ext4: handle deleting corrupted indirect blocks

While freeing indirect blocks we attach a journal head to the parent buffer
head, free the blocks, then journal the parent. If the indirect block list
is corrupted and points to the parent the journal head will be detached
when the block is cleared, causing an OOPS.

Check for that explicitly and handle it gracefully.

This patch fixes the third case (image hdb.20000057.nullderef.gz)
reported in http://bugzilla.kernel.org/show_bug.cgi?id=10882.

Signed-off-by: Duane Griffin <duaneg@dghda.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

1 files changed, 15 insertions, 1 deletions

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 269763b66361..7cce96a6935e 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -2179,7 +2179,21 @@ static void ext4_free_data(handle_t *handle, struct inode *inode,
 
         if (this_bh) {
                 BUFFER_TRACE(this_bh, "call ext4_journal_dirty_metadata");
-                ext4_journal_dirty_metadata(handle, this_bh);
+
+                /*
+                 * The buffer head should have an attached journal head at this
+                 * point. However, if the data is corrupted and an indirect
+                 * block pointed to itself, it would have been detached when
+                 * the block was cleared. Check for this instead of OOPSing.
+                 */
+                if (bh2jh(this_bh))
+                        ext4_journal_dirty_metadata(handle, this_bh);
+                else
+                        ext4_error(inode->i_sb, __func__,
+                                   "circular indirect block detected, "
+                                   "inode=%lu, block=%llu",
+                                   inode->i_ino,
+                                   (unsigned long long) this_bh->b_blocknr);
         }
 }