jbd2: gate checksum calculations on crc driver presence, not sb flags

Message ID 20150930174708.GJ10391@birch.djwong.org
State New

Commit Message

Darrick J. Wong Sept. 30, 2015, 5:47 p.m. UTC
Change the journal's checksum functions to gate on whether or not the
crc32c driver is loaded, and gate the loading on the superblock bits.
This prevents a journal crash if someone loads a journal in no-csum
mode and then randomizes the superblock, thus flipping on the feature
bits.

Reported-by: Nikolay Borisov <kernel@kyup.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
---
 fs/jbd2/journal.c    |   12 +++++++++---
 include/linux/jbd2.h |   10 ++++++----
 2 files changed, 15 insertions(+), 7 deletions(-)


Comments

Andreas Dilger Oct. 1, 2015, 6:35 a.m. UTC | #1
On Sep 30, 2015, at 11:47 AM, Darrick J. Wong <darrick.wong@oracle.com> wrote:
> 
> Change the journal's checksum functions to gate on whether or not the
> crc32c driver is loaded, and gate the loading on the superblock bits.
> This prevents a journal crash if someone loads a journal in no-csum
> mode and then randomizes the superblock, thus flipping on the feature
> bits.
> 
> Reported-by: Nikolay Borisov <kernel@kyup.com>
> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
> ---
> fs/jbd2/journal.c    |   12 +++++++++---
> include/linux/jbd2.h |   10 ++++++----
> 2 files changed, 15 insertions(+), 7 deletions(-)
> 
> diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
> index 8270fe9..16e3a46 100644
> --- a/fs/jbd2/journal.c
> +++ b/fs/jbd2/journal.c
> @@ -122,9 +122,15 @@ EXPORT_SYMBOL(__jbd2_debug);
> #endif
> 
> /* Checksumming functions */
> +static bool journal_has_csum_v2or3_feature(journal_t *j)
> +{
> +	return JBD2_HAS_INCOMPAT_FEATURE(j, JBD2_FEATURE_INCOMPAT_CSUM_V2) ||
> +	       JBD2_HAS_INCOMPAT_FEATURE(j, JBD2_FEATURE_INCOMPAT_CSUM_V3);
> +}
> +
> static int jbd2_verify_csum_type(journal_t *j, journal_superblock_t *sb)
> {
> -	if (!jbd2_journal_has_csum_v2or3(j))
> +	if (!journal_has_csum_v2or3_feature(j))
> 		return 1;
> 
> 	return sb->s_checksum_type == JBD2_CRC32C_CHKSUM;
> @@ -1531,7 +1537,7 @@ static int journal_get_superblock(journal_t *journal)
> 		goto out;
> 	}
> 
> -	if (jbd2_journal_has_csum_v2or3(journal) &&
> +	if (journal_has_csum_v2or3_feature(journal) &&
> 	    JBD2_HAS_COMPAT_FEATURE(journal, JBD2_FEATURE_COMPAT_CHECKSUM)) {
> 		/* Can't have checksum v1 and v2 on at the same time! */
> 		printk(KERN_ERR "JBD2: Can't enable checksumming v1 and v2/3 "
> @@ -1545,7 +1551,7 @@ static int journal_get_superblock(journal_t *journal)
> 	}
> 
> 	/* Load the checksum driver */
> -	if (jbd2_journal_has_csum_v2or3(journal)) {
> +	if (journal_has_csum_v2or3_feature(journal)) {
> 		journal->j_chksum_driver = crypto_alloc_shash("crc32c", 0, 0);
> 		if (IS_ERR(journal->j_chksum_driver)) {
> 			printk(KERN_ERR "JBD2: Cannot load crc32c driver.\n");
> diff --git a/include/linux/jbd2.h b/include/linux/jbd2.h
> index df07e78..c74c786 100644
> --- a/include/linux/jbd2.h
> +++ b/include/linux/jbd2.h
> @@ -1340,11 +1340,13 @@ extern size_t journal_tag_bytes(journal_t *journal);
> 
> static inline int jbd2_journal_has_csum_v2or3(journal_t *journal)
> {
> -	if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_CSUM_V2) ||
> -	    JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_CSUM_V3))
> -		return 1;
> +	WARN_ON_ONCE((JBD2_HAS_INCOMPAT_FEATURE(journal,
> +				JBD2_FEATURE_INCOMPAT_CSUM_V2) ||
> +		 JBD2_HAS_INCOMPAT_FEATURE(journal,
> +				JBD2_FEATURE_INCOMPAT_CSUM_V3)) &&
> +		     journal->j_chksum_driver == NULL);
> 
> -	return 0;
> +	return journal->j_chksum_driver != NULL;
> }

Why not use:

	WARN_ON_ONCE(journal_has_csum_v2orv3_feature() &&
		     journal->j_chksum_driver == NULL);

rather than open-coding it?  Yes, you would have to move that function
to the header and give it a better name.

As a side note, I've long thought about changing the macros to be shorter:

#define JBD2_HAS_INCOMPAT_FEATURE(j, name)				\
	((j)->j_format_version >= 2 &&					\
	 ((j)->j_superblock->s_feature_incompat &			\
	  cpu_to_be32((JBD2_HAS_INCOMPAT_FEATURE_ ## name))))

so they can be used like:

static bool jbd2_journal_has_csum_v2or3_feature(journal_t *journal)
{
	return JBD2_HAS_INCOMPAT_FEATURE(journal, CSUM_V2) ||
	       JBD2_HAS_INCOMPAT_FEATURE(journal, CSUM_V3);
}

This not only makes the code much shorter and more readable, it also
avoids potentially hard-to-spot bugs like the following:

	JBD2_HAS_INCOMPAT_FEATURE(j, JBD2_FEATURE_COMPAT_CHECKSUM)

The same would be useful for the equivalent ext4 macros as well.

Cheers, Andreas





kernel@kyup.com Oct. 1, 2015, 3:16 p.m. UTC | #2
On 09/30/2015 08:47 PM, Darrick J. Wong wrote:
> Change the journal's checksum functions to gate on whether or not the
> crc32c driver is loaded, and gate the loading on the superblock bits.
> This prevents a journal crash if someone loads a journal in no-csum
> mode and then randomizes the superblock, thus flipping on the feature
> bits.
> 
> Reported-by: Nikolay Borisov <kernel@kyup.com>
> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
> ---
>  fs/jbd2/journal.c    |   12 +++++++++---
>  include/linux/jbd2.h |   10 ++++++----
>  2 files changed, 15 insertions(+), 7 deletions(-)
> 
> diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
> index 8270fe9..16e3a46 100644
> --- a/fs/jbd2/journal.c
> +++ b/fs/jbd2/journal.c
> @@ -122,9 +122,15 @@ EXPORT_SYMBOL(__jbd2_debug);
>  #endif
>  
>  /* Checksumming functions */
> +static bool journal_has_csum_v2or3_feature(journal_t *j)
> +{
> +	return JBD2_HAS_INCOMPAT_FEATURE(j, JBD2_FEATURE_INCOMPAT_CSUM_V2) ||
> +	       JBD2_HAS_INCOMPAT_FEATURE(j, JBD2_FEATURE_INCOMPAT_CSUM_V3);
> +}
> +
>  static int jbd2_verify_csum_type(journal_t *j, journal_superblock_t *sb)
>  {
> -	if (!jbd2_journal_has_csum_v2or3(j))
> +	if (!journal_has_csum_v2or3_feature(j))
>  		return 1;
>  
>  	return sb->s_checksum_type == JBD2_CRC32C_CHKSUM;
> @@ -1531,7 +1537,7 @@ static int journal_get_superblock(journal_t *journal)
>  		goto out;
>  	}
>  
> -	if (jbd2_journal_has_csum_v2or3(journal) &&
> +	if (journal_has_csum_v2or3_feature(journal) &&
>  	    JBD2_HAS_COMPAT_FEATURE(journal, JBD2_FEATURE_COMPAT_CHECKSUM)) {
>  		/* Can't have checksum v1 and v2 on at the same time! */
>  		printk(KERN_ERR "JBD2: Can't enable checksumming v1 and v2/3 "
> @@ -1545,7 +1551,7 @@ static int journal_get_superblock(journal_t *journal)
>  	}
>  
>  	/* Load the checksum driver */
> -	if (jbd2_journal_has_csum_v2or3(journal)) {
> +	if (journal_has_csum_v2or3_feature(journal)) {
>  		journal->j_chksum_driver = crypto_alloc_shash("crc32c", 0, 0);
>  		if (IS_ERR(journal->j_chksum_driver)) {
>  			printk(KERN_ERR "JBD2: Cannot load crc32c driver.\n");
> diff --git a/include/linux/jbd2.h b/include/linux/jbd2.h
> index df07e78..c74c786 100644
> --- a/include/linux/jbd2.h
> +++ b/include/linux/jbd2.h
> @@ -1340,11 +1340,13 @@ extern size_t journal_tag_bytes(journal_t *journal);
>  
>  static inline int jbd2_journal_has_csum_v2or3(journal_t *journal)
>  {
> -	if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_CSUM_V2) ||
> -	    JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_CSUM_V3))
> -		return 1;
> +	WARN_ON_ONCE((JBD2_HAS_INCOMPAT_FEATURE(journal,
> +				JBD2_FEATURE_INCOMPAT_CSUM_V2) ||
> +		 JBD2_HAS_INCOMPAT_FEATURE(journal,
> +				JBD2_FEATURE_INCOMPAT_CSUM_V3)) &&
> +		     journal->j_chksum_driver == NULL);
>  
> -	return 0;
> +	return journal->j_chksum_driver != NULL;
>  }
>  
>  /*

Tested-By: Nikolay Borisov <kernel@kyup.com>
Darrick J. Wong Oct. 1, 2015, 6:18 p.m. UTC | #3
On Thu, Oct 01, 2015 at 12:35:12AM -0600, Andreas Dilger wrote:
> On Sep 30, 2015, at 11:47 AM, Darrick J. Wong <darrick.wong@oracle.com> wrote:
> > 
> > Change the journal's checksum functions to gate on whether or not the
> > crc32c driver is loaded, and gate the loading on the superblock bits.
> > This prevents a journal crash if someone loads a journal in no-csum
> > mode and then randomizes the superblock, thus flipping on the feature
> > bits.
> > 
> > Reported-by: Nikolay Borisov <kernel@kyup.com>
> > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
> > ---
> > fs/jbd2/journal.c    |   12 +++++++++---
> > include/linux/jbd2.h |   10 ++++++----
> > 2 files changed, 15 insertions(+), 7 deletions(-)
> > 
> > diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
> > index 8270fe9..16e3a46 100644
> > --- a/fs/jbd2/journal.c
> > +++ b/fs/jbd2/journal.c
> > @@ -122,9 +122,15 @@ EXPORT_SYMBOL(__jbd2_debug);
> > #endif
> > 
> > /* Checksumming functions */
> > +static bool journal_has_csum_v2or3_feature(journal_t *j)
> > +{
> > +	return JBD2_HAS_INCOMPAT_FEATURE(j, JBD2_FEATURE_INCOMPAT_CSUM_V2) ||
> > +	       JBD2_HAS_INCOMPAT_FEATURE(j, JBD2_FEATURE_INCOMPAT_CSUM_V3);
> > +}
> > +
> > static int jbd2_verify_csum_type(journal_t *j, journal_superblock_t *sb)
> > {
> > -	if (!jbd2_journal_has_csum_v2or3(j))
> > +	if (!journal_has_csum_v2or3_feature(j))
> > 		return 1;
> > 
> > 	return sb->s_checksum_type == JBD2_CRC32C_CHKSUM;
> > @@ -1531,7 +1537,7 @@ static int journal_get_superblock(journal_t *journal)
> > 		goto out;
> > 	}
> > 
> > -	if (jbd2_journal_has_csum_v2or3(journal) &&
> > +	if (journal_has_csum_v2or3_feature(journal) &&
> > 	    JBD2_HAS_COMPAT_FEATURE(journal, JBD2_FEATURE_COMPAT_CHECKSUM)) {
> > 		/* Can't have checksum v1 and v2 on at the same time! */
> > 		printk(KERN_ERR "JBD2: Can't enable checksumming v1 and v2/3 "
> > @@ -1545,7 +1551,7 @@ static int journal_get_superblock(journal_t *journal)
> > 	}
> > 
> > 	/* Load the checksum driver */
> > -	if (jbd2_journal_has_csum_v2or3(journal)) {
> > +	if (journal_has_csum_v2or3_feature(journal)) {
> > 		journal->j_chksum_driver = crypto_alloc_shash("crc32c", 0, 0);
> > 		if (IS_ERR(journal->j_chksum_driver)) {
> > 			printk(KERN_ERR "JBD2: Cannot load crc32c driver.\n");
> > diff --git a/include/linux/jbd2.h b/include/linux/jbd2.h
> > index df07e78..c74c786 100644
> > --- a/include/linux/jbd2.h
> > +++ b/include/linux/jbd2.h
> > @@ -1340,11 +1340,13 @@ extern size_t journal_tag_bytes(journal_t *journal);
> > 
> > static inline int jbd2_journal_has_csum_v2or3(journal_t *journal)
> > {
> > -	if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_CSUM_V2) ||
> > -	    JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_CSUM_V3))
> > -		return 1;
> > +	WARN_ON_ONCE((JBD2_HAS_INCOMPAT_FEATURE(journal,
> > +				JBD2_FEATURE_INCOMPAT_CSUM_V2) ||
> > +		 JBD2_HAS_INCOMPAT_FEATURE(journal,
> > +				JBD2_FEATURE_INCOMPAT_CSUM_V3)) &&
> > +		     journal->j_chksum_driver == NULL);
> > 
> > -	return 0;
> > +	return journal->j_chksum_driver != NULL;
> > }
> 
> Why not use:
> 
> 	WARN_ON_ONCE(journal_has_csum_v2orv3_feature() &&
> 		     journal->j_chksum_driver == NULL);
> 
> rather than open-coding it?  Yes, you would have to move that function
> to the header and give it a better name.

Sounds like a good idea, thanks.

> 
> As a side note, I've long thought about changing the macros to be shorter:
> 
> #define JBD2_HAS_INCOMPAT_FEATURE(j, name)				\
> 	((j)->j_format_version >= 2 &&					\
> 	 ((j)->j_superblock->s_feature_incompat &			\
> 	  cpu_to_be32((JBD2_HAS_INCOMPAT_FEATURE_ ## name))))
> 
> so they can be used like:
> 
> static bool jbd2_journal_has_csum_v2or3_feature(journal_t *journal)
> {
> 	return JBD2_HAS_INCOMPAT_FEATURE(journal, CSUM_V2) ||
> 	       JBD2_HAS_INCOMPAT_FEATURE(journal, CSUM_V3);
> }
> 
> This not only makes the code much shorter and more readable, it also
> avoids potentially hard-to-spot bugs like the following:
> 
> 	JBD2_HAS_INCOMPAT_FEATURE(j, JBD2_FEATURE_COMPAT_CHECKSUM)
> 
> The same would be useful for the equivalent ext4 macros as well.

Yes it will... as a separate patch.  Shorter lines and fewer opportunities
to screw things up. :)

--D

> 
> Cheers, Andreas
> 
> 
> 
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
index 8270fe9..16e3a46 100644
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -122,9 +122,15 @@  EXPORT_SYMBOL(__jbd2_debug);
 #endif
 
 /* Checksumming functions */
+static bool journal_has_csum_v2or3_feature(journal_t *j)
+{
+	return JBD2_HAS_INCOMPAT_FEATURE(j, JBD2_FEATURE_INCOMPAT_CSUM_V2) ||
+	       JBD2_HAS_INCOMPAT_FEATURE(j, JBD2_FEATURE_INCOMPAT_CSUM_V3);
+}
+
 static int jbd2_verify_csum_type(journal_t *j, journal_superblock_t *sb)
 {
-	if (!jbd2_journal_has_csum_v2or3(j))
+	if (!journal_has_csum_v2or3_feature(j))
 		return 1;
 
 	return sb->s_checksum_type == JBD2_CRC32C_CHKSUM;
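Review bot: The new journal_has_csum_v2or3_feature() carries no comment distinguishing it from the header's jbd2_journal_has_csum_v2or3(), and after this patch the two answer different questions: this one reads the on-disk incompat bits, the other reports whether a crc32c driver was attached. A one-line comment above the definition would stop a future caller from picking the wrong one in a checksum path: `/* On-disk feature bits only; once mounted, use jbd2_journal_has_csum_v2or3(), which tracks the loaded driver rather than the (tamperable) superblock. */`. jbd2_verify_csum_type()'s closing brace lies outside the hunk.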
@@ -1531,7 +1537,7 @@  static int journal_get_superblock(journal_t *journal)
 		goto out;
 	}
 
-	if (jbd2_journal_has_csum_v2or3(journal) &&
+	if (journal_has_csum_v2or3_feature(journal) &&
 	    JBD2_HAS_COMPAT_FEATURE(journal, JBD2_FEATURE_COMPAT_CHECKSUM)) {
 		/* Can't have checksum v1 and v2 on at the same time! */
 		printk(KERN_ERR "JBD2: Can't enable checksumming v1 and v2/3 "
@@ -1545,7 +1551,7 @@  static int journal_get_superblock(journal_t *journal)
 	}
 
 	/* Load the checksum driver */
-	if (jbd2_journal_has_csum_v2or3(journal)) {
+	if (journal_has_csum_v2or3_feature(journal)) {
 		journal->j_chksum_driver = crypto_alloc_shash("crc32c", 0, 0);
 		if (IS_ERR(journal->j_chksum_driver)) {
 			printk(KERN_ERR "JBD2: Cannot load crc32c driver.\n");
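Review bot: With jbd2_journal_has_csum_v2or3() now returning `j_chksum_driver != NULL`, the crypto_alloc_shash() failure branch matters more than it did: if it leaves the ERR_PTR value in journal->j_chksum_driver (the remainder of that branch is outside the hunk, so I cannot see it), every checksum helper would treat the journal as checksummed and hand a bogus handle to the crc32c code. Worth confirming the error path does `journal->j_chksum_driver = NULL;` before bailing out, or allocating into a local and storing it only on success. journal_get_superblock() starts and ends outside this hunk.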
diff --git a/include/linux/jbd2.h b/include/linux/jbd2.h
index df07e78..c74c786 100644
--- a/include/linux/jbd2.h
+++ b/include/linux/jbd2.h
@@ -1340,11 +1340,13 @@  extern size_t journal_tag_bytes(journal_t *journal);
 
 static inline int jbd2_journal_has_csum_v2or3(journal_t *journal)
 {
-	if (JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_CSUM_V2) ||
-	    JBD2_HAS_INCOMPAT_FEATURE(journal, JBD2_FEATURE_INCOMPAT_CSUM_V3))
-		return 1;
+	WARN_ON_ONCE((JBD2_HAS_INCOMPAT_FEATURE(journal,
+				JBD2_FEATURE_INCOMPAT_CSUM_V2) ||
+		 JBD2_HAS_INCOMPAT_FEATURE(journal,
+				JBD2_FEATURE_INCOMPAT_CSUM_V3)) &&
+		     journal->j_chksum_driver == NULL);
 
-	return 0;
+	return journal->j_chksum_driver != NULL;
 }
 
 /*
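Review bot: jbd2_journal_has_csum_v2or3() now reports mount-time state instead of the current superblock bits, which is the whole point of the fix, but nothing at the definition says so, and a later reader may "simplify" it back to the feature test. I would document the contract above the function: that it returns whether a crc32c driver was attached when the superblock was read, that incompat bits flipped on disk after that cannot switch the journal into checksumming, and that the WARN_ON_ONCE is the diagnostic for exactly that on-disk/in-memory mismatch. Separately, the return type stays `int` while the value is now a pointer comparison; `bool` would match the new helper in journal.c, though that is cosmetic.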