| Message ID | 20181012233725.27290-1-fdmanana@kernel.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v2] Btrfs: fix null pointer dereference on compressed write path error | expand |
On Fri, Oct 12, 2018 at 4:38 PM <fdmanana@kernel.org> wrote: > > From: Filipe Manana <fdmanana@suse.com> > > At inode.c:compress_file_range(), under the "free_pages_out" label, we can > end up dereferencing the "pages" pointer when it has a NULL value. This > case happens when "start" has a value of 0 and we fail to allocate memory > for the "pages" pointer. When that happens we jump to the "cont" label and > then enter the "if (start == 0)" branch where we immediately call the > cow_file_range_inline() function. If that function returns 0 (success > creating an inline extent) or an error (like -ENOMEM for example) we jump > to the "free_pages_out" label and then access "pages[i]" leading to a NULL > pointer dereference, since "nr_pages" has a value greater than zero at > that point. > > Fix this by setting "nr_pages" to 0 when we fail to allocate memory for > the "pages" pointer. > Looks good. Reviewed-by: Liu Bo <bo.liu@linux.alibaba.com> thanks, liubo > Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201119 > Fixes: 771ed689d2cd ("Btrfs: Optimize compressed writeback and reads") > Signed-off-by: Filipe Manana <fdmanana@suse.com> > --- > > V2: Updated changelog. > > fs/btrfs/inode.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c > index 66c6c4103d2f..d6b61b1facdd 100644 > --- a/fs/btrfs/inode.c > +++ b/fs/btrfs/inode.c > @@ -503,6 +503,7 @@ static noinline void compress_file_range(struct inode *inode, > pages = kcalloc(nr_pages, sizeof(struct page *), GFP_NOFS); > if (!pages) { > /* just bail out to the uncompressed code */ > + nr_pages = 0; > goto cont; > } > > -- > 2.11.0 >
On Sat, Oct 13, 2018 at 12:37:25AM +0100, fdmanana@kernel.org wrote: > From: Filipe Manana <fdmanana@suse.com> > > At inode.c:compress_file_range(), under the "free_pages_out" label, we can > end up dereferencing the "pages" pointer when it has a NULL value. This > case happens when "start" has a value of 0 and we fail to allocate memory > for the "pages" pointer. When that happens we jump to the "cont" label and > then enter the "if (start == 0)" branch where we immediately call the > cow_file_range_inline() function. If that function returns 0 (success > creating an inline extent) or an error (like -ENOMEM for example) we jump > to the "free_pages_out" label and then access "pages[i]" leading to a NULL > pointer dereference, since "nr_pages" has a value greater than zero at > that point. > > Fix this by setting "nr_pages" to 0 when we fail to allocate memory for > the "pages" pointer. > > Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201119 > Fixes: 771ed689d2cd ("Btrfs: Optimize compressed writeback and reads") > Signed-off-by: Filipe Manana <fdmanana@suse.com> Added to misc-next, thanks.
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 66c6c4103d2f..d6b61b1facdd 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -503,6 +503,7 @@ static noinline void compress_file_range(struct inode *inode, pages = kcalloc(nr_pages, sizeof(struct page *), GFP_NOFS); if (!pages) { /* just bail out to the uncompressed code */ + nr_pages = 0; goto cont; }