On Tue, Aug 04, 2020 at 03:25:46PM +0800, Qu Wenruo wrote: > This is an attempt to remove the inode_need_compress() call in > compress_file_extent(). > > As that compress_file_extent() can race with inode ioctl or bad > compression ratio, to cause NULL pointer dereferecen for @pages, it's > nature to try to remove that inode_need_compress() to remove the race > completely. > > However that's not that easy, we have the following problems: > > - We still need to check @pages anyway > That @pages check is for kcalloc() failure, so what we really get is > just removing one indent from the if (inode_need_compress()). > Everything else is still the same (in fact, even worse, see below > problems) > > - Behavior change > Before that change, every async_chunk does their check on > INODE_NO_COMPRESS flags. > If we hit any bad compression ratio, all incoming async_chunk will > fall back to plain text write. > > But if we remove that inode_need_compress() check, then we still try > to compress, and lead to potentially wasted CPU times. > > - Still race between compression disable and NULL pointer dereferecen > There is a hidden race, mostly exposed by btrfs/071 test case, that we > have "compress_type = fs_info->compress_type", so we can still hit case > where that compress_type is NONE (caused by remount -o nocompress), and > then btrfs_compress_pages() will return -E2BIG, without modifying > @nr_pages > > Then later when we cleanup @pages, we try to access pages[i]->mapping, > triggering NULL pointer dereference. > > This will be address in the first patch though. > > Changelog: > v2: > - Fix a bad commit merge > Which merges the commit message for the first patch, though the content is > still correct. > > Qu Wenruo (2): > btrfs: prevent NULL pointer dereference in compress_file_range() when > btrfs_compress_pages() hits default case
Patch 1 added to misc-next, due to this bug report https://bugzilla.kernel.org/show_bug.cgi?id=212331
