When releasing the perag in xfs_free_perag(), the assertion that the perag is in the radix tree is correct in most cases. However, there is one corner case where the assertion is not true. During log recovery, the AGs become visible (that is, included in mp->m_sb.sb_agcount) first, and then the perag is initialized. If the initialization of the perag fails, the assertion will be triggered. Worse yet, null pointer dereferencing can occur. Signed-off-by: Long Li <leo.lilong@xxxxxxxxxx> --- fs/xfs/libxfs/xfs_ag.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/xfs/libxfs/xfs_ag.c b/fs/xfs/libxfs/xfs_ag.c index cc10a3ca052f..11ed048c350c 100644 --- a/fs/xfs/libxfs/xfs_ag.c +++ b/fs/xfs/libxfs/xfs_ag.c @@ -258,7 +258,8 @@ xfs_free_perag( spin_lock(&mp->m_perag_lock); pag = radix_tree_delete(&mp->m_perag_tree, agno); spin_unlock(&mp->m_perag_lock); - ASSERT(pag); + if (!pag) + break; XFS_IS_CORRUPT(pag->pag_mount, atomic_read(&pag->pag_ref) != 0); xfs_defer_drain_free(&pag->pag_intents_drain); -- 2.31.1
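Review bot: the `if (!pag) break;` that replaces `ASSERT(pag)` in xfs_free_perag() stops at the first agno with no entry in m_perag_tree, which is only correct if no higher-numbered AG can still have an initialized perag at that point. That ordering assumption is not stated in the code, so please add a comment above the check saying that a missing perag is expected only when perag initialization failed during log recovery and that every later agno is then missing too; if that cannot be guaranteed, `continue` would avoid leaking the remaining perags. The change also drops the debug check for the common path that the commit message says is correct in most cases, so consider keeping an assertion that fires when a perag is missing outside the failed-initialization case, rather than silently accepting NULL everywhere.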