From patchwork Sat Jan 19 15:27:45 2013
X-Patchwork-Submitter: Cong Ding
X-Patchwork-Id: 2006821
From: Cong Ding
To: Chris Mason, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Cong Ding
Subject: [PATCH] btrfs: fix potential null pointer dereference bug
Date: Sat, 19 Jan 2013 16:27:45 +0100
Message-Id: <1358609265-347-1-git-send-email-dinggnu@gmail.com>
X-Mailer: git-send-email 1.7.10.4
X-Mailing-List: linux-btrfs@vger.kernel.org

The bug happens when rb_node == NULL. It causes variable node to be NULL, and then the NULL pointer is dereferenced in this line:

    BUG_ON((struct btrfs_root *)node->data != root);

Based on my analysis, function tree_search should not return NULL to variable rb_node in this case (otherwise something unknown has to be wrong), so I replace "if (rb_node)" with BUG_ON(!rb_node).

Signed-off-by: Cong Ding
---
 fs/btrfs/relocation.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
index 17c306b..d674671 100644
--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -1263,10 +1263,11 @@ static int __update_reloc_root(struct btrfs_root *root, int del) spin_lock(&rc->reloc_root_tree.lock); rb_node = tree_search(&rc->reloc_root_tree.rb_root, root->commit_root->start); - if (rb_node) { - node = rb_entry(rb_node, struct mapping_node, rb_node); - rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root); - } + BUG_ON(!rb_node); + + node = rb_entry(rb_node, struct mapping_node, rb_node); + rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root); + spin_unlock(&rc->reloc_root_tree.lock); BUG_ON((struct btrfs_root *)node->data != root);
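Review bot: in this hunk the rb_node == NULL case was already a crash before the change, because the unchanged BUG_ON((struct btrfs_root *)node->data != root) after spin_unlock() dereferences node, which is never assigned when the lookup misses; the new BUG_ON(!rb_node) only moves that crash to an explicit assertion with a clearer oops, so the commit message should say so instead of calling it a fix, and should state the actual reason tree_search cannot return NULL here rather than "based on my analysis". The assertion also fires with rc->reloc_root_tree.lock held; that is acceptable for BUG_ON, but if the reloc root tree can legitimately be out of sync during relocation, a WARN_ON followed by spin_unlock() and an error return would be the safer shape. Minor: the extra added blank line between rb_erase() and spin_unlock() is unnecessary.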