diff options
author | Qu Wenruo <wqu@suse.com> | 2018-03-30 13:48:53 +0800 |
---|---|---|
committer | David Sterba <dsterba@suse.com> | 2018-04-24 13:00:11 +0200 |
commit | 98d5d325a887b6c061096c141eef10755762bbcf (patch) | |
tree | a1be1f4d960ba243c15a64f8595cfd70918a9db6 | |
parent | a5ef445f05fb077736d47624e31b9f6c7bbb0f1b (diff) | |
download | btrfs-progs-98d5d325a887b6c061096c141eef10755762bbcf.tar.gz btrfs-progs-98d5d325a887b6c061096c141eef10755762bbcf.tar.bz2 btrfs-progs-98d5d325a887b6c061096c141eef10755762bbcf.zip |
btrfs-progs: extent_io: Fix NULL pointer dereference in free_extent_buffer_final()
In free_extent_buffer_final() we access eb->tree->cache_size in
BUG_ON(). However eb->tree can be NULL if it's a cloned extent buffer.
Currently the cloned extent buffer is only used in backref.c,
paths_from_inode() function. Thankfully that function is not used yet
(but could be pretty useful to convert inode number to path, so I'd like
to keep such function).
Anyway, check eb->tree before accessing its member.
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
Signed-off-by: David Sterba <dsterba@suse.com>
-rw-r--r-- | extent_io.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/extent_io.c b/extent_io.c index eda1fb6f..986ad5c0 100644 --- a/extent_io.c +++ b/extent_io.c @@ -587,7 +587,7 @@ static void free_extent_buffer_final(struct extent_buffer *eb) struct extent_io_tree *tree = eb->tree; BUG_ON(eb->refs); - BUG_ON(tree->cache_size < eb->len); + BUG_ON(tree && tree->cache_size < eb->len); list_del_init(&eb->lru); if (!(eb->flags & EXTENT_BUFFER_DUMMY)) { remove_cache_extent(&tree->cache, &eb->cache_node); |