From: Dan Carpenter <dan.carpenter@oracle.com>
To: Theodore Ts'o <tytso@mit.edu>
Cc: Andreas Dilger <adilger.kernel@dilger.ca>,
linux-ext4@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] ext4: potential NULL dereference on error
Date: Sun, 13 May 2012 14:41:04 +0000
Message-ID: <20120513144104.GA21998@elgon.mountain>

The ext4_get_group_desc() function returns NULL on error, and
ext4_free_inodes_count() function dereferences it without checking.
There is a check on the next line, but it's too late.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Static checker fix.
diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
index a044a9b..1526f33 100644
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -389,7 +389,7 @@ static int find_group_orlov(struct super_block *sb, struct inode *parent,
struct ext4_sb_info *sbi = EXT4_SB(sb);
ext4_group_t real_ngroups = ext4_get_groups_count(sb);
int inodes_per_group = EXT4_INODES_PER_GROUP(sb);
- unsigned int freei, avefreei, grp_free;
+ unsigned int freei, avefreei;
ext4_fsblk_t freeb, avefreec;
unsigned int ndirs;
int max_dirs, min_inodes;
@@ -399,6 +399,7 @@ static int find_group_orlov(struct super_block *sb, struct inode *parent,
struct orlov_stats stats;
int flex_size = ext4_flex_bg_size(sbi);
struct dx_hash_info hinfo;
+ unsigned int grp_free = 0;
ngroups = real_ngroups;
if (flex_size > 1) {
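Review bot: The `= 0` initializer on the relocated `grp_free` declaration is only needed because the assignment in the fallback loop becomes conditional, and nothing here says so. Either add a short comment to that effect, or restructure the loop so `grp_free` is always assigned before it is read; the latter would let the declaration stay on its original line and remove the need for both declaration hunks.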
@@ -508,7 +509,8 @@ fallback_retry:
for (i = 0; i < ngroups; i++) {
grp = (parent_group + i) % ngroups;
desc = ext4_get_group_desc(sb, grp, NULL);
- grp_free = ext4_free_inodes_count(sb, desc);
+ if (desc)
+ grp_free = ext4_free_inodes_count(sb, desc);
if (desc && grp_free && grp_free >= avefreei) {
*group = grp;
return 0;
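Review bot: On the NULL path through the new `if (desc)` guard, `grp_free` keeps whatever the previous loop iteration stored (or the initial 0), and `desc` is then tested a second time in the following condition. The result is still correct because that condition checks `desc` first, but nesting the comparison inside a single `if (desc) { ... }` block would test the pointer once and make it plain that a stale count is never compared against `avefreei`.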