Recently, syzkaller reported the following issue:
BUG: kernel NULL pointer dereference, address: 0000000000000000
Call Trace:
<TASK>
mempool_alloc_noprof+0x1a7/0x510 mm/mempool.c:402
bch2_btree_update_start+0x549/0x1480 fs/bcachefs/btree_update_interior.c:1194
bch2_btree_node_rewrite+0x17e/0x1120 fs/bcachefs/btree_update_interior.c:2208
bch2_move_btree+0x6f0/0xc70 fs/bcachefs/move.c:1093
bch2_scan_old_btree_nodes+0x95/0x240 fs/bcachefs/move.c:1215
bch2_data_job+0x646/0x910 fs/bcachefs/move.c:1354
bch2_data_thread+0x8f/0x1d0 fs/bcachefs/chardev.c:315
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
This is because after commit d4d71b58e513 ("bcachefs: RO mounts now use less
memory"), read-only mounts no longer initialize btree_interior_update_pool,
which is required for processing BCH_IOCTL_DATA requests.

Since all BCH_IOCTL_DATA requests involve writing data, EROFS should be
returned in this scenario.
Reported-by: [email protected]
Closes: https://lore.kernel.org/all/[email protected]
Fixes: d4d71b58e513 ("bcachefs: RO mounts now use less memory")
Signed-off-by: Julian Sun <[email protected]>
---
fs/bcachefs/chardev.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/bcachefs/chardev.c b/fs/bcachefs/chardev.c
index fde3c2380e28..ba9859fc9f24 100644
--- a/fs/bcachefs/chardev.c
+++ b/fs/bcachefs/chardev.c
@@ -384,6 +384,9 @@ static long bch2_ioctl_data(struct bch_fs *c,
if (arg.op >= BCH_DATA_OP_NR || arg.flags)
return -EINVAL;
+ if (c->vfs_sb->s_flags & SB_RDONLY)
+ return -EROFS;
+
ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
if (!ctx)
return -ENOMEM;
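Review bot: the new check in bch2_ioctl_data dereferences `c->vfs_sb` unconditionally, and it keys off the VFS superblock flag rather than the condition the commit message actually describes, which is that the filesystem itself was brought up read-only and btree_interior_update_pool was never initialized. If a `struct bch_fs` can be reached through this chardev without a VFS superblock attached, `c->vfs_sb` is a NULL dereference of its own; and because the work is handed to a kthread (bch2_data_thread in the trace) that outlives the ioctl, an `SB_RDONLY` test at ioctl entry does not cover the filesystem going read-only afterwards. Consider testing the filesystem's own read-write state (or taking the reference that going read-only waits on) instead of `c->vfs_sb->s_flags & SB_RDONLY`, so the check is tied to whether the pool exists rather than to how the mount is currently flagged.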
--
2.39.5