On 2019/7/24 上午10:11, Jia-Ju Bai wrote: > In insert_inline_extent(), there is an if statement on line 181 to check > whether compressed_pages is NULL: > if (compressed_size && compressed_pages) > > When compressed_pages is NULL, compressed_pages is used on line 215: > cpage = compressed_pages[i]; > > Thus, a possible null-pointer dereference may occur. > > To fix this possible bug, compressed_pages is checked on line 214.
This can only be hit with compressed_size > 0 and compressed_pages != NULL. It would be better to have an extra ASSERT() to warn developers about the impossible case. Thanks, Qu > > This bug is found by a static analysis tool STCheck written by us. > > Signed-off-by: Jia-Ju Bai <[email protected]> > --- > fs/btrfs/inode.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c > index 1af069a9a0c7..19182272fbd8 100644 > --- a/fs/btrfs/inode.c > +++ b/fs/btrfs/inode.c > @@ -211,7 +211,7 @@ static int insert_inline_extent(struct btrfs_trans_handle > *trans, > if (compress_type != BTRFS_COMPRESS_NONE) { > struct page *cpage; > int i = 0; > - while (compressed_size > 0) { > + while (compressed_size > 0 && compressed_pages) { > cpage = compressed_pages[i]; > cur_size = min_t(unsigned long, compressed_size, > PAGE_SIZE); >
signature.asc
Description: OpenPGP digital signature
