Found by cppcheck.
In btrfsic_process_superblock() @ check-integrity.c:
null check at line 640 after dereference at line 632
In btrfs_destroy_dev_replace_tgtdev() @ volumes.c:
null check at line 2310 after dereference at line 2308
__readahead_hook() at reada.c passes potentially null argument eb (according to
the function doc) to these functions, which dereference eb:
btrfs_header_* are defined in ctree.h through BTRFS_SETGET_HEADER_FUNCS.
reada_start_machine_dev() actually calls __readahead_hook() with eb = NULL.
Case number 1 cannot happen as the only caller of btrfsic_process_superblock() is btrfsic_mount() and it allocates 'state' before calling btrfsic_process_superblock() and does proper error handling.
Therefore we can a) remove the BUG_ON(NULL == state) completely and b) remove the local fs_info variable as well. I have patches doing both and will submit them soon.
For case number 2, it is also impossible to pass a NULL tgtdev into btrfs_destroy_dev_replace_tgtdev(), so the NULL pointer check is superfluous. I do also have a patch in the queue to remove this check.
For case number 3, this is also a false positive as we're never calling any of the btrfs_header_XXX() functions with a NULL extent_buffer. In all cases where eb could be NULL we're also setting the 'err' variable and __readahead_hook() has the following hunk in the beginning of the function:
>     /*
>      * this is the error case, the extent buffer has not been
>      * read correctly. We won't access anything from it and
>      * just cleanup our data structures. Effectively this will
>      * cut the branch below this node from read ahead.
>      */
>     if (err)
>         goto cleanup;
The patches silencing the static checkers for cases 1 and 2 can be found in:
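The invariant behind case 3, as an added example that is not code from the btrfs tree or from this thread: a reduced model of __readahead_hook() in which eb may only be NULL when err is set, so the early "if (err) goto cleanup;" keeps the unconditional header accessor from ever seeing a NULL buffer. The struct layout and the function names are assumed for illustration.

```c
#include <stddef.h>

/* Assumed, reduced stand-in for the btrfs extent_buffer: only the header
 * level matters for this example. */
struct extent_buffer {
    int level;
};

/* Stands in for a BTRFS_SETGET_HEADER_FUNCS accessor: it dereferences eb
 * unconditionally, so it must never be reached with eb == NULL. */
static int header_level(const struct extent_buffer *eb)
{
    return eb->level;
}

/* Reduced model of __readahead_hook(): err != 0 means the read failed and
 * eb may be NULL; err == 0 means eb was read and is valid. Returns the
 * header level on success, -1 when the cleanup path was taken. */
int readahead_hook(struct extent_buffer *eb, int err)
{
    int level = -1;

    /* the error case: the extent buffer has not been read correctly, so
     * don't access anything from it and just clean up our structures */
    if (err)
        goto cleanup;

    level = header_level(eb);   /* only reached when eb is non-NULL */
    return level;

cleanup:
    /* release per-node read-ahead state here; nothing touches eb */
    return level;
}

/* Exercises both paths with constructed input: a block read at level 2,
 * then a failed read with eb == NULL and err set. Returns 1 when the
 * valid block is hooked and the NULL buffer takes the cleanup path. */
int readahead_hook_selfcheck(void)
{
    struct extent_buffer good = {2};

    return readahead_hook(&good, 0) == 2 &&
           readahead_hook(NULL, -5) == -1;
}
```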
Patches added to misc-next, thanks.