release/5.2.46/nilfs2-fix-null-pointer-dereference-at-nilfs_segctor.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From 0f7d77a58e0b9d9a861aa02fdb74111663a85a62 Mon Sep 17 00:00:00 2001
 From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
 Date: Wed, 10 Jun 2020 18:41:35 -0700
 Subject: [PATCH] nilfs2: fix null pointer dereference at
  nilfs_segctor_do_construct()

 commit 8301c719a2bd131436438e49130ee381d30933f5 upstream.

 After commit c3aab9a0bd91 ("mm/filemap.c: don't initiate writeback if
 mapping has no dirty pages"), the following null pointer dereference has
 been reported on nilfs2:

   BUG: kernel NULL pointer dereference, address: 00000000000000a8
   #PF: supervisor read access in kernel mode
   #PF: error_code(0x0000) - not-present page
   PGD 0 P4D 0
   Oops: 0000 [#1] SMP PTI
   ...
   RIP: 0010:percpu_counter_add_batch+0xa/0x60
   ...
   Call Trace:
     __test_set_page_writeback+0x2d3/0x330
     nilfs_segctor_do_construct+0x10d3/0x2110 [nilfs2]
     nilfs_segctor_construct+0x168/0x260 [nilfs2]
     nilfs_segctor_thread+0x127/0x3b0 [nilfs2]
     kthread+0xf8/0x130
     ...

 This crash turned out to be caused by set_page_writeback() call for
 segment summary buffers at nilfs_segctor_prepare_write().

 set_page_writeback() can call inc_wb_stat(inode_to_wb(inode),
 WB_WRITEBACK) where inode_to_wb(inode) is NULL if the inode of
 underlying block device does not have an associated wb.

 This fixes the issue by calling inode_attach_wb() in advance to ensure
 to associate the bdev inode with its wb.

 Fixes: c3aab9a0bd91 ("mm/filemap.c: don't initiate writeback if mapping has no dirty pages")
 Reported-by: Walton Hoops <me@waltonhoops.com>
 Reported-by: Tomas Hlavaty <tom@logand.com>
 Reported-by: ARAI Shun-ichi <hermes@ceres.dti.ne.jp>
 Reported-by: Hideki EIRAKU <hdk1983@gmail.com>
 Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
 Cc: <stable@vger.kernel.org>	[5.4+]
 Link: http://lkml.kernel.org/r/20200608.011819.1399059588922299158.konishi.ryusuke@gmail.com
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c
 index 445eef41bfaf..91b58c897f92 100644
 --- a/fs/nilfs2/segment.c
 +++ b/fs/nilfs2/segment.c
 @@ -2780,6 +2780,8 @@ int nilfs_attach_log_writer(struct super_block *sb, struct nilfs_root *root)
  	if (!nilfs->ns_writer)
  		return -ENOMEM;

 +	inode_attach_wb(nilfs->ns_bdev->bd_inode, NULL);
 +
  	err = nilfs_segctor_start_thread(nilfs->ns_writer);
  	if (err) {
  		kfree(nilfs->ns_writer);
 --
 2.7.4
	From 0f7d77a58e0b9d9a861aa02fdb74111663a85a62 Mon Sep 17 00:00:00 2001
	From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
	Date: Wed, 10 Jun 2020 18:41:35 -0700
	Subject: [PATCH] nilfs2: fix null pointer dereference at
	nilfs_segctor_do_construct()

	commit 8301c719a2bd131436438e49130ee381d30933f5 upstream.

	After commit c3aab9a0bd91 ("mm/filemap.c: don't initiate writeback if
	mapping has no dirty pages"), the following null pointer dereference has
	been reported on nilfs2:

	BUG: kernel NULL pointer dereference, address: 00000000000000a8
	#PF: supervisor read access in kernel mode
	#PF: error_code(0x0000) - not-present page
	PGD 0 P4D 0
	Oops: 0000 [#1] SMP PTI
	...
	RIP: 0010:percpu_counter_add_batch+0xa/0x60
	...
	Call Trace:
	__test_set_page_writeback+0x2d3/0x330
	nilfs_segctor_do_construct+0x10d3/0x2110 [nilfs2]
	nilfs_segctor_construct+0x168/0x260 [nilfs2]
	nilfs_segctor_thread+0x127/0x3b0 [nilfs2]
	kthread+0xf8/0x130
	...

	This crash turned out to be caused by set_page_writeback() call for
	segment summary buffers at nilfs_segctor_prepare_write().

	set_page_writeback() can call inc_wb_stat(inode_to_wb(inode),
	WB_WRITEBACK) where inode_to_wb(inode) is NULL if the inode of
	underlying block device does not have an associated wb.

	This fixes the issue by calling inode_attach_wb() in advance to ensure
	to associate the bdev inode with its wb.

	Fixes: c3aab9a0bd91 ("mm/filemap.c: don't initiate writeback if mapping has no dirty pages")
	Reported-by: Walton Hoops <me@waltonhoops.com>
	Reported-by: Tomas Hlavaty <tom@logand.com>
	Reported-by: ARAI Shun-ichi <hermes@ceres.dti.ne.jp>
	Reported-by: Hideki EIRAKU <hdk1983@gmail.com>
	Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
	Cc: <stable@vger.kernel.org> [5.4+]
	Link: http://lkml.kernel.org/r/20200608.011819.1399059588922299158.konishi.ryusuke@gmail.com
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c
	index 445eef41bfaf..91b58c897f92 100644
	--- a/fs/nilfs2/segment.c
	+++ b/fs/nilfs2/segment.c
	@@ -2780,6 +2780,8 @@ int nilfs_attach_log_writer(struct super_block sb, struct nilfs_root root)
	if (!nilfs->ns_writer)
	return -ENOMEM;

	+ inode_attach_wb(nilfs->ns_bdev->bd_inode, NULL);
	+
	err = nilfs_segctor_start_thread(nilfs->ns_writer);
	if (err) {
	kfree(nilfs->ns_writer);
	--
	2.7.4