From patchwork Wed Apr 18 15:49:46 2018
X-Patchwork-Submitter: Theodore Ts'o
X-Patchwork-Id: 900230
From: Theodore Ts'o
To: Ext4 Developers List
Cc: Theodore Ts'o, Jan Kara, stable@kernel.org
Subject: [PATCH] ext4: set h_journal if there is a failure starting a reserved handle
Date: Wed, 18 Apr 2018 11:49:46 -0400
Message-Id: <20180418154946.32006-1-tytso@mit.edu>
X-Mailer: git-send-email 2.16.1.72.g5be1f00a9a
X-Mailing-List: linux-ext4@vger.kernel.org

If ext4 tries to start a reserved handle via jbd2_journal_start_reserved(),
and the journal has been aborted, this can result in a NULL pointer
dereference.  This is because the fields h_journal and h_transaction in
the handle structure share the same memory, via a union, so
jbd2_journal_start_reserved() will clear h_journal before calling
start_this_handle().  If this function fails due to an aborted handle,
h_journal will still be NULL, and the call to jbd2_journal_free_reserved()
will pass a NULL journal to sub_reserve_credits().

This can be reproduced by running "kvm-xfstests -c dioread_nolock
generic/475".

Fixes: 8f7d89f36829b ("jbd2: transaction reservation support")
Signed-off-by: Theodore Ts'o
Cc: Jan Kara
Cc: stable@kernel.org # 3.11
Reviewed-by: Andreas Dilger
Reviewed-by: Jan Kara
---
 fs/jbd2/transaction.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
index ac311037d7a5..8aa453784402 100644
--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -532,6 +532,7 @@ int jbd2_journal_start_reserved(handle_t *handle, unsigned int type,
 	 */
 	ret = start_this_handle(journal, handle, GFP_NOFS);
 	if (ret < 0) {
+		handle->h_journal = journal;
 		jbd2_journal_free_reserved(handle);
 		return ret;
 	}
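Review bot: the added `handle->h_journal = journal;` inside the `if (ret < 0)` block needs a comment explaining why it is there; read on its own, assigning a journal pointer that the commit message says was cleared just before the start_this_handle() call looks redundant, and the actual reason (h_journal and h_transaction share a union, so clearing h_journal for start_this_handle() also leaves the journal pointer NULL for jbd2_journal_free_reserved()) lives only in the commit message. Something like `/* h_journal aliases h_transaction; restore it so jbd2_journal_free_reserved() can find the journal */` directly above the assignment would do. It is also worth stating, in the comment or the message, that every failure return of start_this_handle() on this path leaves the union NULL, since otherwise the assignment would overwrite a transaction pointer the handle still holds.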
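As an added illustration, not part of the patch or of the kernel source, the following C model reproduces the union-aliasing failure the commit message describes, with the one-line fix switchable so the pre-patch and post-patch paths can be compared side by side. The struct layouts, the `j_aborted` flag, the credit counts, and the helper names `free_reserved()`, `start_reserved()`, `scenario()`, `scenario_ret()` and `scenario_credits()` are constructed for this model and are not jbd2's definitions; where the kernel would oops on the NULL journal, the model's `free_reserved()` returns -EFAULT instead.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the jbd2 objects named in the commit message, not the
 * kernel's definitions: only the fields the bug needs are present. */
struct journal {
	int j_aborted;          /* constructed stand-in for the aborted-journal state */
	int j_reserved_credits; /* credits currently held by reserved handles */
};

struct transaction {
	struct journal *t_journal;
};

struct handle {
	union {
		struct transaction *h_transaction; /* valid once attached to a transaction */
		struct journal *h_journal;         /* valid while the handle is only reserved */
	};
	int h_total_credits;
};

/* Model of start_this_handle(): refuses to attach to an aborted journal and,
 * like the failure the commit message describes, writes nothing into the
 * handle on that path, so the union keeps whatever the caller left there. */
static int start_this_handle(struct journal *journal, struct handle *handle,
			     struct transaction *running)
{
	if (journal->j_aborted)
		return -EROFS;
	handle->h_transaction = running;
	return 0;
}

/* Model of jbd2_journal_free_reserved(): it reaches the journal only through
 * h_journal.  The kernel would dereference a NULL journal here; the model
 * reports -EFAULT instead so the two code paths can be compared. */
static int free_reserved(struct handle *handle)
{
	struct journal *journal = handle->h_journal;

	if (journal == NULL)
		return -EFAULT;
	journal->j_reserved_credits -= handle->h_total_credits;
	handle->h_journal = NULL;
	return 0;
}

/* Model of jbd2_journal_start_reserved().  fixed == 0 is the pre-patch path,
 * fixed != 0 adds the patch's one-line restore of h_journal. */
static int start_reserved(struct handle *handle, struct transaction *running,
			  int fixed)
{
	struct journal *journal = handle->h_journal;
	int ret;

	handle->h_journal = NULL; /* also clears h_transaction: same storage */
	ret = start_this_handle(journal, handle, running);
	if (ret < 0) {
		if (fixed)
			handle->h_journal = journal; /* the patch's restore */
		if (free_reserved(handle) == -EFAULT)
			return -EFAULT; /* modeled NULL pointer dereference */
		return ret;
	}
	return 0;
}

/* One run: a journal holding 10 reserved credits, a handle reserving 4
 * of them (constructed numbers). */
static int scenario(int aborted, int fixed, int *credits_left)
{
	struct journal journal = { .j_aborted = aborted, .j_reserved_credits = 10 };
	struct transaction running = { .t_journal = &journal };
	struct handle handle = { .h_journal = &journal, .h_total_credits = 4 };
	int ret = start_reserved(&handle, &running, fixed);

	*credits_left = journal.j_reserved_credits;
	return ret;
}

/* Return code of a scenario: 0, -EROFS, or -EFAULT for the modeled oops. */
static int scenario_ret(int aborted, int fixed)
{
	int left;
	return scenario(aborted, fixed, &left);
}

/* Reserved credits left on the journal after a scenario; the buggy path
 * never reaches the subtraction, the fixed path releases the 4 credits. */
static int scenario_credits(int aborted, int fixed)
{
	int left;
	scenario(aborted, fixed, &left);
	return left;
}

int main(void)
{
	printf("healthy journal, fixed: ret=%d credits=%d\n",
	       scenario_ret(0, 1), scenario_credits(0, 1));
	printf("aborted journal, buggy: ret=%d credits=%d\n",
	       scenario_ret(1, 0), scenario_credits(1, 0));
	printf("aborted journal, fixed: ret=%d credits=%d\n",
	       scenario_ret(1, 1), scenario_credits(1, 1));
	return 0;
}
```

The point the model makes is that a union is only safe when every path knows which member is live: clearing h_journal so that start_this_handle() can store h_transaction is fine on success, but any early return between the clear and the store leaves neither member valid, and the cleanup routine that assumes h_journal is still there walks straight into NULL. The fix restores the invariant on the failure path rather than changing the cleanup routine's assumption.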