[PATCH] ocfs2: fix NULL deref in ocfs2_wait_for_recovery after recovery_exit

Next message: Jakub Kicinski: "Re: [PATCH net-next v7 04/10] enic: add admin CQ service with MSI-X interrupt and NAPI polling"
Previous message: Christian Fontanez: "[PATCH] virtio: add missing kernel-doc for map and vmap members"
Next in thread: Jiakai Xu: "Re: [PATCH] ocfs2: fix NULL deref in ocfs2_wait_for_recovery after recovery_exit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jiakai Xu

Date: Mon May 18 2026 - 21:36:59 EST

In ocfs2_recovery_exit(), the recovery_map is freed via kfree() but
osb->recovery_map is not set to NULL afterward. If ocfs2_wait_for_recovery()
is called subsequently (e.g. during inode eviction in the dismount path or
via a racing stat() syscall), ocfs2_recovery_completed() dereferences the
stale pointer, leading to a NULL pointer dereference at rm->rm_used.

Fix this by:
1. Setting osb->recovery_map = NULL after kfree() in ocfs2_recovery_exit()
2. Adding a NULL guard in ocfs2_recovery_completed() so that it safely
returns "recovery completed" when the map has been freed

Fixes: 553abd046af6 ("ocfs2: Change the recovery map to an array of node numbers.")
Signed-off-by: Jiakai Xu <xujiakai24@xxxxxxxxxxxxxxxx>
---
fs/ocfs2/journal.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/fs/ocfs2/journal.c b/fs/ocfs2/journal.c
index f9bf3bac085d..5529a177f90e 100644
--- a/fs/ocfs2/journal.c
+++ b/fs/ocfs2/journal.c
@@ -243,6 +243,7 @@ void ocfs2_recovery_exit(struct ocfs2_super *osb)
/* XXX: Should we bug if there are dirty entries? */

kfree(rm);
+ osb->recovery_map = NULL;
}

static int __ocfs2_recovery_map_test(struct ocfs2_super *osb,
@@ -1225,6 +1226,9 @@ static int ocfs2_recovery_completed(struct ocfs2_super *osb)
int empty;
struct ocfs2_recovery_map *rm = osb->recovery_map;

+ if (!rm)
+ return 1;
+
spin_lock(&osb->osb_lock);
empty = (rm->rm_used == 0);
spin_unlock(&osb->osb_lock);
--
2.34.1