[PATCH] fs: xfs: fix possible NULL pointer dereference in xfs_buf_ioapply_map()

From: Zixuan Fu
Date: Mon Apr 11 2022 - 07:33:14 EST

Next message: Rex-BC Chen: "Re: [PATCH V2 06/15] cpufreq: mediatek: Record previous target vproc value"
Previous message: Andy Shevchenko: "Re: [PATCH v3 5/5] tty: Use flow-control char function on closing path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In our fault-injection testing, bio_alloc() may fail with low memory and
return NULL. In this case, the variable "bio" in xfs_buf_ioapply_map()
would be NULL and then it is dereferenced by the next instruction
"bio->bi_iter.bi_sector".

The failure log is listed as follows:

[ 11.929658] BUG: kernel NULL pointer dereference, address: 0000000000000015
...
[ 11.932963] RIP: 0010:xfs_buf_ioapply_map+0x2cc/0x6f0 [xfs]
...
[ 11.940043] Call Trace:
[ 11.940247] <TASK>
[ 11.940416] ? _raw_spin_unlock_irqrestore+0x3c/0x70
[ 11.940827] _xfs_buf_ioapply+0x134/0x4d0 [xfs]
[ 11.941256] __xfs_buf_submit+0x585/0x7a0 [xfs]
[ 11.941684] ? _xfs_buf_read+0xb7/0x120 [xfs]
[ 11.942127] _xfs_buf_read+0xb7/0x120 [xfs]
[ 11.942535] xfs_buf_read_map+0x1ba/0x650 [xfs]
[ 11.942981] ? xfs_read_agf+0x163/0x260 [xfs]
[ 11.943394] xfs_trans_read_buf_map+0x37c/0x850 [xfs]
[ 11.943883] ? xfs_read_agf+0x163/0x260 [xfs]
[ 11.944306] ? xfs_read_agf+0x163/0x260 [xfs]
[ 11.944725] xfs_read_agf+0x163/0x260 [xfs]
[ 11.945141] xfs_alloc_read_agf+0xc5/0x480 [xfs]
[ 11.945574] xfs_alloc_pagf_init+0x89/0x150 [xfs]
[ 11.946037] xfs_ag_resv_init+0x14b/0x5c0 [xfs]
[ 11.946471] xfs_fs_reserve_ag_blocks+0xf3/0x290 [xfs]
[ 11.946961] xfs_mountfs+0x2298/0x2440 [xfs]
[ 11.947372] xfs_fs_fill_super+0x1eaa/0x21e0 [xfs]
[ 11.947840] get_tree_bdev+0x3c3/0x5f0
[ 11.948136] ? xfs_fs_warn_deprecated+0x100/0x100 [xfs]
[ 11.948633] xfs_fs_get_tree+0x68/0xb0 [xfs]
[ 11.949056] vfs_get_tree+0x81/0x220
[ 11.949336] path_mount+0x1061/0x2340
[ 11.949619] ? kasan_quarantine_put+0x2c/0x1a0
[ 11.949991] ? slab_free_freelist_hook+0xde/0x160
[ 11.950360] ? mark_mounts_for_expiry+0x410/0x410
[ 11.950729] ? user_path_at_empty+0xf6/0x160
[ 11.951072] ? kmem_cache_free+0xb8/0x1a0
[ 11.951384] ? user_path_at_empty+0xf6/0x160
[ 11.951717] __se_sys_mount+0x217/0x2b0
[ 11.952001] ? __x64_sys_mount+0xd0/0xd0
[ 11.952277] ? exit_to_user_mode_prepare+0x32/0x130
[ 11.952664] do_syscall_64+0x41/0x90
[ 11.952960] entry_SYSCALL_64_after_hwframe+0x44/0xae
...
[ 11.958483] </TASK>

This patch adds a NULL check of "bio" and return immediately if it's NULL.

Reported-by: TOTE Robot <oslab@xxxxxxxxxxxxxxx>
Signed-off-by: Zixuan Fu <r33s3n6@xxxxxxxxx>
---
fs/xfs/xfs_buf.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
index e1afb9e503e1..1be98503b538 100644
--- a/fs/xfs/xfs_buf.c
+++ b/fs/xfs/xfs_buf.c
@@ -1447,6 +1447,9 @@ xfs_buf_ioapply_map(
nr_pages = bio_max_segs(total_nr_pages);

bio = bio_alloc(bp->b_target->bt_bdev, nr_pages, op, GFP_NOIO);
+ if (!bio)
+ return;
+
bio->bi_iter.bi_sector = sector;
bio->bi_end_io = xfs_buf_bio_end_io;
bio->bi_private = bp;
--
2.25.1

Next message: Rex-BC Chen: "Re: [PATCH V2 06/15] cpufreq: mediatek: Record previous target vproc value"
Previous message: Andy Shevchenko: "Re: [PATCH v3 5/5] tty: Use flow-control char function on closing path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]