In our fault-injection testing, bio_alloc() may fail with low memory and return NULL. In this case, the variable "bio" in xfs_buf_ioapply_map() would be NULL and then it is dereferenced by the next instruction "bio->bi_iter.bi_sector". The failure log is listed as follows: [ 11.929658] BUG: kernel NULL pointer dereference, address: 0000000000000015 ... [ 11.932963] RIP: 0010:xfs_buf_ioapply_map+0x2cc/0x6f0 [xfs] ... [ 11.940043] Call Trace: [ 11.940247] <TASK> [ 11.940416] ? _raw_spin_unlock_irqrestore+0x3c/0x70 [ 11.940827] _xfs_buf_ioapply+0x134/0x4d0 [xfs] [ 11.941256] __xfs_buf_submit+0x585/0x7a0 [xfs] [ 11.941684] ? _xfs_buf_read+0xb7/0x120 [xfs] [ 11.942127] _xfs_buf_read+0xb7/0x120 [xfs] [ 11.942535] xfs_buf_read_map+0x1ba/0x650 [xfs] [ 11.942981] ? xfs_read_agf+0x163/0x260 [xfs] [ 11.943394] xfs_trans_read_buf_map+0x37c/0x850 [xfs] [ 11.943883] ? xfs_read_agf+0x163/0x260 [xfs] [ 11.944306] ? xfs_read_agf+0x163/0x260 [xfs] [ 11.944725] xfs_read_agf+0x163/0x260 [xfs] [ 11.945141] xfs_alloc_read_agf+0xc5/0x480 [xfs] [ 11.945574] xfs_alloc_pagf_init+0x89/0x150 [xfs] [ 11.946037] xfs_ag_resv_init+0x14b/0x5c0 [xfs] [ 11.946471] xfs_fs_reserve_ag_blocks+0xf3/0x290 [xfs] [ 11.946961] xfs_mountfs+0x2298/0x2440 [xfs] [ 11.947372] xfs_fs_fill_super+0x1eaa/0x21e0 [xfs] [ 11.947840] get_tree_bdev+0x3c3/0x5f0 [ 11.948136] ? xfs_fs_warn_deprecated+0x100/0x100 [xfs] [ 11.948633] xfs_fs_get_tree+0x68/0xb0 [xfs] [ 11.949056] vfs_get_tree+0x81/0x220 [ 11.949336] path_mount+0x1061/0x2340 [ 11.949619] ? kasan_quarantine_put+0x2c/0x1a0 [ 11.949991] ? slab_free_freelist_hook+0xde/0x160 [ 11.950360] ? mark_mounts_for_expiry+0x410/0x410 [ 11.950729] ? user_path_at_empty+0xf6/0x160 [ 11.951072] ? kmem_cache_free+0xb8/0x1a0 [ 11.951384] ? user_path_at_empty+0xf6/0x160 [ 11.951717] __se_sys_mount+0x217/0x2b0 [ 11.952001] ? __x64_sys_mount+0xd0/0xd0 [ 11.952277] ? exit_to_user_mode_prepare+0x32/0x130 [ 11.952664] do_syscall_64+0x41/0x90 [ 11.952960] entry_SYSCALL_64_after_hwframe+0x44/0xae ... [ 11.958483] </TASK> This patch adds a NULL check of "bio" and return immediately if it's NULL. Reported-by: TOTE Robot <oslab@xxxxxxxxxxxxxxx> Signed-off-by: Zixuan Fu <r33s3n6@xxxxxxxxx> --- fs/xfs/xfs_buf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index e1afb9e503e1..1be98503b538 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -1447,6 +1447,9 @@ xfs_buf_ioapply_map( nr_pages = bio_max_segs(total_nr_pages); bio = bio_alloc(bp->b_target->bt_bdev, nr_pages, op, GFP_NOIO); + if (!bio) + return; + bio->bi_iter.bi_sector = sector; bio->bi_end_io = xfs_buf_bio_end_io; bio->bi_private = bp; -- 2.25.1
