From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Chao Yu <yuchao0@huawei.com>, Jaegeuk Kim <jaegeuk@kernel.org>,
Sasha Levin <sashal@kernel.org>,
linux-f2fs-devel@lists.sourceforge.net
Subject: [PATCH AUTOSEL 5.4 64/84] f2fs: fix NULL pointer dereference in f2fs_write_begin()
Date: Wed, 15 Apr 2020 07:44:21 -0400 [thread overview]
Message-ID: <20200415114442.14166-64-sashal@kernel.org> (raw)
In-Reply-To: <20200415114442.14166-1-sashal@kernel.org>
From: Chao Yu <yuchao0@huawei.com>
[ Upstream commit 62f63eea291b50a5677ae7503ac128803174698a ]
BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:f2fs_write_begin+0x823/0xb90 [f2fs]
Call Trace:
f2fs_quota_write+0x139/0x1d0 [f2fs]
write_blk+0x36/0x80 [quota_tree]
get_free_dqblk+0x42/0xa0 [quota_tree]
do_insert_tree+0x235/0x4a0 [quota_tree]
do_insert_tree+0x26e/0x4a0 [quota_tree]
do_insert_tree+0x26e/0x4a0 [quota_tree]
do_insert_tree+0x26e/0x4a0 [quota_tree]
qtree_write_dquot+0x70/0x190 [quota_tree]
v2_write_dquot+0x43/0x90 [quota_v2]
dquot_acquire+0x77/0x100
f2fs_dquot_acquire+0x2f/0x60 [f2fs]
dqget+0x310/0x450
dquot_transfer+0x7e/0x120
f2fs_setattr+0x11a/0x4a0 [f2fs]
notify_change+0x349/0x480
chown_common+0x168/0x1c0
do_fchownat+0xbc/0xf0
__x64_sys_fchownat+0x20/0x30
do_syscall_64+0x5f/0x220
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Pass the fsdata parameter to .write_{begin,end} in f2fs_quota_write(),
so that if the quota file is a compressed one, we can avoid the above NULL
pointer dereference when updating quota content.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/super.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 94caf26901e0b..5e1d4d9243a95 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1826,6 +1826,7 @@ static ssize_t f2fs_quota_write(struct super_block *sb, int type,
int offset = off & (sb->s_blocksize - 1);
size_t towrite = len;
struct page *page;
+ void *fsdata = NULL;
char *kaddr;
int err = 0;
int tocopy;
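Review bot: the `fsdata` local added here is only meaningful if `write_begin` on this mapping ever populates it; the commit message ties that to compressed quota files, and f2fs compression support postdates the 5.4 tree, so on this stable branch the variable should stay NULL for the whole loop and the patch is effectively a no-op. Worth confirming the backport is wanted; if it is taken, the `= NULL` initialiser is still required because the value is reused across loop iterations and handed to `write_end` whether or not `write_begin` touched it.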
@@ -1835,7 +1836,7 @@ static ssize_t f2fs_quota_write(struct super_block *sb, int type,
towrite);
retry:
err = a_ops->write_begin(NULL, mapping, off, tocopy, 0,
- &page, NULL);
+ &page, &fsdata);
if (unlikely(err)) {
if (err == -ENOMEM) {
congestion_wait(BLK_RW_ASYNC, HZ/50);
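Review bot: on the `-ENOMEM` path the call is retried with `&fsdata` again, so the retried `write_begin` overwrites whatever the failed attempt left there; that is only safe if `write_begin` releases any per-call state it stored in `*fsdata` before returning an error, which this hunk cannot show. A short comment stating that `write_begin` owns `fsdata` until `write_end` consumes it (and leaves it untouched for non-compressed inodes) would make the contract explicit for the next reader.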
@@ -1851,7 +1852,7 @@ static ssize_t f2fs_quota_write(struct super_block *sb, int type,
flush_dcache_page(page);
a_ops->write_end(NULL, mapping, off, tocopy, tocopy,
- page, NULL);
+ page, fsdata);
offset = 0;
towrite -= tocopy;
off += tocopy;
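Review bot: `write_end` now consumes `fsdata`, but nothing resets it afterwards, so the next iteration's `write_begin` receives the address of a stale pointer; if `write_begin` does not unconditionally assign `*fsdata` on the path that later reads it, stale state could reach a later `write_end`. Either add `fsdata = NULL;` after the `write_end` call or document that `write_begin` always writes it for the compressed case this fix targets.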
--
2.20.1