From patchwork Mon Oct 24 02:43:35 2016
X-Patchwork-Submitter: Qu Wenruo
X-Patchwork-Id: 9391295
From: Qu Wenruo
To: linux-btrfs@vger.kernel.org, dsterba@suse.cz
Subject: [PATCH 4/4] btrfs-progs: fsck: Fix NULL pointer dereference for possible memory allocation failure
Date: Mon, 24 Oct 2016 10:43:35 +0800
Message-Id: <20161024024335.6770-4-quwenruo@cn.fujitsu.com>
In-Reply-To: <20161024024335.6770-1-quwenruo@cn.fujitsu.com>
References: <20161024024335.6770-1-quwenruo@cn.fujitsu.com>

We didn't check 'path' allocated in check_root_ref(), which can cause NULL pointer dereference if the memory allocation failed.

Fix it by using stack memory, since the function should return error bitmap not minus error code, we don't want memory allocation to be an exception.

Reported-by: David Sterba
Resolves-Coverity-CID: 1372510
Signed-off-by: Qu Wenruo
--- cmds-check.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/cmds-check.c b/cmds-check.c index 91ed8b4..563cd55 100644 --- a/cmds-check.c +++ b/cmds-check.c @@ -5067,7 +5067,7 @@ out: static int check_root_ref(struct btrfs_root *root, struct btrfs_key *ref_key, struct extent_buffer *node, int slot) { - struct btrfs_path *path; + struct btrfs_path path; struct btrfs_key key; struct btrfs_root_ref *ref; struct btrfs_root_ref *backref; 
@@ -5104,8 +5104,8 @@ static int check_root_ref(struct btrfs_root *root, struct btrfs_key *ref_key, key.type = BTRFS_ROOT_BACKREF_KEY + BTRFS_ROOT_REF_KEY - ref_key->type; key.offset = ref_key->objectid; - path = btrfs_alloc_path(); - ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); + btrfs_init_path(&path); + ret = btrfs_search_slot(NULL, root, &key, &path, 0, 0); if (ret) { err |= ROOT_REF_MISSING; error("%s[%llu %llu] couldn't find relative ref", @@ -5115,11 +5115,11 @@ static int check_root_ref(struct btrfs_root *root, struct btrfs_key *ref_key, goto out; } - backref = btrfs_item_ptr(path->nodes[0], path->slots[0], + backref = btrfs_item_ptr(path.nodes[0], path.slots[0], struct btrfs_root_ref); - backref_dirid = btrfs_root_ref_dirid(path->nodes[0], backref); - backref_seq = btrfs_root_ref_sequence(path->nodes[0], backref); - backref_namelen = btrfs_root_ref_name_len(path->nodes[0], backref); + backref_dirid = btrfs_root_ref_dirid(path.nodes[0], backref); + backref_seq = btrfs_root_ref_sequence(path.nodes[0], backref); + backref_namelen = btrfs_root_ref_name_len(path.nodes[0], backref); if (backref_namelen <= BTRFS_NAME_LEN) { len = backref_namelen; @@ -5130,7 +5130,7 @@ static int check_root_ref(struct btrfs_root *root, struct btrfs_key *ref_key, "ROOT_REF" : "ROOT_BACKREF", key.objectid, key.offset); } - read_extent_buffer(path->nodes[0], backref_name, + read_extent_buffer(path.nodes[0], backref_name, (unsigned long)(backref + 1), len); if (ref_dirid != backref_dirid || ref_seq != backref_seq || @@ -5143,7 +5143,7 @@ static int check_root_ref(struct btrfs_root *root, struct btrfs_key *ref_key, ref_key->objectid, ref_key->offset); } out: - btrfs_free_path(path); + btrfs_release_path(&path); return err; }
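
Review bot: In the hunk at -5104, the 'if (ret)' test after btrfs_search_slot(NULL, root, &key, &path, 0, 0) treats a negative return (the search itself failed, for example on a read error) the same as a positive one (key not found), so both set ROOT_REF_MISSING and print "couldn't find relative ref". Since this line is being touched anyway, consider handling ret < 0 separately, so that a failed tree search is not reported to the user as a missing backref. The error bitmap convention described in the commit message still holds if the negative case sets its own bit or prints a distinct message before 'goto out'.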
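
Review bot: In the last hunk (-5143), 'out:' now calls btrfs_release_path(&path) unconditionally, but the stack variable declared in the first hunk is only set up by btrfs_init_path(&path) in the hunk at -5104, well below the declaration. The lines in between are not part of this diff; if any of them can reach 'out:', now or after a later change, the release would operate on uninitialized stack contents. Moving btrfs_init_path(&path) to the top of the function, directly after the declarations, would make the 'out:' path safe regardless of where a 'goto out' is added. It would also help to say in the commit message that btrfs_free_path() becomes btrfs_release_path() because the path is no longer heap allocated.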