From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Qu Wenruo", "David Sterba", "Gu Jinxiang", "Xu Wen"
Date: Sat, 22 Sep 2018 01:15:42 +0100
Subject: [PATCH 3.16 49/63] btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized

3.16.58-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Qu Wenruo

commit 389305b2aa68723c754f88d9dbd268a400e10664 upstream.

Invalid reloc tree can cause kernel NULL pointer dereference when btrfs does some cleanup of the reloc roots.

It turns out that fs_info::reloc_ctl can be NULL in btrfs_recover_relocation() as we allocate relocation control after all reloc roots have been verified. So when we hit:

note, we haven't called set_reloc_control() thus fs_info::reloc_ctl is still NULL.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=199833
Reported-by: Xu Wen
Signed-off-by: Qu Wenruo
Tested-by: Gu Jinxiang
Reviewed-by: David Sterba
Signed-off-by: David Sterba
Signed-off-by: Ben Hutchings
---
 fs/btrfs/relocation.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

--- a/fs/btrfs/relocation.c +++ b/fs/btrfs/relocation.c 
@@ -1311,18 +1311,19 @@ static void __del_reloc_root(struct btrf struct mapping_node *node = NULL; struct reloc_control *rc = root->fs_info->reloc_ctl; - spin_lock(&rc->reloc_root_tree.lock); - rb_node = tree_search(&rc->reloc_root_tree.rb_root, - root->node->start); - if (rb_node) { - node = rb_entry(rb_node, struct mapping_node, rb_node); - rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root); + if (rc) { + spin_lock(&rc->reloc_root_tree.lock); + rb_node = tree_search(&rc->reloc_root_tree.rb_root, + root->node->start); + if (rb_node) { + node = rb_entry(rb_node, struct mapping_node, rb_node); + rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root); + } + spin_unlock(&rc->reloc_root_tree.lock); + if (!node) + return; + BUG_ON((struct btrfs_root *)node->data != root); } - spin_unlock(&rc->reloc_root_tree.lock); - - if (!node) - return; - BUG_ON((struct btrfs_root *)node->data != root); spin_lock(&root->fs_info->trans_lock); list_del_init(&root->root_list);
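
Review bot: The new `if (rc)` block in __del_reloc_root() gives a missing mapping node two different outcomes, and nothing in the code says why. With rc set and no node found, the function still returns early at `if (!node) return;` and never reaches `list_del_init(&root->root_list)`; with rc == NULL it now falls through to the trans_lock section with node left at its initial NULL. A short comment above `if (rc)` stating that reloc_ctl can be NULL when cleanup runs from btrfs_recover_relocation() before set_reloc_control(), and that the root must still be unlinked from root_list in that case, would make the asymmetry intentional rather than accidental. The lines after `list_del_init()` are outside the visible context, so it is worth confirming that whatever follows tolerates node == NULL. Separately, `BUG_ON((struct btrfs_root *)node->data != root)` is kept on a path that the commit message says is reachable from an invalid reloc tree; a warning plus an error return would be a less drastic response to bad on-disk data than halting the kernel, though that may belong in a follow-up rather than in this stable backport.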