Re: [PATCH] fs-writeback: fix NULL pointer dereference in __mark_inode_dirty

Sergey Senozhatsky <sergey.senozhatsky@xxxxxxxxx> · Mon, 28 Feb 2011 17:43:14 +0200

On (02/28/11 16:25), Andreas Bießmann wrote:
> This patch fixes a kernel NULL pointer dereference as mentioned in this log:
> 
> ---8<---
> [   43.044000] mmc0: card c556 removed
> [   43.059000] mmcblk0: error -123 sending status comand
> [   43.064000] mmcblk0: error -123 sending read/write command, response 0x0, card status 0x0
> [   43.089000] mmcblk0: error -123 requesting status
> [   43.096000] end_request: I/O error, dev mmcblk0, sector 1667989
> <snip repeated error>
> [   43.830000] end_request: I/O error, dev mmcblk0, sector 1667988
> [   44.679000] Unable to handle kernel NULL pointer dereference at virtual address 00000010
> [   44.688000] ptbr = 93ec0000 pgd = 93ebf000
> [   44.692000] Oops: Kernel access of bad area, sig: 11 [#1]
> [   44.692000] FRAME_POINTER chip: 0x01f:0x1e82 rev 2
> [   44.692000] Modules linked in:
> [   44.692000] PC is at __mark_inode_dirty+0x8a/0x11c
> [   44.692000] LR is at __mark_inode_dirty+0x7c/0x11c
> <snip stack trace>
> [   44.692000] Call trace:
> [   44.692000]  [<900780a4>] file_update_time+0x96/0xaa
> [   44.692000]  [<9005439a>] __generic_file_aio_write+0x212/0x330
> [   44.692000]  [<900544f4>] generic_file_aio_write+0x3c/0x74
> [   44.692000]  [<9006b82c>] do_sync_readv_writev+0x68/0x90
> [   44.692000]  [<9006b8c0>] do_readv_writev+0x6c/0x108
> [   44.692000]  [<9006b98a>] vfs_writev+0x2e/0x34
> [   44.692000]  [<9006be60>] sys_writev+0x2c/0x4c
> [   44.692000]  [<90023132>] syscall_return+0x0/0x12
> [   44.692000]
> --->8---
> 
> The reference to sb->s_bdi may be deleted from mmc_blk_remove() ->
> del_gendisk() -> unlink_gendisk() -> bdi_unregister() -> bdi_prune_sb() while
> another instance try to write some data to the device.
> 
> Signed-off-by: Andreas Bießmann <biessmann@xxxxxxxxxxxxx>
> ---
>  fs/fs-writeback.c |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
> index cdbf7ac..96b4b25 100644
> --- a/fs/fs-writeback.c
> +++ b/fs/fs-writeback.c
> @@ -1047,6 +1047,9 @@ void __mark_inode_dirty(struct inode *inode, int flags)
>  		if (!was_dirty) {
>  			bdi = inode_to_bdi(inode);
>  
> +			if (!bdi)
> +				goto out;
> +
>  			if (bdi_cap_writeback_dirty(bdi)) {
>  				WARN(!test_bit(BDI_registered, &bdi->state),
>  				     "bdi-%s not registered\n", bdi->name);

Hello,
I had something very similar to this some time ago
https://lkml.org/lkml/2010/12/9/436

However, I'm not sure that this check is sufficient.

	Sergey
Attachment:
pgpCHcnLoIhmZ.pgp

Description: PGP signature