Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp1257210pxa; Thu, 20 Aug 2020 06:56:33 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzJ+wiyt+/0MLi7RCc8iE1RlBrUvlPYh/gDHsAB7tWPsXCgvPZw9Ue/r88urZY7x2VP9nw0 X-Received: by 2002:a50:9fc9:: with SMTP id c67mr3028354edf.69.1597931793180; Thu, 20 Aug 2020 06:56:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597931793; cv=none; d=google.com; s=arc-20160816; b=H0Hp+2w73uvKk5L/Q+EJc0bcHrCQsgOMgP6Kh/S75OmmD3YUGUGEJ1doIOjaaZx19J bIUhrYK+rdGrDKoWZbqyKGxtCe4qrYOAko4YXLMsV8fh1b+qy5qv1zs3SpsbsqIn16bT I1bU4Ag2yDagyak4ERIkt5xD5jr/F3RG+L5MPINNIuNBjGQvu0VWfHPQs6OBSNFxy4Fd zUvPRtbnrUqCJAd8Wb57DHYaZCmF1e9snDalaZXsBTWqJ1xUeABAdsQH2HhDb5pIOZRt aiHLr/qNKAgw9RfbvitiUEPFGMfsYW0SiX3lJGyO2qo6n8rDz29oKOTwtImLUmuVrJMX QSGg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Ydl/4y48JKaPdmzywDK0N+XqdFFKKWxafcGsKiFqj3w=; b=h/WZx5p6kk4khn9drlumQ8HLHGa+N/lAcqCH8N1os/Bcde/zGt/odb/CmBxEUxBdPP UAbtBWTFJLriYiCyRem0S+QgKTN10b+g3k6mNjbb1PncpMl3v9ziVwgnLvyd+szXhMjm pYXmtsO/yHZa4xZHyeMUaP8HTRwBpWQf6f+E+anXKAGvfEN/WxOlfP1H/WkdV7+PO8++ 5y8Wzflkra0/93sOwGKHEyi67zezowDbIes4hciYv11yxeAyfvyNQGpFCt17ZyLt4cQr Xe/lzmRjNJtqw7+3Dmo3c/mZwayYFjeiYianmq1ILrzCwLD+o2DUeGGYHBU7liFIZxgT ubhQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=yZX3HePW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r5si1409499edx.458.2020.08.20.06.56.08; Thu, 20 Aug 2020 06:56:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=yZX3HePW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727859AbgHTNzh (ORCPT + 99 others); Thu, 20 Aug 2020 09:55:37 -0400 Received: from mail.kernel.org ([198.145.29.99]:35480 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727884AbgHTJ01 (ORCPT ); Thu, 20 Aug 2020 05:26:27 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id F3A912224D; Thu, 20 Aug 2020 09:26:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597915586; bh=gyy4mqRPaLXTrrYs++HIfHK5fw84SdLNy01wdRVzCMo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=yZX3HePWcgWXz6EFFPp3OXTPqLGLXSFjONGjjPAJMKIDn4ZXH0l1Cs+AiX28QFl0w RpL6gTI2NYHlOYwtXIJYkbUMYSqQlIlr3pAXUWephmj0VcCea8PV9HD9VOCtXFUxXS H2g0CkbfRN26UYZbv/pZbb7mXz8sRBiNZOYkfK+w= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Luciano Chavez , Qu Wenruo , David Sterba Subject: [PATCH 5.8 036/232] btrfs: inode: fix NULL pointer dereference if inode doesnt need compression Date: Thu, 20 Aug 2020 11:18:07 +0200 Message-Id: <20200820091614.520145024@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200820091612.692383444@linuxfoundation.org> References: <20200820091612.692383444@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Qu Wenruo commit 1e6e238c3002ea3611465ce5f32777ddd6a40126 upstream. [BUG] There is a bug report of NULL pointer dereference caused in compress_file_extent(): Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries Workqueue: btrfs-delalloc btrfs_delalloc_helper [btrfs] NIP [c008000006dd4d34] compress_file_range.constprop.41+0x75c/0x8a0 [btrfs] LR [c008000006dd4d1c] compress_file_range.constprop.41+0x744/0x8a0 [btrfs] Call Trace: [c000000c69093b00] [c008000006dd4d1c] compress_file_range.constprop.41+0x744/0x8a0 [btrfs] (unreliable) [c000000c69093bd0] [c008000006dd4ebc] async_cow_start+0x44/0xa0 [btrfs] [c000000c69093c10] [c008000006e14824] normal_work_helper+0xdc/0x598 [btrfs] [c000000c69093c80] [c0000000001608c0] process_one_work+0x2c0/0x5b0 [c000000c69093d10] [c000000000160c38] worker_thread+0x88/0x660 [c000000c69093db0] [c00000000016b55c] kthread+0x1ac/0x1c0 [c000000c69093e20] [c00000000000b660] ret_from_kernel_thread+0x5c/0x7c ---[ end trace f16954aa20d822f6 ]--- [CAUSE] For the following execution route of compress_file_range(), it's possible to hit NULL pointer dereference: compress_file_extent() |- pages = NULL; |- start = async_chunk->start = 0; |- end = async_chunk = 4095; |- nr_pages = 1; |- inode_need_compress() == false; <<< Possible, see later explanation | Now, we have nr_pages = 1, pages = NULL |- cont: |- ret = cow_file_range_inline(); |- if (ret <= 0) { |- for (i = 0; i < nr_pages; i++) { |- WARN_ON(pages[i]->mapping); <<< Crash To enter above call execution branch, we need the following race: Thread 1 (chattr) | Thread 2 (writeback) --------------------------+------------------------------ | btrfs_run_delalloc_range | |- inode_need_compress = true | |- cow_file_range_async() btrfs_ioctl_set_flag() | |- binode_flags |= | BTRFS_INODE_NOCOMPRESS | | compress_file_range() | |- inode_need_compress = false | |- nr_page = 1 while pages = NULL | | Then hit the crash [FIX] This patch will fix it by checking @pages before doing accessing it. This patch is only designed as a hot fix and easy to backport. More elegant fix may make btrfs only check inode_need_compress() once to avoid such race, but that would be another story. Reported-by: Luciano Chavez Fixes: 4d3a800ebb12 ("btrfs: merge nr_pages input and output parameter in compress_pages") CC: stable@vger.kernel.org # 4.14.x: cecc8d9038d16: btrfs: Move free_pages_out label in inline extent handling branch in compress_file_range CC: stable@vger.kernel.org # 4.14+ Signed-off-by: Qu Wenruo Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman --- fs/btrfs/inode.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -650,12 +650,18 @@ cont: page_error_op | PAGE_END_WRITEBACK); - for (i = 0; i < nr_pages; i++) { - WARN_ON(pages[i]->mapping); - put_page(pages[i]); + /* + * Ensure we only free the compressed pages if we have + * them allocated, as we can still reach here with + * inode_need_compress() == false. + */ + if (pages) { + for (i = 0; i < nr_pages; i++) { + WARN_ON(pages[i]->mapping); + put_page(pages[i]); + } + kfree(pages); } - kfree(pages); - return 0; } }