fs/jbd2/transaction.c | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-)
From: Baolin Liu <liubaolin@kylinos.cn>
When a transaction enters T_FLUSH or later states,
handle->h_transaction may still point to it.
If jbd2_journal_stop() or jbd2__journal_restart() is called,
stop_this_handle() checks t_updates > 0, but t_updates is
already 0 for these states, causing a kernel BUG.
Fix by checking transaction->t_state in jbd2_journal_stop()
and jbd2__journal_restart() before calling stop_this_handle().
If the transaction is not in T_RUNNING or T_LOCKED state,
clear handle->h_transaction and skip stop_this_handle().
Crash stack:
Call trace:
stop_this_handle+0x148/0x158
jbd2_journal_stop+0x198/0x388
__ext4_journal_stop+0x70/0xf0
ext4_create+0x12c/0x188
lookup_open+0x214/0x6d8
do_last+0x364/0x878
path_openat+0x6c/0x280
do_filp_open+0x70/0xe8
do_sys_open+0x178/0x200
sys_openat+0x3c/0x50
el0_svc_naked+0x44/0x48
Signed-off-by: Baolin Liu <liubaolin@kylinos.cn>
---
fs/jbd2/transaction.c | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
index dca4b5d8aaaa..3779382dbb80 100644
--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -772,14 +772,25 @@ int jbd2__journal_restart(handle_t *handle, int nblocks, int revoke_records,
journal = transaction->t_journal;
tid = transaction->t_tid;
+ jbd2_debug(2, "restarting handle %p\n", handle);
+
+ /* Check if transaction is in invalid state */
+ if (transaction->t_state != T_RUNNING &&
+ transaction->t_state != T_LOCKED) {
+ if (current->journal_info == handle)
+ current->journal_info = NULL;
+ handle->h_transaction = NULL;
+ memalloc_nofs_restore(handle->saved_alloc_context);
+ goto skip_stop;
+ }
+
/*
* First unlink the handle from its current transaction, and start the
* commit on that.
*/
- jbd2_debug(2, "restarting handle %p\n", handle);
stop_this_handle(handle);
handle->h_transaction = NULL;
-
+skip_stop:
/*
* TODO: If we use READ_ONCE / WRITE_ONCE for j_commit_request we can
* get rid of pointless j_state_lock traffic like this.
@@ -1856,6 +1867,16 @@ int jbd2_journal_stop(handle_t *handle)
memalloc_nofs_restore(handle->saved_alloc_context);
goto free_and_exit;
}
+ /* Check if transaction is in invalid state */
+ if (transaction->t_state != T_RUNNING &&
+ transaction->t_state != T_LOCKED) {
+ if (current->journal_info == handle)
+ current->journal_info = NULL;
+ handle->h_transaction = NULL;
+ memalloc_nofs_restore(handle->saved_alloc_context);
+ goto free_and_exit;
+ }
+
journal = transaction->t_journal;
tid = transaction->t_tid;
--
2.39.2© 2016 - 2026 Red Hat, Inc.