diff options
author | Darrick J. Wong <darrick.wong@oracle.com> | 2013-08-28 15:35:27 -0400 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2013-08-28 15:35:27 -0400 |
commit | 48d9eb97dc74d2446bcc3630c8e51d2afc9b951d (patch) | |
tree | b955b6602c334ccac8a30b23f06a2a87631eacd0 | |
parent | 18a6ea1e5cc88ba36e66c193196da802b06d5cb0 (diff) |
ext4: error out if verifying the block bitmap fails
The block bitmap verification code assumes that calling ext4_error()
either panics the system or makes the fs readonly. However, this is
not always true: when 'errors=continue' is specified, an error is
printed but we don't return any indication of error to the caller,
which is (probably) the block allocator, which pretends that the crud
we read in off the disk is a usable bitmap. Yuck.
A block bitmap that fails the check should at least return no bitmap
to the caller. The block allocator should be told to go look in a
different group, but that's a separate issue.
The easiest way to reproduce this is to modify bg_block_bitmap (on a
^flex_bg fs) to point to a block outside the block group; or you can
create a metadata_csum filesystem and zero out the block bitmaps.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
-rw-r--r-- | fs/ext4/balloc.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c index ddd715e42a5c..b430afe77f0c 100644 --- a/fs/ext4/balloc.c +++ b/fs/ext4/balloc.c @@ -445,7 +445,10 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group) return bh; verify: ext4_validate_block_bitmap(sb, desc, block_group, bh); - return bh; + if (buffer_verified(bh)) + return bh; + put_bh(bh); + return NULL; } /* Returns 0 on success, 1 on error */ @@ -469,7 +472,8 @@ int ext4_wait_block_bitmap(struct super_block *sb, ext4_group_t block_group, clear_buffer_new(bh); /* Panic or remount fs read-only if block bitmap is invalid */ ext4_validate_block_bitmap(sb, desc, block_group, bh); - return 0; + /* ...but check for error just in case errors=continue. */ + return !buffer_verified(bh); } struct buffer_head * |