->j_sb_buffer to NULL in journal_fail_superblock before running journal shutdown.

Reported-and-tested-by: syzbot+05b9b39d8bdfe1a0861f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=05b9b39d8bdfe1a0861f
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/ocfs2/journal.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)