Bug 205003
Summary: | possible null pointer dereferences | ||
---|---|---|---|
Product: | File System | Reporter: | p (pkoroau+bz) |
Component: | btrfs | Assignee: | BTRFS virtual assignee (fs_btrfs) |
Status: | RESOLVED CODE_FIX | ||
Severity: | normal | CC: | dsterba, jth |
Priority: | P1 | ||
Hardware: | All | ||
OS: | Linux | ||
Kernel Version: | 5.4, 4.19 | Subsystem: | |
Regression: | No | Bisected commit-id: |
Description
p
2019-09-26 06:39:11 UTC
Case Number 1 cannot happen as the only caller of btrfsic_process_superblock() is btrfsic_mount() and it allocates 'state' before calling btrfsic_process_superblock() and does proper error handling. Therefore we can a) remove the BUG_ON(NULL == state) completely and we can remove the local fs_info variable as well. I have patches doing both and will submit them soon. For case number 2, it is also impossible to pass a NULL tgtdev into btrfs_destroy_dev_replace_tgtdev(), so the NULL pointer check is superfluous. I do also have a patch in the queue to remove this check. For case number 3, this is also a false positive as we're never calling any of the btrfs_header_XXX() functions with a NULL extent_buffer. In all cases where eb could be NULL we're also setting the 'err' variable and __readahead_hook() has the following hunk in the beginning of the function: > /* > * this is the error case, the extent buffer has not been > * read correctly. We won't access anything from it and > * just cleanup our data structures. Effectively this will > * cut the branch below this node from read ahead. > */ > if (err) > goto cleanup; The patches silencing the static checkers for cases 1 and 2 can be found in: https://git.kernel.org/pub/scm/linux/kernel/git/jth/linux.git/log/?h=btrfs-misc-fixes Patches added to misc-next, thanks. |