[PATCH 1/1] cachefiles: Fix oops with cachefiles_cull() due to NULL object

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



When cachefiles_cull() calls cachefiles_bury_object(), it passes
a NULL object.  When this occurs, either trace_cachefiles_unlink()
or trace_cachefiles_rename() may oops due to the NULL object.
Check for NULL object in the tracepoint and if so, set debug_id
to MAX_UINT as was done in 2908f5e101e3.

The following oops was seen with xfstests generic/100.
BUG: kernel NULL pointer dereference, address: 0000000000000010
...
RIP: 0010:trace_event_raw_event_cachefiles_unlink+0x4e/0xa0 [cachefiles]
...
 Call Trace:
   cachefiles_bury_object+0x242/0x430 [cachefiles]
   ? __vfs_removexattr_locked+0x10f/0x150
   ? vfs_removexattr+0x51/0xd0
   cachefiles_cull+0x84/0x120 [cachefiles]
   cachefiles_daemon_cull+0xd1/0x120 [cachefiles]
   cachefiles_daemon_write+0x158/0x190 [cachefiles]
   vfs_write+0xbc/0x260
   ksys_write+0x4f/0xc0
   do_syscall_64+0x3b/0x90

The following oops was seen with xfstests generic/290.
BUG: kernel NULL pointer dereference, address: 0000000000000010
...
RIP: 0010:trace_event_raw_event_cachefiles_rename+0x54/0xa0 [cachefiles]
...
Call Trace:
  cachefiles_bury_object+0x35c/0x430 [cachefiles]
  cachefiles_cull+0x84/0x120 [cachefiles]
  cachefiles_daemon_cull+0xd1/0x120 [cachefiles]
  cachefiles_daemon_write+0x158/0x190 [cachefiles]
  vfs_write+0xbc/0x260
  ksys_write+0x4f/0xc0
  do_syscall_64+0x3b/0x90

Fixes: 2908f5e101e3 ("fscache: Add a cookie debug ID and use that in traces")
Signed-off-by: Dave Wysochanski <dwysocha@xxxxxxxxxx>
---
 include/trace/events/cachefiles.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/trace/events/cachefiles.h b/include/trace/events/cachefiles.h
index 695bfdbfdcad..920b6a303d60 100644
--- a/include/trace/events/cachefiles.h
+++ b/include/trace/events/cachefiles.h
@@ -178,7 +178,7 @@ enum cachefiles_obj_ref_trace {
 			     ),
 
 	    TP_fast_assign(
-		    __entry->obj	= obj->fscache.debug_id;
+		    __entry->obj	= obj ? obj->fscache.debug_id : UINT_MAX;
 		    __entry->de		= de;
 		    __entry->why	= why;
 			   ),
@@ -205,7 +205,7 @@ enum cachefiles_obj_ref_trace {
 			     ),
 
 	    TP_fast_assign(
-		    __entry->obj	= obj->fscache.debug_id;
+		    __entry->obj	= obj ? obj->fscache.debug_id : UINT_MAX;
 		    __entry->de		= de;
 		    __entry->to		= to;
 		    __entry->why	= why;
-- 
1.8.3.1

--
Linux-cachefs mailing list
Linux-cachefs@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/linux-cachefs




[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]
  Powered by Linux