Found by cppcheck. 1. In btrfsic_process_superblock() @ check-integrity.c: null check at line 640 after dereference at line 632 2. In btrfs_destroy_dev_replace_tgtdev() @ volumes.c: null check at line 2310 after dereference at line 2308 3. __readahead_hook() at reada.c passes potentially null argument eb (according to the function doc) to these functions, which dereference eb: btrfs_header_generation(), btrfs_header_nritems(), btrfs_header_level(). btrfs_header_* are defined in ctree.h through BTRFS_SETGET_HEADER_FUNCS. reada_start_machine_dev() actually calls __readahead_hook() with eb = NULL.
Case Number 1 cannot happen as the only caller of btrfsic_process_superblock() is btrfsic_mount() and it allocates 'state' before calling btrfsic_process_superblock() and does proper error handling. Therefore we can a) remove the BUG_ON(NULL == state) completely and we can remove the local fs_info variable as well. I have patches doing both and will submit them soon. For case number 2, it is also impossible to pass a NULL tgtdev into btrfs_destroy_dev_replace_tgtdev(), so the NULL pointer check is superfluous. I do also have a patch in the queue to remove this check. For case number 3, this is also a false positive as we're never calling any of the btrfs_header_XXX() functions with a NULL extent_buffer. In all cases where eb could be NULL we're also setting the 'err' variable and __readahead_hook() has the following hunk in the beginning of the function: > /* > * this is the error case, the extent buffer has not been > * read correctly. We won't access anything from it and > * just cleanup our data structures. Effectively this will > * cut the branch below this node from read ahead. > */ > if (err) > goto cleanup; The patches silencing the static checkers for cases 1 and 2 can be found in: https://git.kernel.org/pub/scm/linux/kernel/git/jth/linux.git/log/?h=btrfs-misc-fixes
Patches added to misc-next, thanks.