Date:   Fri, 3 Jan 2020 17:50:33 +0800
From:   Chao Yu <yuchao0@...wei.com>
To:     <jaegeuk@...nel.org>
CC:     <linux-f2fs-devel@...ts.sourceforge.net>,
        <linux-kernel@...r.kernel.org>, <chao@...nel.org>,
        Chao Yu <yuchao0@...wei.com>
Subject: [PATCH] f2fs: compress: fix NULL pointer dereference

 BUG: kernel NULL pointer dereference, address: 0000000000000000
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: 0000 [#1] SMP PTI
 CPU: 11 PID: 70359 Comm: kworker/u256:4 Tainted: G           OE     5.5.0-rc1 #36
 Hardware name: Xen HVM domU, BIOS 4.1.2_115-908.790. 06/05/2017
 Workqueue: writeback wb_workfn (flush-251:0)
 RIP: 0010:f2fs_write_single_data_page+0x4f/0x700 [f2fs]
 Call Trace:
  ? __next_timer_interrupt+0xc0/0xc0
  ? finish_wait+0x32/0x70
  ? congestion_wait+0xa5/0x120
  f2fs_write_multi_pages+0xc7/0x810 [f2fs]
  f2fs_write_cache_pages+0x6c0/0x790 [f2fs]
  ? select_task_rq_fair+0x584/0x800
  ? atomic_notifier_chain_unregister+0x30/0x70
  ? __set_page_dirty_nobuffers+0x101/0x150
  f2fs_write_data_pages+0x2cd/0x320 [f2fs]
  ? f2fs_update_inode+0x9c/0x4f0 [f2fs]
  ? do_writepages+0x1a/0x60
  do_writepages+0x1a/0x60
  __writeback_single_inode+0x3d/0x340
  writeback_sb_inodes+0x225/0x4a0
  wb_writeback+0xf7/0x320
  ? wb_workfn+0xa8/0x450
  ? _raw_spin_unlock_bh+0xa/0x20
  wb_workfn+0xa8/0x450
  ? finish_task_switch+0x75/0x2a0
  process_one_work+0x15e/0x3e0
  worker_thread+0x4c/0x440
  ? rescuer_thread+0x350/0x350
  kthread+0xf8/0x130
  ? kthread_unpark+0x70/0x70
  ret_from_fork+0x35/0x40

In the scenario of truncate vs writeback, we need to check the page's mapping
before accessing it during writeback.

Signed-off-by: Chao Yu <yuchao0@...wei.com>
---
 fs/f2fs/compress.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c
index fa67ffd9d79d..9e8fba78db4d 100644
--- a/fs/f2fs/compress.c
+++ b/fs/f2fs/compress.c
@@ -932,6 +932,7 @@ static int f2fs_write_raw_pages(struct compress_ctx *cc,
 					enum iostat_type io_type,
 					bool compressed)
 {
+	struct address_space *mapping = cc->inode->i_mapping;
 	int i, _submitted;
 	int ret, err = 0;
 
@@ -939,6 +940,11 @@ static int f2fs_write_raw_pages(struct compress_ctx *cc,
 		if (!cc->rpages[i])
 			continue;
 retry_write:
+		if (cc->rpages[i]->mapping != mapping) {
+			unlock_page(cc->rpages[i]);
+			continue;
+		}
+
 		BUG_ON(!PageLocked(cc->rpages[i]));
 
 		ret = f2fs_write_single_data_page(cc->rpages[i], &_submitted,
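
Review bot: Under retry_write, the new cc->rpages[i]->mapping comparison runs before BUG_ON(!PageLocked(cc->rpages[i])), but the comparison is only stable while the page lock is held, since truncate can clear ->mapping on an unlocked page. Consider moving the check below the BUG_ON so the locking assumption is asserted first, and add a one-line comment above it stating that the page was truncated during writeback and is being skipped. Because the check sits under the label, it is also re-evaluated on every retry; the visible lines do not show whether the page is locked again before the jump back, and the unlock_page() in the skip path depends on that. The commit message would also benefit from naming which pointer was NULL in f2fs_write_single_data_page.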
-- 
2.18.0.rc1
