From patchwork Fri Mar 30 05:48:53 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Qu Wenruo <wqu@suse.com>
X-Patchwork-Id: 10316995
Return-Path: <linux-btrfs-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	9B96560467 for <patchwork-linux-btrfs@patchwork.kernel.org>;
	Fri, 30 Mar 2018 05:49:26 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8E2F62A54E
	for <patchwork-linux-btrfs@patchwork.kernel.org>;
	Fri, 30 Mar 2018 05:49:26 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 811632A556; Fri, 30 Mar 2018 05:49:26 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EAAC92A555
	for <patchwork-linux-btrfs@patchwork.kernel.org>;
	Fri, 30 Mar 2018 05:49:25 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751297AbeC3FtP (ORCPT
	<rfc822;patchwork-linux-btrfs@patchwork.kernel.org>);
	Fri, 30 Mar 2018 01:49:15 -0400
Received: from victor.provo.novell.com ([137.65.250.26]:49508 "EHLO
	prv3-mh.provo.novell.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750764AbeC3FtM (ORCPT
	<rfc822;groupwise-linux-btrfs@vger.kernel.org:0:0>);
	Fri, 30 Mar 2018 01:49:12 -0400
Received: from adam-pc.lan (prv-ext-foundry1int.gns.novell.com
	[137.65.251.240])
	by prv3-mh.provo.novell.com with ESMTP (NOT encrypted);
	Thu, 29 Mar 2018 23:49:01 -0600
From: Qu Wenruo <wqu@suse.com>
To: linux-btrfs@vger.kernel.org
Subject: [PATCH v2 1/5] btrfs-progs: extent_io: Fix NULL pointer dereference
	in free_extent_buffer_final()
Date: Fri, 30 Mar 2018 13:48:53 +0800
Message-Id: <20180330054857.6106-2-wqu@suse.com>
X-Mailer: git-send-email 2.16.3
In-Reply-To: <20180330054857.6106-1-wqu@suse.com>
References: <20180330054857.6106-1-wqu@suse.com>
Sender: linux-btrfs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-btrfs.vger.kernel.org>
X-Mailing-List: linux-btrfs@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

In free_extent_buffer_final() we access eb->tree->cache_size in
BUG_ON().
However eb->tree can be NULL if it's a cloned extent buffer.

Currently the cloned extent buffer is only used in backref.c,
paths_from_inode() function.
Thankfully that function is not used yet (but could be pretty useful to
convert inode number to path, so I'd like to keep such function).

Anyway, check eb->tree before accessing its member.

Signed-off-by: Qu Wenruo <wqu@suse.com>
---
 extent_io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extent_io.c b/extent_io.c
index eda1fb6f5897..986ad5c0577c 100644
--- a/extent_io.c
+++ b/extent_io.c
@@ -587,7 +587,7 @@ static void free_extent_buffer_final(struct extent_buffer *eb)
 	struct extent_io_tree *tree = eb->tree;
 
 	BUG_ON(eb->refs);
-	BUG_ON(tree->cache_size < eb->len);
+	BUG_ON(tree && tree->cache_size < eb->len);
 	list_del_init(&eb->lru);
 	if (!(eb->flags & EXTENT_BUFFER_DUMMY)) {
 		remove_cache_extent(&tree->cache, &eb->cache_node);