gfs2: prevent NULL pointer dereference during unmount

When flushing out outstanding glock work during an unmount, gfs2_log_flush()
can be called when sdp->sd_jdesc has already been deallocated and sdp->sd_jdesc
is NULL.  Commit 35264909e9d1 ("gfs2: Fix NULL pointer dereference in
gfs2_log_flush") added a check for that to gfs2_log_flush() itself, but it
missed the sdp->sd_jdesc dereference in gfs2_log_release().  Fix that.

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202604071139.HNJiCaAi-lkp@intel.com/
Fixes: 35264909e9d1 ("gfs2: Fix NULL pointer dereference in gfs2_log_flush")
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>

diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c
index 3a01d4e7667a1054757f1529fe471fe7159ac8ec..78bba8cc10b8fd6de0c6d4a9cc984dc3022175e6 100644 (file)
--- a/fs/gfs2/log.c
+++ b/fs/gfs2/log.c
@@ -467,8 +467,9 @@ void gfs2_log_release(struct gfs2_sbd *sdp, unsigned int blks)
 {
        atomic_add(blks, &sdp->sd_log_blks_free);
        trace_gfs2_log_blocks(sdp, blks);
-       gfs2_assert_withdraw(sdp, atomic_read(&sdp->sd_log_blks_free) <=
-                                 sdp->sd_jdesc->jd_blocks);
+       gfs2_assert_withdraw(sdp, !sdp->sd_jdesc ||
+                       atomic_read(&sdp->sd_log_blks_free) <=
+                       sdp->sd_jdesc->jd_blocks);
        if (atomic_read(&sdp->sd_log_blks_needed))
                wake_up(&sdp->sd_log_waitq);
 }