From: Al Viro <viro@zeniv.linux.org.uk>
To: Monthero Ronald <rhmcruiser@gmail.com>
Cc: stable@vger.kernel.org
Subject: Re: [PATCH] fs: buffer: Check to avoid NULL pointer dereference of returned buffer_head for a private page
Date: Sun, 18 Aug 2019 05:31:08 +0100 [thread overview]
Message-ID: <20190818043108.GZ1131@ZenIV.linux.org.uk> (raw)
In-Reply-To: <1565795351-10543-1-git-send-email-rhmcruiser@gmail.com>
On Thu, Aug 15, 2019 at 01:09:11AM +1000, Monthero Ronald wrote:
> The patch checks for this condition of NULL pointer for the buffer_head returned from page_buffers()
> and also a check placed within the list traversal loop for next buffer_head structs.
>
> crash scenario:
> The buffer_head returned from page_buffers() is not checked in block_invalidatepage_range function.
> The struct buffer_head* pointer returned by page_buffers(page) was 0x0, although this page had its
> private flag PG_private bit set and was expected to have buffer_head structs attached.The NULL pointer
> buffer_head was dereferenced in block_invalidatepage_range function at bh->b_size, where bh returned by
> page_buffers(page) was 0x0.
>
> The stack frames were truncate_inode_page() => do_invalidatepage_range() => xfs_vm_invalidatepage() =>
> [exception RIP: block_invalidatepage_range+132]
>
> The inode for truncate in this case was valid and had proper inode.i_state = 0x20 - FREEING and had
> a valid mapped address space to xfs. And the struct page in context of block_invalidatepage_range()
> had its page flag PG_private set but the page.private was 0x0. So page_buffers(page) returned 0x0
> and hence the crash.
> This patch performs NULL pointer check for returned buffer_head. Applies to 3.16 and later kernels.
... and adds BUG_ON() for that. The only real difference from an oops is
that it's a bit easier to recognize. Which may or may not be a good
debugging strategy, but what's the point of having it in -stable? Or
anywhere other than the build on the boxen you are testing on...
It doesn't fix the underlying bug. It doesn't tell where the problem
is. It's definitely *not* a way to fix any bugs. And while we
are at it, the stuff in -stable ought to be backports from mainline.
Can you reproduce your crashes on mainline?
next prev parent reply other threads:[~2019-08-18 4:31 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-14 15:09 [PATCH] fs: buffer: Check to avoid NULL pointer dereference of returned buffer_head for a private page Monthero Ronald
2019-08-14 16:02 ` Greg KH
2019-08-18 4:27 ` Ron Enfield
2019-08-18 5:10 ` Greg KH
2019-08-18 4:31 ` Al Viro [this message]
2019-08-18 4:57 ` Ron Enfield
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190818043108.GZ1131@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=rhmcruiser@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.