| Message ID | 20200929123357.930605-1-yebin10@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Series | [-next] btrfs: Fix wild pointer reference in btrfs_set_buffer_lockdep_class |
On Tue, Sep 29, 2020 at 08:33:57PM +0800, Ye Bin wrote:
> 'ks' is pointer type, but not initialized, so ks->keys will reference
> wild pointer.

> -	struct btrfs_lockdep_keyset *ks;
> +	struct btrfs_lockdep_keyset *ks = btrfs_lockdep_keysets;
>
>  	BUG_ON(level >= ARRAY_SIZE(ks->keys));

ARRAY_SIZE does not dereference the pointer, it uses only the type
information, in this case 'struct btrfs_lockdep_keyset::keys'.
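To make the reviewer's point checkable, here is a reduced stand-alone model of the keyset lookup. It is an added example, not code from the kernel or from this patch: the struct layout, the `BTRFS_MAX_LEVEL` value, the table contents and the `lookup_keyset_name` helper are constructed for illustration. It shows that `ARRAY_SIZE(ks->keys)` is a compile-time constant taken from the member's type and never reads through `ks`, even when `ks` is deliberately left NULL.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Same definition as the kernel's ARRAY_SIZE, minus the must-be-array check. */
#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))

#define BTRFS_MAX_LEVEL 8   /* constructed value for this example */

/* Constructed stand-in for the real struct btrfs_lockdep_keyset. */
struct btrfs_lockdep_keyset {
	uint64_t id;                    /* root objectid; 0 marks the default entry */
	const char *name;
	int keys[BTRFS_MAX_LEVEL];      /* one lockdep key slot per tree level */
};

/* Constructed table; as in the kernel, the id 0 entry terminates the scan. */
static struct btrfs_lockdep_keyset btrfs_lockdep_keysets[] = {
	{ .id = 1, .name = "root" },
	{ .id = 2, .name = "extent" },
	{ .id = 0, .name = "default" },
};

/*
 * sizeof does not evaluate its operand unless it is a variable-length array
 * (C11 6.5.3.4p2), so ks->keys inside ARRAY_SIZE is never a memory access.
 * ks is set to NULL here on purpose: a real dereference would crash.
 */
size_t keys_per_keyset(void)
{
	struct btrfs_lockdep_keyset *ks = NULL;
	return ARRAY_SIZE(ks->keys);
}

/* The lookup in the shape the patch leaves it: initialised at declaration,
 * then walked until the id 0 default entry or a matching objectid. */
const char *lookup_keyset_name(uint64_t objectid)
{
	struct btrfs_lockdep_keyset *ks = btrfs_lockdep_keysets;

	for (; ks->id; ks++)
		if (ks->id == objectid)
			break;
	return ks->name;
}

int main(void)
{
	/* Both calls succeed; the first one despite ks being NULL. */
	return keys_per_keyset() == BTRFS_MAX_LEVEL &&
	       strcmp(lookup_keyset_name(2), "extent") == 0 ? 0 : 1;
}
```

Compiling with warnings enabled produces no diagnostic for `keys_per_keyset`, and running it does not fault, which is exactly the reviewer's argument: the original uninitialised declaration was harmless at the `BUG_ON`, because the first real dereference only happens in the loop after `ks` is assigned.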
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c index 177da507dc2a..7068d006d43f 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c @@ -189,12 +189,12 @@ void __init btrfs_init_lockdep(void) void btrfs_set_buffer_lockdep_class(u64 objectid, struct extent_buffer *eb, int level) { - struct btrfs_lockdep_keyset *ks; + struct btrfs_lockdep_keyset *ks = btrfs_lockdep_keysets; BUG_ON(level >= ARRAY_SIZE(ks->keys)); /* find the matching keyset, id 0 is the default entry */ - for (ks = btrfs_lockdep_keysets; ks->id; ks++) + for (; ks->id; ks++) if (ks->id == objectid) break;
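Review bot: the justification for this hunk does not hold: the only use of `ks` before the loop assigns it is `BUG_ON(level >= ARRAY_SIZE(ks->keys))`, and ARRAY_SIZE expands to sizeof on the type of the `keys` member, which never evaluates the pointer, so the original code contained no wild-pointer read. The diff is behaviour-neutral either way; if it is kept it should be described as a cleanup that hoists the initializer out of the `for` clause rather than as a fix, and since `for (; ks->id; ks++)` with an empty init clause reads less clearly than `for (ks = btrfs_lockdep_keysets; ks->id; ks++)`, dropping the patch is the simpler option.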
'ks' is pointer type, but not initialized, so ks->keys will reference
wild pointer.

Signed-off-by: Ye Bin <yebin10@huawei.com>
---
 fs/btrfs/disk-io.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)