From: Jingbo Xu
To: xiang@kernel.org, chao@kernel.org, linux-erofs@lists.ozlabs.org
Cc: huyue2@coolpad.com, linux-kernel@vger.kernel.org
Subject: [PATCH] erofs: fix NULL dereference of dif->bdev_handle in fscache mode
Date: Tue, 14 Nov 2023 15:07:04 +0800
Message-Id: <20231114070704.23398-1-jefflexu@linux.alibaba.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Avoid NULL dereference of dif->bdev_handle, as dif->bdev_handle is NULL
in fscache mode.

BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:erofs_map_dev+0xbd/0x1c0
Call Trace:
 erofs_fscache_data_read_slice+0xa7/0x340
 erofs_fscache_data_read+0x11/0x30
 erofs_fscache_readahead+0xd9/0x100
 read_pages+0x47/0x1f0
 page_cache_ra_order+0x1e5/0x270
 filemap_get_pages+0xf2/0x5f0
 filemap_read+0xb8/0x2e0
 vfs_read+0x18d/0x2b0
 ksys_read+0x53/0xd0
 do_syscall_64+0x42/0xf0
 entry_SYSCALL_64_after_hwframe+0x6e/0x76

Reported-by: Yiqun Leng
Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=7245
Fixes: 49845720080d ("erofs: Convert to use bdev_open_by_path()")
Signed-off-by: Jingbo Xu
Reviewed-by: Chao Yu
Reviewed-by: Gao Xiang
Reviewed-by: Yue Hu
--- fs/erofs/data.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/erofs/data.c b/fs/erofs/data.c index 029c761670bf..c98aeda8abb2 100644 --- a/fs/erofs/data.c +++ b/fs/erofs/data.c @@ -220,7 +220,7 @@ int erofs_map_dev(struct super_block *sb, struct erofs_= map_dev *map) up_read(&devs->rwsem); return 0; } - map->m_bdev =3D dif->bdev_handle->bdev; + map->m_bdev =3D dif->bdev_handle ? dif->bdev_handle->bdev : NULL; map->m_daxdev =3D dif->dax_dev; map->m_dax_part_off =3D dif->dax_part_off; map->m_fscache =3D dif->fscache; 
@@ -238,7 +238,8 @@ int erofs_map_dev(struct super_block *sb, struct erofs_= map_dev *map) if (map->m_pa >=3D startoff && map->m_pa < startoff + length) { map->m_pa -=3D startoff; - map->m_bdev =3D dif->bdev_handle->bdev; + map->m_bdev =3D dif->bdev_handle ? + dif->bdev_handle->bdev : NULL; map->m_daxdev =3D dif->dax_dev; map->m_dax_part_off =3D dif->dax_part_off; map->m_fscache =3D dif->fscache; --=20 2.19.1.6.gb485710b
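Review bot: In the hunk at @@ -220,7 +220,7 @@, map->m_bdev can now be NULL on a successful return from erofs_map_dev(), and nothing at the assignment documents that this is the expected state in fscache mode. A one-line comment above the new ternary, saying that fscache-mode devices have no bdev_handle and that consumers should use map->m_fscache (assigned three lines below) instead of map->m_bdev, would keep a later caller from dereferencing m_bdev unconditionally and reintroducing the same oops one level up.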
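Review bot: The hunk at @@ -238,7 +238,8 @@ open-codes the same NULL-guarded expression as the first hunk, "dif->bdev_handle ? dif->bdev_handle->bdev : NULL", this time inside the per-device range check. Consider a small static inline helper in data.c that takes the dif and returns its bdev or NULL, and call it from both sites, so that a future change to how bdev_handle is stored cannot update one assignment and miss the other.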