From: Li Ruilin <liruilin4@huawei.com>

euleros/rtos inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4LOJ6
CVE: NA

--------------------------------
commit 6947676c374 ("bcache: add a framework to perform prefetch") collects data insert info, which includes device info taken from the bio. However, the bio created by write_moving here has no device info, causing a null pointer dereference.
[ 1497.991768] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[ 1497.991869] PGD 0 P4D 0
[ 1497.991912] Oops: 0000 [#1] SMP PTI
[ 1497.991962] CPU: 2 PID: 733 Comm: kworker/2:3 Not tainted 4.19.90+ #33
[ 1497.992030] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 1497.992137] Workqueue: bcache_gc write_moving [bcache]
[ 1497.992219] RIP: 0010:bch_data_insert+0x4c/0x140 [bcache]
...
[ 1497.993367] Call Trace:
[ 1497.993427]  ? cached_dev_read_error+0x140/0x140 [bcache]
[ 1497.993526]  write_moving+0x19e/0x1b0 [bcache]
[ 1497.993621]  process_one_work+0x1fd/0x440
[ 1497.993742]  worker_thread+0x34/0x410
[ 1497.993811]  kthread+0x121/0x140
[ 1497.993873]  ? process_one_work+0x440/0x440
[ 1497.993946]  ? kthread_create_worker_on_cpu+0x70/0x70
[ 1497.994043]  ret_from_fork+0x35/0x40
Signed-off-by: Li Ruilin <liruilin4@huawei.com>
Review-by: Song Chao <chao.song@huawei.com>
Review-by: Xu Wei <xuwei56@huawei.com>
Signed-off-by: Li Ruilin <liruilin4@huawei.com>
Acked-by: Xie XiuQi <xiexiuqi@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com>
Reviewed-by: Guangxing Deng <dengguangxing@huawei.com>
Reviewed-by: chao song <chao.song@huawei.com>
Reviewed-by: chao song <chao.song@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
---
 drivers/md/bcache/request.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c index bad70906e8a2..66605e7dcc42 100644 --- a/drivers/md/bcache/request.c +++ b/drivers/md/bcache/request.c @@ -315,12 +315,14 @@ void bch_data_insert(struct closure *cl) trace_bcache_write(op->c, op->inode, op->bio, op->writeback, op->bypass);
- msg.offset = op->bio->bi_iter.bi_sector; - msg.length = op->bio->bi_iter.bi_size; - msg.type = ACACHE_INFO_CACHE_INSERT; - msg.dev = bio_dev(op->bio); - msg.start_time = ktime_get_ns(); - save_circ_item(&msg); + if (op->bio->bi_disk) { + msg.offset = op->bio->bi_iter.bi_sector; + msg.length = op->bio->bi_iter.bi_size; + msg.type = ACACHE_INFO_CACHE_INSERT; + msg.dev = bio_dev(op->bio); + msg.start_time = ktime_get_ns(); + save_circ_item(&msg); + }
bch_keylist_init(&op->insert_keys); bio_get(op->bio);
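Review bot: The new `if (op->bio->bi_disk)` guard in bch_data_insert() deserves a comment, since nothing in the hunk says why a bio reaching this point may have no disk; a reader of request.c later will not know this is the moving-GC path (write_moving) described in the changelog. Suggest a line above the check such as `/* bios from moving GC (write_moving) carry no bi_disk; skip the acache record */` so the condition is not mistaken for dead defensive code. Also worth stating in the changelog or comment that the only field actually requiring bi_disk is `msg.dev = bio_dev(op->bio)`; `msg.offset` and `msg.length` come from bi_iter and are valid for these bios, so if the prefetch framework would benefit from seeing moving-GC inserts, an alternative is to record the entry with a sentinel dev value rather than dropping it entirely. The chosen approach (skip the whole record) is fine for a bugfix backport, but the trade-off should be spelled out.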