]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c1fff97)
ocfs2: fix NULL h_transaction deref in ocfs2_assure_trans_credits
authorIan Bridges <icb@fastmail.org>
Thu, 11 Jun 2026 14:46:38 +0000 (09:46 -0500)
committerAndrew Morton <akpm@linux-foundation.org>
Wed, 17 Jun 2026 22:37:47 +0000 (15:37 -0700)
[BUG]
A direct write over unwritten extents can panic the kernel in
ocfs2_assure_trans_credits() when the journal aborts during DIO
completion. The crash is a general protection fault from a NULL pointer
dereference.

[CAUSE]
ocfs2_dio_end_io_write() loops over a direct write's unwritten extents,
marking each written under a single journal handle. If the journal
aborts (for example after an I/O error) while the extent tree is being
updated, the handle is left aborted with its transaction pointer
cleared. The extent merge treats that failure as not critical and
reports success, so the loop keeps using the handle.
ocfs2_assure_trans_credits() reads the handle's remaining credits
without first checking whether the handle is aborted, and that read
dereferences the cleared transaction pointer.

[FIX]
A journal abort is recorded in the handle itself, so callers are
expected to test the handle rather than rely on a returned error.
Make ocfs2_assure_trans_credits() do that, as the other ocfs2 journal
helpers already do, and return -EROFS when the handle is aborted.

Link: https://lore.kernel.org/airKTsM1fRVN-Wj7@dev
Fixes: be346c1a6eeb ("ocfs2: fix DIO failure due to insufficient transaction credits")
Signed-off-by: Ian Bridges <icb@fastmail.org>
Reported-by: syzbot+e9c15ff790cea6a0cfae@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e9c15ff790cea6a0cfae
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
fs/ocfs2/journal.c patch | blob | blame | history

diff --git a/fs/ocfs2/journal.c b/fs/ocfs2/journal.c
index fc54cc798ce352558b4a0ae1b29efd1a0bc1ef14..d8afbc1a76bb8a9ce7f475f8057c7a666ca943b3 100644 (file)
--- a/fs/ocfs2/journal.c
+++ b/fs/ocfs2/journal.c
@@ -473,8 +473,12 @@ bail:
  */
 int ocfs2_assure_trans_credits(handle_t *handle, int nblocks)
 {
-       int old_nblks = jbd2_handle_buffer_credits(handle);
+       int old_nblks;
 
+       if (is_handle_aborted(handle))
+               return -EROFS;
+
+       old_nblks = jbd2_handle_buffer_credits(handle);
        trace_ocfs2_assure_trans_credits(old_nblks);
        if (old_nblks >= nblocks)
                return 0;
A mirror of Linus' kernel repository