Patch "f2fs: fix NULL pointer dereference in f2fs_submit_page_write()" has been added to the 6.7-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    f2fs: fix NULL pointer dereference in f2fs_submit_page_write()

to the 6.7-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     f2fs-fix-null-pointer-dereference-in-f2fs_submit_pag.patch
and it can be found in the queue-6.7 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit f9d185c491f5ca24e8f61f88ba7dfdab479ff139
Author: Wenjie Qi <qwjhust@xxxxxxxxx>
Date:   Tue Jan 16 22:11:38 2024 +0800

    f2fs: fix NULL pointer dereference in f2fs_submit_page_write()
    
    [ Upstream commit c2034ef6192a65a986a45c2aa2ed05824fdc0e9f ]
    
    BUG: kernel NULL pointer dereference, address: 0000000000000014
    RIP: 0010:f2fs_submit_page_write+0x6cf/0x780 [f2fs]
    Call Trace:
    <TASK>
    ? show_regs+0x6e/0x80
    ? __die+0x29/0x70
    ? page_fault_oops+0x154/0x4a0
    ? prb_read_valid+0x20/0x30
    ? __irq_work_queue_local+0x39/0xd0
    ? irq_work_queue+0x36/0x70
    ? do_user_addr_fault+0x314/0x6c0
    ? exc_page_fault+0x7d/0x190
    ? asm_exc_page_fault+0x2b/0x30
    ? f2fs_submit_page_write+0x6cf/0x780 [f2fs]
    ? f2fs_submit_page_write+0x736/0x780 [f2fs]
    do_write_page+0x50/0x170 [f2fs]
    f2fs_outplace_write_data+0x61/0xb0 [f2fs]
    f2fs_do_write_data_page+0x3f8/0x660 [f2fs]
    f2fs_write_single_data_page+0x5bb/0x7a0 [f2fs]
    f2fs_write_cache_pages+0x3da/0xbe0 [f2fs]
    ...
    It is possible that other threads have added this fio to io->bio
    and submitted the io->bio before entering f2fs_submit_page_write().
    At this point io->bio = NULL.
    If is_end_zone_blkaddr(sbi, fio->new_blkaddr) of this fio is true,
    then an NULL pointer dereference error occurs at bio_get(io->bio).
    The original code for determining zone end was after "out:",
    which would have missed some fio who is zone end. I've moved
     this code before "skip:" to make sure it's done for each fio.
    
    Fixes: e067dc3c6b9c ("f2fs: maintain six open zones for zoned devices")
    Signed-off-by: Wenjie Qi <qwjhust@xxxxxxxxx>
    Reviewed-by: Chao Yu <chao@xxxxxxxxxx>
    Signed-off-by: Jaegeuk Kim <jaegeuk@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index cd9f1c6039c49..d71683039b961 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -1080,10 +1080,6 @@ void f2fs_submit_page_write(struct f2fs_io_info *fio)
 	io->last_block_in_bio = fio->new_blkaddr;
 
 	trace_f2fs_submit_page_write(fio->page, fio);
-skip:
-	if (fio->in_list)
-		goto next;
-out:
 #ifdef CONFIG_BLK_DEV_ZONED
 	if (f2fs_sb_has_blkzoned(sbi) && btype < META &&
 			is_end_zone_blkaddr(sbi, fio->new_blkaddr)) {
@@ -1096,6 +1092,10 @@ void f2fs_submit_page_write(struct f2fs_io_info *fio)
 		__submit_merged_bio(io);
 	}
 #endif
+skip:
+	if (fio->in_list)
+		goto next;
+out:
 	if (is_sbi_flag_set(sbi, SBI_IS_SHUTDOWN) ||
 				!f2fs_is_checkpoint_ready(sbi))
 		__submit_merged_bio(io);




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux