    btrfs: fix null pointer deref when target device is missing · acf18c56
    Anand Jain authored
    The replace target device can be missing when mounted with -o degraded,
    but we won't allocate a missing btrfs_device to it. So check the device
    before accessing.
    
    BUG: unable to handle kernel NULL pointer dereference at 00000000000000b0
    IP: btrfs_destroy_dev_replace_tgtdev+0x43/0xf0 [btrfs]
    Call Trace:
    btrfs_dev_replace_cancel+0x15f/0x180 [btrfs]
    btrfs_ioctl+0x2216/0x2590 [btrfs]
    do_vfs_ioctl+0x625/0x650
    SyS_ioctl+0x4e/0x80
    do_syscall_64+0x5d/0x160
    entry_SYSCALL64_slow_path+0x25/0x25
    
    This patch has been moved in front of patch "btrfs: log, when replace,
    is canceled by the user" that could reproduce the crash if the system
    reboots inside btrfs_dev_replace_start before the
    btrfs_dev_replace_finishing call.
    
     $ mkfs /dev/sda
     $ mount /dev/sda mnt
     $ btrfs replace start /dev/sda /dev/sdb
     <insert reboot>
     $ mount -o degraded /dev/sdb mnt
     <crash>
    Signed-off-by: Anand Jain <anand.jain@oracle.com>
    [ added reproducer description from mail ]
    Signed-off-by: David Sterba <dsterba@suse.com>
dev-replace.c 29.2 KB