lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20200103095033.8024-1-yuchao0@huawei.com>
Date:   Fri, 3 Jan 2020 17:50:33 +0800
From:   Chao Yu <yuchao0@...wei.com>
To:     <jaegeuk@...nel.org>
CC:     <linux-f2fs-devel@...ts.sourceforge.net>,
        <linux-kernel@...r.kernel.org>, <chao@...nel.org>,
        Chao Yu <yuchao0@...wei.com>
Subject: [PATCH] f2fs: compress: fix NULL pointer dereference

 BUG: kernel NULL pointer dereference, address: 0000000000000000
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: 0000 [#1] SMP PTI
 CPU: 11 PID: 70359 Comm: kworker/u256:4 Tainted: G           OE     5.5.0-rc1 #36
 Hardware name: Xen HVM domU, BIOS 4.1.2_115-908.790. 06/05/2017
 Workqueue: writeback wb_workfn (flush-251:0)
 RIP: 0010:f2fs_write_single_data_page+0x4f/0x700 [f2fs]
 Call Trace:
  ? __next_timer_interrupt+0xc0/0xc0
  ? finish_wait+0x32/0x70
  ? congestion_wait+0xa5/0x120
  f2fs_write_multi_pages+0xc7/0x810 [f2fs]
  f2fs_write_cache_pages+0x6c0/0x790 [f2fs]
  ? select_task_rq_fair+0x584/0x800
  ? atomic_notifier_chain_unregister+0x30/0x70
  ? __set_page_dirty_nobuffers+0x101/0x150
  f2fs_write_data_pages+0x2cd/0x320 [f2fs]
  ? f2fs_update_inode+0x9c/0x4f0 [f2fs]
  ? do_writepages+0x1a/0x60
  do_writepages+0x1a/0x60
  __writeback_single_inode+0x3d/0x340
  writeback_sb_inodes+0x225/0x4a0
  wb_writeback+0xf7/0x320
  ? wb_workfn+0xa8/0x450
  ? _raw_spin_unlock_bh+0xa/0x20
  wb_workfn+0xa8/0x450
  ? finish_task_switch+0x75/0x2a0
  process_one_work+0x15e/0x3e0
  worker_thread+0x4c/0x440
  ? rescuer_thread+0x350/0x350
  kthread+0xf8/0x130
  ? kthread_unpark+0x70/0x70
  ret_from_fork+0x35/0x40

In scenario of truncate vs writeback, we need to check page's mapping
before access it during writeback.

Signed-off-by: Chao Yu <yuchao0@...wei.com>
---
 fs/f2fs/compress.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c
index fa67ffd9d79d..9e8fba78db4d 100644
--- a/fs/f2fs/compress.c
+++ b/fs/f2fs/compress.c
@@ -932,6 +932,7 @@ static int f2fs_write_raw_pages(struct compress_ctx *cc,
 					enum iostat_type io_type,
 					bool compressed)
 {
+	struct address_space *mapping = cc->inode->i_mapping;
 	int i, _submitted;
 	int ret, err = 0;
 
@@ -939,6 +940,11 @@ static int f2fs_write_raw_pages(struct compress_ctx *cc,
 		if (!cc->rpages[i])
 			continue;
 retry_write:
+		if (cc->rpages[i]->mapping != mapping) {
+			unlock_page(cc->rpages[i]);
+			continue;
+		}
+
 		BUG_ON(!PageLocked(cc->rpages[i]));
 
 		ret = f2fs_write_single_data_page(cc->rpages[i], &_submitted,
-- 
2.18.0.rc1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ