LinuxLists.cc - 2.6.32-rc8: pohmelfs: NULL pointer dereference

2009-12-02 01:11:48

Subject: 2.6.32-rc8: pohmelfs: NULL pointer dereference

Hi

BUG: unable to handle kernel NULL pointer dereference at 000000b8
IP: [<c10a96f9>] bdi_queue_work+0x9/0xa0

[<c10a97e6>] ? sync_inodes_sb+0x46/0x120
[<c13cbafd>] ? printk+0x18/0x1b
[<f840d8cb>] ? pohmelfs_kill_super+0xb/0x20 [pohmelfs]
[<c1090b8a>] ? deactivate_locked_super+0x4a/0x70
[<c1090ccf>] ? get_sb_nodev+0x6f/0x80
[<f840d8fc>] ? pohmelfs_get_sb+0x1c/0x20 [pohmelfs]
[<f840e120>] ? pohmelfs_fill_super+0x0/0x530 [pohmelfs]
[<c108fe50>] ? vfs_kern_mount+0x40/0xd0

The problem is that pohmelfs_fill_super() does not set sb->s_bdi.
Behavior was changed by
b6e51316da writeback: separate starting of sync vs opportunistic writeback
d8a8559cd7 writeback: get rid of generic_sync_sb_inodes() export

2009-12-02 22:23:20

by Evgeniy Polyakov

[permalink] [raw]

Subject: Re: 2.6.32-rc8: pohmelfs: NULL pointer dereference

Hi Alexander.

Thanks a lot for you report and analysis!

On Wed, Dec 02, 2009 at 04:11:52AM +0300, Alexander Beregalov ([email protected]) wrote:
> BUG: unable to handle kernel NULL pointer dereference at 000000b8
> IP: [<c10a96f9>] bdi_queue_work+0x9/0xa0
>
> [<c10a97e6>] ? sync_inodes_sb+0x46/0x120
> [<c13cbafd>] ? printk+0x18/0x1b
> [<f840d8cb>] ? pohmelfs_kill_super+0xb/0x20 [pohmelfs]
> [<c1090b8a>] ? deactivate_locked_super+0x4a/0x70
> [<c1090ccf>] ? get_sb_nodev+0x6f/0x80
> [<f840d8fc>] ? pohmelfs_get_sb+0x1c/0x20 [pohmelfs]
> [<f840e120>] ? pohmelfs_fill_super+0x0/0x530 [pohmelfs]
> [<c108fe50>] ? vfs_kern_mount+0x40/0xd0
>
>
> The problem is that pohmelfs_fill_super() does not set sb->s_bdi.
> Behavior was changed by
> b6e51316da writeback: separate starting of sync vs opportunistic writeback
> d8a8559cd7 writeback: get rid of generic_sync_sb_inodes() export

Looks like this change broke things:

-long sync_inodes_sb(struct super_block *sb)
+void sync_inodes_sb(struct super_block *sb)
{
- struct writeback_control wbc = {
- .sb = sb,
- .bdi = sb->s_bdi,
- .sync_mode = WB_SYNC_ALL,
- .range_start = 0,
- .range_end = LLONG_MAX,
- };
- long nr_to_write = LONG_MAX; /* doesn't actually matter */
-
- wbc.nr_to_write = nr_to_write;
- bdi_start_writeback(&wbc);
- wait_sb_inodes(&wbc);
- return nr_to_write - wbc.nr_to_write;
+ bdi_sync_writeback(sb->s_bdi, sb);
+ wait_sb_inodes(sb);

POHMELFS does not set sb->s_bdi, so it will be dereferenced in
bdi_queue_work() and crash. Jens, should it check whether bdi is NULL in
bdi_sync_writeback()?

--
Evgeniy Polyakov