From: Valentin Vidic via Ocfs2-devel <ocfs2-devel@oss.oracle.com> To: Mark Fasheh <mark@fasheh.com>, Joel Becker <jlbec@evilplan.org>, Joseph Qi <joseph.qi@linux.alibaba.com> Cc: Valentin Vidic <vvidic@valentin-vidic.from.hr>, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Tuo Li <islituo@gmail.com>, Dayvison <sathlerds@gmail.com>, ocfs2-devel@oss.oracle.com Subject: [Ocfs2-devel] [PATCH] ocfs2: quota_local: fix mount crash of filesystems with quota enabled Date: Tue, 22 Mar 2022 04:12:15 +0100 [thread overview] Message-ID: <20220322031215.1449435-1-vvidic@valentin-vidic.from.hr> (raw) ocfs2_qinfo_lock_res_init is called too early while oinfo->dqi_gi.dqi_sb is still a NULL pointer causing a crash on mount when quotas are enabled. Restore ocfs2_qinfo_lock_res_init original call location in ocfs2_global_read_info after the value of oinfo->dqi_gi.dqi_sb is set. [ 389.111864] ocfs2: Mounting device (254,16) on (node 2, slot 0) with ordered data mode. [ 389.160182] BUG: kernel NULL pointer dereference, address: 0000000000000398 [ 389.160295] #PF: supervisor read access in kernel mode [ 389.160343] #PF: error_code(0x0000) - not-present page [ 389.160390] PGD 0 P4D 0 [ 389.160432] Oops: 0000 [#1] PREEMPT SMP PTI [ 389.160477] CPU: 0 PID: 836 Comm: mount.ocfs2 Not tainted 5.16.0-4-amd64 #1 Debian 5.16.12-1 [ 389.160591] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 [ 389.160714] RIP: 0010:ocfs2_qinfo_lock_res_init+0x44/0x50 [ocfs2] [ 389.161290] Code: 00 00 00 48 63 b3 b8 01 00 00 e8 87 bb ff ff 49 89 d8 48 89 ee ba 08 00 00 00 48 8b 83 b0 01 00 00 48 c7 c1 a0 e0 dc c0 5b 5d <48> 8b b8 98 03 00 00 e9 70 c4 ff ff 0f 1f 44 00 00 41 56 41 89 ce [ 389.161460] RSP: 0018:ffffb2c0c0047be8 EFLAGS: 00010282 [ 389.161510] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffc0dce0a0 [ 389.161619] RDX: 0000000000000008 RSI: ffff8b685c343c30 RDI: ffffb2c0c0047bb8 [ 389.161747] RBP: ffff8b685c343c00 R08: ffff8b685c343c00 R09: 0000000000000000 [ 389.161809] R10: ffffb2c0c0047bb0 R11: ffffffffc0d8f030 R12: ffff8b685c343c18 [ 389.161868] R13: ffff8b68462d3ec8 R14: 0000000000000000 R15: ffff8b6848fb6800 [ 389.161929] FS: 00007f7956901c00(0000) GS:ffff8b687ec00000(0000) knlGS:0000000000000000 [ 389.162009] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 389.162060] CR2: 0000000000000398 CR3: 000000000554a004 CR4: 0000000000370ef0 [ 389.162129] Call Trace: [ 389.162184] <TASK> [ 389.162211] ocfs2_local_read_info+0xb9/0x6f0 [ocfs2] [ 389.162479] ? ocfs2_local_check_quota_file+0x197/0x390 [ocfs2] [ 389.162774] dquot_load_quota_sb+0x216/0x470 [ 389.162849] ? preempt_count_add+0x68/0xa0 [ 389.162895] dquot_load_quota_inode+0x85/0x100 [ 389.162943] ocfs2_enable_quotas+0xa0/0x1c0 [ocfs2] [ 389.163151] ocfs2_fill_super.cold+0xc8/0x1bf [ocfs2] [ 389.163374] mount_bdev+0x185/0x1b0 [ 389.163431] ? ocfs2_initialize_super.isra.0+0xf40/0xf40 [ocfs2] [ 389.163673] legacy_get_tree+0x27/0x40 [ 389.163726] vfs_get_tree+0x25/0xb0 [ 389.163764] path_mount+0x465/0xac0 [ 389.163804] __x64_sys_mount+0x103/0x140 [ 389.163844] do_syscall_64+0x3b/0xc0 [ 389.163919] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 389.164016] RIP: 0033:0x7f7956e0258a [ 389.164057] Code: 48 8b 0d e9 28 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b6 28 0d 00 f7 d8 64 89 01 48 [ 389.164206] RSP: 002b:00007fff9be78718 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 389.164273] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7956e0258a [ 389.164334] RDX: 000055bffbe230ae RSI: 000055bffc7ec370 RDI: 000055bffc7f33f0 [ 389.164395] RBP: 00007fff9be788d0 R08: 000055bffc7f3390 R09: 00007fff9be76110 [ 389.164454] R10: 0000000000000000 R11: 0000000000000246 R12: 000055bffbe230ae [ 389.164514] R13: 000055bffc7ec301 R14: 00007fff9be787c0 R15: 00007fff9be78740 [ 389.166469] </TASK> [ 389.168355] Modules linked in: ocfs2 quota_tree ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue sctp ip6_udp_tunnel udp_tunnel libcrc32c intel_rapl_msr intel_rapl_common intel_pmc_core_pltdrv intel_pmc_core kvm_intel kvm irqbypass ghash_clmulni_intel snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi aesni_intel crypto_simd qxl snd_hda_codec cryptd drm_ttm_helper rapl snd_hda_core ttm snd_hwdep snd_pcm serio_raw snd_timer iTCO_wdt pcspkr intel_pmc_bxt iTCO_vendor_support drm_kms_helper snd virtio_rng rng_core soundcore virtio_balloon virtio_console cec evdev joydev i6300esb rc_core watchdog qemu_fw_cfg button auth_rpcgss sunrpc drm fuse configfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic hid_generic usbhid hid virtio_net net_failover failover virtio_blk ahci xhci_pci libahci libata xhci_hcd crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel virtio_pci virtio_pci_legacy_dev virtio_pci_modern _dev [ 389.168645] virtio psmouse usbcore scsi_mod i2c_i801 i2c_smbus scsi_common lpc_ich usb_common virtio_ring [ 389.187016] CR2: 0000000000000398 [ 389.188963] ---[ end trace 571e3ca036b59855 ]--- Fixes: 6c85c2c72819 ("ocfs2: quota_local: fix possible uninitialized-variable access in ocfs2_local_read_info()") Reported-by: Dayvison <sathlerds@gmail.com> Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007141 Cc: stable@vger.kernel.org Signed-off-by: Valentin Vidic <vvidic@valentin-vidic.from.hr> --- fs/ocfs2/quota_global.c | 1 + fs/ocfs2/quota_local.c | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c index f033de733adb..eda83487c9ec 100644 --- a/fs/ocfs2/quota_global.c +++ b/fs/ocfs2/quota_global.c @@ -357,6 +357,7 @@ int ocfs2_global_read_info(struct super_block *sb, int type) } oinfo->dqi_gi.dqi_sb = sb; oinfo->dqi_gi.dqi_type = type; + ocfs2_qinfo_lock_res_init(&oinfo->dqi_gqlock, oinfo); oinfo->dqi_gi.dqi_entry_size = sizeof(struct ocfs2_global_disk_dqblk); oinfo->dqi_gi.dqi_ops = &ocfs2_global_ops; oinfo->dqi_gqi_bh = NULL; diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c index 0e4b16d4c037..e6037e4a1641 100644 --- a/fs/ocfs2/quota_local.c +++ b/fs/ocfs2/quota_local.c @@ -703,7 +703,6 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) oinfo->dqi_type = type; INIT_LIST_HEAD(&oinfo->dqi_chunk); oinfo->dqi_gqinode = NULL; - ocfs2_qinfo_lock_res_init(&oinfo->dqi_gqlock, oinfo); oinfo->dqi_rec = NULL; oinfo->dqi_lqi_bh = NULL; oinfo->dqi_libh = NULL; -- 2.30.2 _______________________________________________ Ocfs2-devel mailing list Ocfs2-devel@oss.oracle.com https://oss.oracle.com/mailman/listinfo/ocfs2-devel
WARNING: multiple messages have this Message-ID (diff)
From: Valentin Vidic <vvidic@valentin-vidic.from.hr> To: Mark Fasheh <mark@fasheh.com>, Joel Becker <jlbec@evilplan.org>, Joseph Qi <joseph.qi@linux.alibaba.com> Cc: Tuo Li <islituo@gmail.com>, Andrew Morton <akpm@linux-foundation.org>, ocfs2-devel@oss.oracle.com, linux-kernel@vger.kernel.org, Valentin Vidic <vvidic@valentin-vidic.from.hr>, Dayvison <sathlerds@gmail.com>, stable@vger.kernel.org Subject: [PATCH] ocfs2: quota_local: fix mount crash of filesystems with quota enabled Date: Tue, 22 Mar 2022 04:12:15 +0100 [thread overview] Message-ID: <20220322031215.1449435-1-vvidic@valentin-vidic.from.hr> (raw) ocfs2_qinfo_lock_res_init is called too early while oinfo->dqi_gi.dqi_sb is still a NULL pointer causing a crash on mount when quotas are enabled. Restore ocfs2_qinfo_lock_res_init original call location in ocfs2_global_read_info after the value of oinfo->dqi_gi.dqi_sb is set. [ 389.111864] ocfs2: Mounting device (254,16) on (node 2, slot 0) with ordered data mode. [ 389.160182] BUG: kernel NULL pointer dereference, address: 0000000000000398 [ 389.160295] #PF: supervisor read access in kernel mode [ 389.160343] #PF: error_code(0x0000) - not-present page [ 389.160390] PGD 0 P4D 0 [ 389.160432] Oops: 0000 [#1] PREEMPT SMP PTI [ 389.160477] CPU: 0 PID: 836 Comm: mount.ocfs2 Not tainted 5.16.0-4-amd64 #1 Debian 5.16.12-1 [ 389.160591] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 [ 389.160714] RIP: 0010:ocfs2_qinfo_lock_res_init+0x44/0x50 [ocfs2] [ 389.161290] Code: 00 00 00 48 63 b3 b8 01 00 00 e8 87 bb ff ff 49 89 d8 48 89 ee ba 08 00 00 00 48 8b 83 b0 01 00 00 48 c7 c1 a0 e0 dc c0 5b 5d <48> 8b b8 98 03 00 00 e9 70 c4 ff ff 0f 1f 44 00 00 41 56 41 89 ce [ 389.161460] RSP: 0018:ffffb2c0c0047be8 EFLAGS: 00010282 [ 389.161510] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffc0dce0a0 [ 389.161619] RDX: 0000000000000008 RSI: ffff8b685c343c30 RDI: ffffb2c0c0047bb8 [ 389.161747] RBP: ffff8b685c343c00 R08: ffff8b685c343c00 R09: 0000000000000000 [ 389.161809] R10: ffffb2c0c0047bb0 R11: ffffffffc0d8f030 R12: ffff8b685c343c18 [ 389.161868] R13: ffff8b68462d3ec8 R14: 0000000000000000 R15: ffff8b6848fb6800 [ 389.161929] FS: 00007f7956901c00(0000) GS:ffff8b687ec00000(0000) knlGS:0000000000000000 [ 389.162009] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 389.162060] CR2: 0000000000000398 CR3: 000000000554a004 CR4: 0000000000370ef0 [ 389.162129] Call Trace: [ 389.162184] <TASK> [ 389.162211] ocfs2_local_read_info+0xb9/0x6f0 [ocfs2] [ 389.162479] ? ocfs2_local_check_quota_file+0x197/0x390 [ocfs2] [ 389.162774] dquot_load_quota_sb+0x216/0x470 [ 389.162849] ? preempt_count_add+0x68/0xa0 [ 389.162895] dquot_load_quota_inode+0x85/0x100 [ 389.162943] ocfs2_enable_quotas+0xa0/0x1c0 [ocfs2] [ 389.163151] ocfs2_fill_super.cold+0xc8/0x1bf [ocfs2] [ 389.163374] mount_bdev+0x185/0x1b0 [ 389.163431] ? ocfs2_initialize_super.isra.0+0xf40/0xf40 [ocfs2] [ 389.163673] legacy_get_tree+0x27/0x40 [ 389.163726] vfs_get_tree+0x25/0xb0 [ 389.163764] path_mount+0x465/0xac0 [ 389.163804] __x64_sys_mount+0x103/0x140 [ 389.163844] do_syscall_64+0x3b/0xc0 [ 389.163919] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 389.164016] RIP: 0033:0x7f7956e0258a [ 389.164057] Code: 48 8b 0d e9 28 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b6 28 0d 00 f7 d8 64 89 01 48 [ 389.164206] RSP: 002b:00007fff9be78718 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 389.164273] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7956e0258a [ 389.164334] RDX: 000055bffbe230ae RSI: 000055bffc7ec370 RDI: 000055bffc7f33f0 [ 389.164395] RBP: 00007fff9be788d0 R08: 000055bffc7f3390 R09: 00007fff9be76110 [ 389.164454] R10: 0000000000000000 R11: 0000000000000246 R12: 000055bffbe230ae [ 389.164514] R13: 000055bffc7ec301 R14: 00007fff9be787c0 R15: 00007fff9be78740 [ 389.166469] </TASK> [ 389.168355] Modules linked in: ocfs2 quota_tree ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue sctp ip6_udp_tunnel udp_tunnel libcrc32c intel_rapl_msr intel_rapl_common intel_pmc_core_pltdrv intel_pmc_core kvm_intel kvm irqbypass ghash_clmulni_intel snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi aesni_intel crypto_simd qxl snd_hda_codec cryptd drm_ttm_helper rapl snd_hda_core ttm snd_hwdep snd_pcm serio_raw snd_timer iTCO_wdt pcspkr intel_pmc_bxt iTCO_vendor_support drm_kms_helper snd virtio_rng rng_core soundcore virtio_balloon virtio_console cec evdev joydev i6300esb rc_core watchdog qemu_fw_cfg button auth_rpcgss sunrpc drm fuse configfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic hid_generic usbhid hid virtio_net net_failover failover virtio_blk ahci xhci_pci libahci libata xhci_hcd crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel virtio_pci virtio_pci_legacy_dev virtio_pci_modern _dev [ 389.168645] virtio psmouse usbcore scsi_mod i2c_i801 i2c_smbus scsi_common lpc_ich usb_common virtio_ring [ 389.187016] CR2: 0000000000000398 [ 389.188963] ---[ end trace 571e3ca036b59855 ]--- Fixes: 6c85c2c72819 ("ocfs2: quota_local: fix possible uninitialized-variable access in ocfs2_local_read_info()") Reported-by: Dayvison <sathlerds@gmail.com> Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007141 Cc: stable@vger.kernel.org Signed-off-by: Valentin Vidic <vvidic@valentin-vidic.from.hr> --- fs/ocfs2/quota_global.c | 1 + fs/ocfs2/quota_local.c | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c index f033de733adb..eda83487c9ec 100644 --- a/fs/ocfs2/quota_global.c +++ b/fs/ocfs2/quota_global.c @@ -357,6 +357,7 @@ int ocfs2_global_read_info(struct super_block *sb, int type) } oinfo->dqi_gi.dqi_sb = sb; oinfo->dqi_gi.dqi_type = type; + ocfs2_qinfo_lock_res_init(&oinfo->dqi_gqlock, oinfo); oinfo->dqi_gi.dqi_entry_size = sizeof(struct ocfs2_global_disk_dqblk); oinfo->dqi_gi.dqi_ops = &ocfs2_global_ops; oinfo->dqi_gqi_bh = NULL; diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c index 0e4b16d4c037..e6037e4a1641 100644 --- a/fs/ocfs2/quota_local.c +++ b/fs/ocfs2/quota_local.c @@ -703,7 +703,6 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) oinfo->dqi_type = type; INIT_LIST_HEAD(&oinfo->dqi_chunk); oinfo->dqi_gqinode = NULL; - ocfs2_qinfo_lock_res_init(&oinfo->dqi_gqlock, oinfo); oinfo->dqi_rec = NULL; oinfo->dqi_lqi_bh = NULL; oinfo->dqi_libh = NULL; -- 2.30.2
next reply other threads:[~2022-03-22 3:13 UTC|newest] Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-03-22 3:12 Valentin Vidic via Ocfs2-devel [this message] 2022-03-22 3:12 ` [PATCH] ocfs2: quota_local: fix mount crash of filesystems with quota enabled Valentin Vidic 2022-03-22 7:32 ` [Ocfs2-devel] " Joseph Qi 2022-03-22 7:32 ` Joseph Qi via Ocfs2-devel 2022-03-22 20:35 ` Valentin Vidić 2022-03-22 20:35 ` Valentin Vidić via Ocfs2-devel
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20220322031215.1449435-1-vvidic@valentin-vidic.from.hr \ --to=ocfs2-devel@oss.oracle.com \ --cc=islituo@gmail.com \ --cc=jlbec@evilplan.org \ --cc=joseph.qi@linux.alibaba.com \ --cc=linux-kernel@vger.kernel.org \ --cc=mark@fasheh.com \ --cc=sathlerds@gmail.com \ --cc=stable@vger.kernel.org \ --cc=vvidic@valentin-vidic.from.hr \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.