Message ID | 20210406135503.164590-1-nborisov@suse.com
---|---
State | New, archived
Series | btrfs-progs: Fix null pointer deref in balance_level
On 4/6/21 9:55 AM, Nikolay Borisov wrote:
> In case the right buffer is emptied it's first set to null and
> subsequently it's dereferenced to get its size to pass to root_sub_used.
> This naturally leads to a null pointer dereference. The correct thing
> to do is to pass the stashed right->len in "blocksize".
>
> Fixes #296
>
> Signed-off-by: Nikolay Borisov <nborisov@suse.com>

Reviewed-by: Josef Bacik <josef@toxicpanda.com>

Thanks,

Josef
On Tue, Apr 06, 2021 at 04:55:03PM +0300, Nikolay Borisov wrote:
> In case the right buffer is emptied it's first set to null and
> subsequently it's dereferenced to get its size to pass to root_sub_used.
> This naturally leads to a null pointer dereference. The correct thing
> to do is to pass the stashed right->len in "blocksize".
>
> Fixes #296

I'm using the "Issue: #123" format for that.

> Signed-off-by: Nikolay Borisov <nborisov@suse.com>

Added to devel, thanks.
diff --git a/kernel-shared/ctree.c b/kernel-shared/ctree.c index 4cc3aebc1412..3a82286cc914 100644 --- a/kernel-shared/ctree.c +++ b/kernel-shared/ctree.c @@ -927,7 +927,7 @@ static int balance_level(struct btrfs_trans_handle *trans, if (wret) ret = wret; - root_sub_used(root, right->len); + root_sub_used(root, blocksize); wret = btrfs_free_extent(trans, root, bytenr, blocksize, 0, root->root_key.objectid,
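Review bot: the hunk only shows `root_sub_used(root, right->len)` becoming `root_sub_used(root, blocksize)`; the `right = NULL` assignment that causes the dereference and the place where `blocksize` is stashed from `right->len` both fall outside the three lines of context, so the reviewer has to take the commit message's word that `blocksize` still holds the freed buffer's length at this point. The adjacent `btrfs_free_extent(trans, root, bytenr, blocksize, 0, ...)` call already relies on that same stashed value for the same extent, which supports the change, but a short comment at the `right = NULL` site stating that the length must be read from `blocksize` after that point would stop the next edit from reintroducing the NULL dereference.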
In case the right buffer is emptied it's first set to null and
subsequently it's dereferenced to get its size to pass to root_sub_used.
This naturally leads to a null pointer dereference. The correct thing
to do is to pass the stashed right->len in "blocksize".

Fixes #296

Signed-off-by: Nikolay Borisov <nborisov@suse.com>
---
 kernel-shared/ctree.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)