From: Qu Wenruo <wqu@suse.com>
To: linux-btrfs@vger.kernel.org
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Subject: [PATCH] btrfs: Fix possible NULL pointer dereference in btrfs selftest
Date: Fri, 22 Feb 2019 08:53:50 +0800
Message-ID: <20190222005350.7535-1-wqu@suse.com>

When CONFIG_BTRFS_FS_RUN_SANITY_TESTS is enabled, btrfs will run
selftest at module load time.

During selftest, we allocate extent buffer using
alloc_test_extent_buffer(), instead of alloc_test_extent_buffer().

The problem is, unlike alloc_extent_buffer(),
alloc_test_extent_buffer() can return a NULL pointer instead of an error
pointer, and callers all expect an error pointer rather than a NULL pointer.
So this could lead to a NULL pointer dereference during selftest.

Fix it by returning an error pointer in alloc_test_extent_buffer().

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
---
fs/btrfs/extent_io.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index 52abe4082680..a7db78f49fdb 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -4862,12 +4862,14 @@ struct extent_buffer *alloc_test_extent_buffer(struct btrfs_fs_info *fs_info,
return eb;
eb = alloc_dummy_extent_buffer(fs_info, start);
if (!eb)
- return NULL;
+ return ERR_PTR(-ENOMEM);
eb->fs_info = fs_info;
again:
ret = radix_tree_preload(GFP_NOFS);
- if (ret)
- goto free_eb;
+ if (ret) {
+ btrfs_release_extent_buffer(eb);
+ return ERR_PTR(ret);
+ }
spin_lock(&fs_info->buffer_lock);
ret = radix_tree_insert(&fs_info->buffer_radix,
start >> PAGE_SHIFT, eb);
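
Review bot: The return contract changes in this hunk from NULL-on-failure to ERR_PTR(-ENOMEM) for the !eb case and ERR_PTR(ret) for the radix_tree_preload() failure, but nothing documents it. A short comment above alloc_test_extent_buffer() stating that it returns an error pointer and never NULL would tell callers to test the result with IS_ERR() rather than a NULL check, which is the mismatch the changelog describes. The changelog also names alloc_test_extent_buffer() on both sides of "instead of"; one of the two was presumably meant to be alloc_extent_buffer(), as in the sentence that follows it.
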
@@ -4875,18 +4877,16 @@ struct extent_buffer *alloc_test_extent_buffer(struct btrfs_fs_info *fs_info,
radix_tree_preload_end();
if (ret == -EEXIST) {
exists = find_extent_buffer(fs_info, start);
- if (exists)
- goto free_eb;
- else
- goto again;
+ if (exists) {
+ btrfs_release_extent_buffer(eb);
+ return exists;
+ }
+ goto again;
}
check_buffer_tree_ref(eb);
set_bit(EXTENT_BUFFER_IN_TREE, &eb->bflags);
return eb;
-free_eb:
- btrfs_release_extent_buffer(eb);
- return exists;
}
#endif
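
Review bot: After radix_tree_insert(), only ret == -EEXIST is handled in the lines shown, so any other non-zero ret falls through to check_buffer_tree_ref(eb) and set_bit(EXTENT_BUFFER_IN_TREE, &eb->bflags) and returns eb as if the insert had succeeded. Since the patch makes the other failure returns explicit, either add a comment saying that the preceding radix_tree_preload() rules out other errors at this point, or release eb and return ERR_PTR(ret) for them. The new "return exists;" sits inside "if (exists)", so this path cannot hand a NULL pointer to callers, which is consistent with the stated goal.
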
--
2.20.1