From: Chao Yu
To:
CC: , , , Chao Yu
Subject: [PATCH v2 3/5] f2fs: fix to avoid NULL pointer dereference
Date: Wed, 25 Mar 2020 17:18:11 +0800
Message-ID: <20200325091811.60725-1-yuchao0@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Unable to handle kernel NULL pointer dereference at virtual address 00000000
PC is at f2fs_free_dic+0x60/0x2c8
LR is at f2fs_decompress_pages+0x3c4/0x3e8
f2fs_free_dic+0x60/0x2c8
f2fs_decompress_pages+0x3c4/0x3e8
__read_end_io+0x78/0x19c
f2fs_post_read_work+0x6c/0x94
process_one_work+0x210/0x48c
worker_thread+0x2e8/0x44c
kthread+0x110/0x120
ret_from_fork+0x10/0x18

In f2fs_free_dic(), we can not use f2fs_put_page(,1) to release dic->tpages[i], as the page's mapping is NULL.

Signed-off-by: Chao Yu
---
v2:
- fix to skip release tpages[i] if it is NULL in error path.

fs/f2fs/compress.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c index ef7dd04312fe..6e10800729b6 100644 --- a/fs/f2fs/compress.c +++ b/fs/f2fs/compress.c @@ -1137,7 +1137,10 @@ void f2fs_free_dic(struct decompress_io_ctx *dic) for (i = 0; i < dic->cluster_size; i++) { if (dic->rpages[i]) continue; - f2fs_put_page(dic->tpages[i], 1); + if (!dic->tpages[i]) + continue; + unlock_page(dic->tpages[i]); + put_page(dic->tpages[i]); } kfree(dic->tpages); } -- 2.18.0.rc1
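
Review bot: the open-coded unlock_page()/put_page() pair in the f2fs_free_dic() loop has no comment saying why f2fs_put_page(dic->tpages[i], 1) cannot be used here, so a later cleanup could fold it back into the helper and bring the oops back. The reason exists only in the commit message (the page's mapping is NULL); a one-line comment above `if (!dic->tpages[i])` saying that tpages[i] has no mapping would keep it next to the code. The new unlock_page(dic->tpages[i]) also assumes every non-NULL entry is still locked when this loop runs, including on the error path the v2 note refers to, and that is worth stating or confirming in the changelog. The message also carries no Fixes: tag, which would tell anyone backporting which trees need the change.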