From patchwork Wed Sep 14 10:28:37 2016
X-Patchwork-Submitter: Chandan Rajendra
X-Patchwork-Id: 9331161
From: Chandan Rajendra
To: linux-btrfs@vger.kernel.org
Cc: Chandan Rajendra, jbacik@fb.com
Subject: [PATCH] Btrfs: Free fs_info->eb_info only when it holds a valid pointer
Date: Wed, 14 Sep 2016 15:58:37 +0530
Message-Id: <1473848917-25442-1-git-send-email-chandan@linux.vnet.ibm.com>
X-Mailing-List: linux-btrfs@vger.kernel.org

The following command line sequence causes a NULL pointer dereference,

mount /dev/loop0 /mnt/dir1
mount /dev/loop0 /mnt/dir2

[  159.964194] BUG: unable to handle kernel NULL pointer dereference at 0000000000000070
[  159.965147] IP: [] list_lru_destroy+0x8/0x20
[  159.965147] PGD 0
[  159.965147] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
[  159.965147] Modules linked in:
[  159.965147] CPU: 2 PID: 3043 Comm: mount Not tainted 4.7.0-ge96efee1-dirty #5
[  159.965147] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[  159.965147] task: ffff8818b511a400 task.stack: ffff8818a5108000
[  159.965147] RIP: 0010:[] [] list_lru_destroy+0x8/0x20
[  159.965147] RSP: 0018:ffff8818a510bbd8 EFLAGS: 00010246
[  159.965147] RAX: 0000000000000000 RBX: 0000000000000070 RCX: 00000000c0000100
[  159.965147] RDX: ffffffff82041b78 RSI: ffff8818b511a400 RDI: 0000000000000070
[  159.965147] RBP: ffff8818a510bbe0 R08: ffff8818a5108000 R09: ffff8818a50a6000
[  159.965147] R10: 0000000000000000 R11: 000000253e9b4bd4 R12: ffffffff82098f80
[  159.965147] R13: ffff8818b266e000 R14: ffff8818a4760000 R15: ffff8818b5449b50
[  159.965147] FS:  00007f29f0ab0840(0000) GS:ffff881933480000(0000) knlGS:0000000000000000
[  159.965147] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  159.965147] CR2: 0000000000000070 CR3: 00000018a5239000 CR4: 00000000000006e0
[  159.965147] Stack:
[  159.965147]  0000000000000000 ffff8818a510bcb8 ffffffff813464e5 0000000fa510bc00
[  159.965147]  000000200100243e ffff8818a4004d18 0000000800000046 ffff8818a510bc20
[  159.965147]  ffffffff8148243e ffff8818a510bc50 ffff8818b5449b30 0000000000000008
[  159.965147] Call Trace:
[  159.965147]  [] btrfs_mount+0xad5/0xee0
[  159.965147]  [] ? find_next_zero_bit+0x1e/0x20
[  159.965147]  [] mount_fs+0x34/0x160
[  159.965147]  [] ? __alloc_percpu+0x10/0x20
[  159.965147]  [] vfs_kern_mount+0x62/0x100
[  159.965147]  [] btrfs_mount+0x186/0xee0
[  159.965147]  [] ? find_next_zero_bit+0x1e/0x20
[  159.965147]  [] mount_fs+0x34/0x160
[  159.965147]  [] ? __alloc_percpu+0x10/0x20
[  159.965147]  [] vfs_kern_mount+0x62/0x100
[  159.965147]  [] do_mount+0x1b6/0xc40
[  159.965147]  [] ? memdup_user+0x3d/0x70
[  159.965147]  [] SyS_mount+0x7e/0xd0
[  159.965147]  [] entry_SYSCALL_64_fastpath+0x13/0x8f
[  159.965147] Code: 89 08 48 89 e5 48 8b 02 48 89 70 08 48 89 06 48 89 56 08 48 89 32 5d 48 83 6f 10 01 c3 66 0f 1f 44 00 00 55 48 89 e5 53 48 89 fb <48> 8b 3f 48 85 ff 74 0c e8 9b 99 02 00 48 c7 03 00 00 00 00 5b
[  159.965147] RIP  [] list_lru_destroy+0x8/0x20
[  159.965147]  RSP
[  159.965147] CR2: 0000000000000070
[  159.999634] ---[ end trace 04bad43e08a10198 ]---

When servicing the second mount command, btrfs_mount() invokes free_fs_info() because super_block->s_root is already set. At this instance we would not have initialized btrfs_fs_info->eb_info to a valid memory address. Hence the statement,

list_lru_destroy(&fs_info->eb_info->lru_list);

causes a NULL pointer dereference.

Signed-off-by: Chandan Rajendra
---
 fs/btrfs/ctree.h | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
index ee6956c..33ce069 100644
--- a/fs/btrfs/ctree.h
+++ b/fs/btrfs/ctree.h
@@ -2882,8 +2882,11 @@ static inline int btrfs_need_cleaner_sleep(struct btrfs_root *root) static inline void free_fs_info(struct btrfs_fs_info *fs_info) { - list_lru_destroy(&fs_info->eb_info->lru_list); - kfree(fs_info->eb_info); + if (fs_info->eb_info) { + list_lru_destroy(&fs_info->eb_info->lru_list); + kfree(fs_info->eb_info); + } + kfree(fs_info->balance_ctl); kfree(fs_info->delayed_root); kfree(fs_info->extent_root);
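Review bot: the new `if (fs_info->eb_info)` guard is only sound if fs_info is zero-allocated on the early free path, so that eb_info is NULL rather than stale memory when free_fs_info() runs before eb_info was set up; the commit message says eb_info "would not have [been] initialized" at that point, so please confirm in the patch description that the allocation zeroes the struct (kzalloc or equivalent), since the check depends on it. The hunk also adds an empty `+` line between the new closing `}` and `kfree(fs_info->balance_ctl);` that the original function did not have; drop it to keep the existing spacing. The scope of the guard is right: kfree() already tolerates NULL, so balance_ctl and the other fields need no check, and only the `list_lru_destroy(&fs_info->eb_info->lru_list)` dereference had to be wrapped, together with the kfree of eb_info that depends on the same pointer.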
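As an added, constructed user-space model (not kernel code and not part of this patch) of the teardown the commit message describes: on the second-mount path a zero-allocated fs_info is freed before eb_info was ever allocated, so only the guarded form from the hunk can release eb_info conditionally while the kfree-only fields stay safe because kfree() accepts NULL. The struct layouts, the counter, the mount_device() driver and freeing fs_info itself at the end of free_fs_info() are assumptions of the model, not taken from the page.

```c
#include <stdlib.h>

/* Constructed stand-ins for the kernel structures named in the patch. */
struct list_lru { int active; };
struct eb_info  { struct list_lru lru_list; };
struct fs_info {
    struct eb_info *eb_info;   /* NULL until the mount gets past the s_root check */
    void *balance_ctl;
    void *delayed_root;
};

static int lru_destroy_calls;  /* model counter: how many LRUs were torn down */

/* The real list_lru_destroy() follows its argument, so &NULL->lru_list faults. */
static void list_lru_destroy(struct list_lru *lru) { lru->active = 0; lru_destroy_calls++; }

/* kfree() accepts NULL, which is why balance_ctl etc. never needed a guard. */
static void kfree(void *p) { free(p); }

/* Teardown as patched: release eb_info only if it was ever allocated.
 * Returns 1 when eb_info was released, 0 when the guard skipped it.
 * Freeing fs_info itself here is a model assumption; the hunk ends before that. */
static int free_fs_info(struct fs_info *fs_info)
{
    int released = 0;
    if (fs_info->eb_info) {
        list_lru_destroy(&fs_info->eb_info->lru_list);
        kfree(fs_info->eb_info);
        released = 1;
    }
    kfree(fs_info->balance_ctl);
    kfree(fs_info->delayed_root);
    kfree(fs_info);
    return released;
}

/* Models btrfs_mount(): fs_info is zero-allocated; if the superblock already has
 * s_root (second mount of the same device) it is freed before eb_info exists. */
static int mount_device(int s_root_already_set)
{
    struct fs_info *fs_info = calloc(1, sizeof *fs_info);  /* kzalloc: eb_info == NULL */
    if (!fs_info) return -1;
    if (s_root_already_set)
        return free_fs_info(fs_info);            /* the path that oopsed before the fix */
    fs_info->eb_info = calloc(1, sizeof *fs_info->eb_info);
    if (!fs_info->eb_info) { kfree(fs_info); return -1; }
    fs_info->eb_info->lru_list.active = 1;
    /* ... mount proceeds; on unmount the full teardown runs ... */
    return free_fs_info(fs_info);
}
```

Running mount_device(1) before mount_device(0) reproduces the order of the two mount commands in the report: the first call returns 0 with no LRU destroyed, the second returns 1.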