While tracing the null dereference kernel panic issue during the stress-ng(stress-ng-proc) test, I found the inode code block that could cause a null dereference kernel panic. BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 inode stack variable not initialized and not check on this code block. but find entry in delaying_queue. then, there was something suspicious temp inode loop that could cause a kernel panic in below code block. Signed-off-by: Paran Lee <p4ranlee@xxxxxxxxx>
---
 fs/fs-writeback.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
index 591fe9cf1659..23a7a567e443 100644
--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -1357,12 +1357,14 @@ static int move_expired_inodes(struct list_head *delaying_queue,
 	LIST_HEAD(tmp);
 	struct list_head *pos, *node;
 	struct super_block *sb = NULL;
-	struct inode *inode;
+	struct inode *inode = NULL;
 	int do_sb_sort = 0;
 	int moved = 0;
 
 	while (!list_empty(delaying_queue)) {
 		inode = wb_inode(delaying_queue->prev);
+		if (!inode)
+			continue;
 		if (inode_dirtied_after(inode, dirtied_before))
 			break;
 		list_move(&inode->i_io_list, &tmp);
@@ -1385,7 +1387,12 @@ static int move_expired_inodes(struct list_head *delaying_queue,
 
 	/* Move inodes from one superblock together */
 	while (!list_empty(&tmp)) {
-		sb = wb_inode(tmp.prev)->i_sb;
+		inode = wb_inode(tmp.prev);
+		if (!inode)
+			continue;
+		sb = inode->i_sb;
+		if (!sb)
+			continue;
 		list_for_each_prev_safe(pos, node, &tmp) {
 			inode = wb_inode(pos);
 			if (inode->i_sb == sb)
-- 
2.25.1
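Review bot: The `if (!inode) continue;` added after `inode = wb_inode(delaying_queue->prev);`, and the same guard plus `if (!sb) continue;` added in the second hunk after `inode = wb_inode(tmp.prev);`, cannot fire and would hang the loop if they did. wb_inode() in this file is a container_of() over the embedded i_io_list, so for the non-NULL list pointer that the preceding list_empty() check guarantees it yields a non-NULL address, and a NULL result is unreachable; if it were reached, `continue` leaves the entry on the queue, the while condition is unchanged, and the loop never terminates. The `struct inode *inode = NULL;` initialiser likewise has no effect, since `inode` is assigned before every read in both loops. A fault at address 0000000000000008 is more plausibly a corrupted or racing list (an inode torn down while still queued, or the wb list lock not held at the caller) which these checks neither detect nor prevent; the commit message should name the reproducer path and the lock held at the call site, or add a `WARN_ON_ONCE()` on the list state, rather than masking the symptom. move_expired_inodes() begins and ends outside both hunks.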