Btrfs: fix invalid dereference in btrfs_retry_endio

When doing directIO repair, we have this oops: [ 1458.532816] general protection fault: 0000 [#1] SMP ... [ 1458.536291] Workqueue: btrfs-endio-repair btrfs_endio_repair_helper [btrfs] [ 1458.536893] task: ffff88082a42d100 task.stack: ffffc90002b3c000 [ 1458.537499] RIP: 0010:btrfs_retry_endio+0x7e/0x1a0 [btrfs] ... [ 1458.543261] Call Trace: [ 1458.543958] ? rcu_read_lock_sched_held+0xc4/0xd0 [ 1458.544374] bio_endio+0xed/0x100 [ 1458.544750] end_workqueue_fn+0x3c/0x40 [btrfs] [ 1458.545257] normal_work_helper+0x9f/0x900 [btrfs] [ 1458.545762] btrfs_endio_repair_helper+0x12/0x20 [btrfs] [ 1458.546224] process_one_work+0x34d/0xb70 [ 1458.546570] ? process_one_work+0x29e/0xb70 [ 1458.546938] worker_thread+0x1cf/0x960 [ 1458.547263] ? process_one_work+0xb70/0xb70 [ 1458.547624] kthread+0x17d/0x180 [ 1458.547909] ? kthread_create_on_node+0x70/0x70 [ 1458.548300] ret_from_fork+0x31/0x40 It turns out that btrfs_retry_endio is trying to get inode from a directIO page. This fixes the problem by using the saved inode pointer, done->inode. btrfs_retry_endio_nocsum has the same problem, and it's fixed as well. Also cleanup unused @start (which is too trivial for a separate patch). Cc: David Sterba <dsterba@suse.cz> Signed-off-by: Liu Bo <bo.li.liu@oracle.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com>
author: Liu Bo <bo.li.liu@oracle.com> 2017-04-05 17:04:19 -0400
committer: David Sterba <dsterba@suse.com> 2017-04-11 12:49:08 -0400
commit: 2e949b0a5592664f8b3eb3e2e48213f514892561 (patch)
tree: 1c43f7ca722cb55cca12418e618cf56bbabf3209
parent: 951e7966398b0fd6bacebec2d87ffd61c3f68b18 (diff)
1 files changed, 4 insertions, 10 deletions
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 876f1d36030c..388c6ce069de 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -7910,7 +7910,6 @@ struct btrfs_retry_complete {
 static void btrfs_retry_endio_nocsum(struct bio *bio)
 {
        struct btrfs_retry_complete *done = bio->bi_private;
-        struct inode *inode;
        struct bio_vec *bvec;
        int i;
@@ -7918,12 +7917,12 @@ static void btrfs_retry_endio_nocsum(struct bio *bio)
                goto end;
        ASSERT(bio->bi_vcnt == 1);
-        inode = bio->bi_io_vec->bv_page->mapping->host;
+        ASSERT(bio->bi_io_vec->bv_len == btrfs_inode_sectorsize(done->inode));
-        ASSERT(bio->bi_io_vec->bv_len == btrfs_inode_sectorsize(inode));
        done->uptodate = 1;
        bio_for_each_segment_all(bvec, bio, i)
-        clean_io_failure(BTRFS_I(done->inode), done->start, bvec->bv_page, 0);
+                clean_io_failure(BTRFS_I(done->inode), done->start,
+                                 bvec->bv_page, 0);
 end:
        complete(&done->done);
        bio_put(bio);
@@ -7986,9 +7985,7 @@ static void btrfs_retry_endio(struct bio *bio)
 {
        struct btrfs_retry_complete *done = bio->bi_private;
        struct btrfs_io_bio *io_bio = btrfs_io_bio(bio);
-        struct inode *inode;
        struct bio_vec *bvec;
-        u64 start;
        int uptodate;
        int ret;
        int i;
@@ -7998,11 +7995,8 @@ static void btrfs_retry_endio(struct bio *bio)
        uptodate = 1;
-        start = done->start;
        ASSERT(bio->bi_vcnt == 1);
-        inode = bio->bi_io_vec->bv_page->mapping->host;
+        ASSERT(bio->bi_io_vec->bv_len == btrfs_inode_sectorsize(done->inode));
-        ASSERT(bio->bi_io_vec->bv_len == btrfs_inode_sectorsize(inode));
        bio_for_each_segment_all(bvec, bio, i) {
                ret = __readpage_endio_check(done->inode, io_bio, i,
author	Liu Bo <bo.li.liu@oracle.com>	2017-04-05 17:04:19 -0400
committer	David Sterba <dsterba@suse.com>	2017-04-11 12:49:08 -0400
commit	2e949b0a5592664f8b3eb3e2e48213f514892561 (patch)
tree	1c43f7ca722cb55cca12418e618cf56bbabf3209
parent	951e7966398b0fd6bacebec2d87ffd61c3f68b18 (diff)