[f2fs-dev] f2fs: fix NULL pointer dereference in f2fs_submit_page_write()

Commit Message

Wenjie Qi Jan. 7, 2024, 1:12 p.m. UTC

From: Wenjie Qi <qwjhust@gmail.com>

BUG: kernel NULL pointer dereference, address: 0000000000000014
RIP: 0010:f2fs_submit_page_write+0x6cf/0x780 [f2fs]
Call Trace:
<TASK>
? show_regs+0x6e/0x80
? __die+0x29/0x70
? page_fault_oops+0x154/0x4a0
? prb_read_valid+0x20/0x30
? __irq_work_queue_local+0x39/0xd0
? irq_work_queue+0x36/0x70
? do_user_addr_fault+0x314/0x6c0
? exc_page_fault+0x7d/0x190
? asm_exc_page_fault+0x2b/0x30
? f2fs_submit_page_write+0x6cf/0x780 [f2fs]
? f2fs_submit_page_write+0x736/0x780 [f2fs]
do_write_page+0x50/0x170 [f2fs]
f2fs_outplace_write_data+0x61/0xb0 [f2fs]
f2fs_do_write_data_page+0x3f8/0x660 [f2fs]
f2fs_write_single_data_page+0x5bb/0x7a0 [f2fs]
f2fs_write_cache_pages+0x3da/0xbe0 [f2fs]
...

It is possible that other threads have added this fio to io->bio
and submitted the io->bio before entering f2fs_submit_page_write().
At this point io->bio = NULL.
If is_end_zone_blkaddr(sbi, fio->new_blkaddr) of this fio is true,
then an NULL pointer dereference error occurs at bio_get(io->bio).
In this case, the code to determine the zone end can simply be skipped.

Signed-off-by: Wenjie Qi <qwjhust@gmail.com>
---
 fs/f2fs/data.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Wenjie Qi Jan. 9, 2024, 7:08 a.m. UTC | #1

This patch has been merged into the new patch.

[PATCH v2] f2fs: fix max open zone constraints
https://lore.kernel.org/linux-f2fs-devel/20240109035804.642-1-qwjhust@gmail.com/


Wenjie <qwjhust@gmail.com> 于2024年1月7日周日 21:12写道：
>
> From: Wenjie Qi <qwjhust@gmail.com>
>
> BUG: kernel NULL pointer dereference, address: 0000000000000014
> RIP: 0010:f2fs_submit_page_write+0x6cf/0x780 [f2fs]
> Call Trace:
> <TASK>
> ? show_regs+0x6e/0x80
> ? __die+0x29/0x70
> ? page_fault_oops+0x154/0x4a0
> ? prb_read_valid+0x20/0x30
> ? __irq_work_queue_local+0x39/0xd0
> ? irq_work_queue+0x36/0x70
> ? do_user_addr_fault+0x314/0x6c0
> ? exc_page_fault+0x7d/0x190
> ? asm_exc_page_fault+0x2b/0x30
> ? f2fs_submit_page_write+0x6cf/0x780 [f2fs]
> ? f2fs_submit_page_write+0x736/0x780 [f2fs]
> do_write_page+0x50/0x170 [f2fs]
> f2fs_outplace_write_data+0x61/0xb0 [f2fs]
> f2fs_do_write_data_page+0x3f8/0x660 [f2fs]
> f2fs_write_single_data_page+0x5bb/0x7a0 [f2fs]
> f2fs_write_cache_pages+0x3da/0xbe0 [f2fs]
> ...
>
> It is possible that other threads have added this fio to io->bio
> and submitted the io->bio before entering f2fs_submit_page_write().
> At this point io->bio = NULL.
> If is_end_zone_blkaddr(sbi, fio->new_blkaddr) of this fio is true,
> then an NULL pointer dereference error occurs at bio_get(io->bio).
> In this case, the code to determine the zone end can simply be skipped.
>
> Signed-off-by: Wenjie Qi <qwjhust@gmail.com>
> ---
>  fs/f2fs/data.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
> index 1896928cae77..d08e92bb2621 100644
> --- a/fs/f2fs/data.c
> +++ b/fs/f2fs/data.c
> @@ -1100,7 +1100,7 @@ void f2fs_submit_page_write(struct f2fs_io_info *fio)
>                 goto next;
>  out:
>  #ifdef CONFIG_BLK_DEV_ZONED
> -       if (f2fs_sb_has_blkzoned(sbi) && btype < META &&
> +       if (io->bio && f2fs_sb_has_blkzoned(sbi) && btype < META &&
>                         is_end_zone_blkaddr(sbi, fio->new_blkaddr)) {
>                 spin_lock_bh(&sbi->available_active_zones_lock);
>                 if (sbi->available_active_zones > 0) {
> --
> 2.34.1
>

Patch

diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index 1896928cae77..d08e92bb2621 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -1100,7 +1100,7 @@  void f2fs_submit_page_write(struct f2fs_io_info *fio)
 		goto next;
 out:
 #ifdef CONFIG_BLK_DEV_ZONED
-	if (f2fs_sb_has_blkzoned(sbi) && btype < META &&
+	if (io->bio && f2fs_sb_has_blkzoned(sbi) && btype < META &&
 			is_end_zone_blkaddr(sbi, fio->new_blkaddr)) {
 		spin_lock_bh(&sbi->available_active_zones_lock);
 		if (sbi->available_active_zones > 0) {