* [PATCH] Btrfs: fix NULL pointer dereference in log_dir_items
@ 2018-03-30 22:11 Liu Bo
  2018-04-01 10:03 ` Nikolay Borisov
  0 siblings, 1 reply; 4+ messages in thread
From: Liu Bo @ 2018-03-30 22:11 UTC
  To: linux-btrfs

0, 1 and <0 can be returned by btrfs_next_leaf(), and when <0 is
returned, path->nodes[0] could be NULL, log_dir_items lacks such a
check for <0 and we may run into a null pointer dereference panic.

Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com>
---
 fs/btrfs/tree-log.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
index 4344577..4ee9431 100644
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -3518,8 +3518,11 @@ static noinline int log_dir_items(struct btrfs_trans_handle *trans,
 		 * from this directory and from this transaction
 		 */
 		ret = btrfs_next_leaf(root, path);
-		if (ret == 1) {
-			last_offset = (u64)-1;
+		if (ret) {
+			if (ret == 1)
+				last_offset = (u64)-1;
+			else
+				err = ret;
 			goto done;
 		}
 		btrfs_item_key_to_cpu(path->nodes[0], &tmp, path->slots[0]);
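Review bot: The new `else` branch stores the failure in `err` and jumps to `done`, but `last_offset` is left at whatever value it had before the `btrfs_next_leaf()` call, and nothing in this hunk shows how `done` treats it. Please confirm that the code at `done` checks `err` before using `last_offset`, so a failed leaf walk cannot record a directory range that was never fully scanned. Separately, `if (ret) { if (ret == 1) ... else ... }` treats every value other than 0 and 1 as an error; that matches the changelog's "0, 1 and <0", though testing `ret < 0` first and returning early would make the error case explicit and keep the `ret == 1` handling unchanged.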
-- 
1.8.3.1



* Re: [PATCH] Btrfs: fix NULL pointer dereference in log_dir_items
  2018-03-30 22:11 [PATCH] Btrfs: fix NULL pointer dereference in log_dir_items Liu Bo
@ 2018-04-01 10:03 ` Nikolay Borisov
  2018-04-02 17:51   ` Liu Bo
  0 siblings, 1 reply; 4+ messages in thread
From: Nikolay Borisov @ 2018-04-01 10:03 UTC
  To: Liu Bo, linux-btrfs



On 31.03.2018 01:11, Liu Bo wrote:
> 0, 1 and <0 can be returned by btrfs_next_leaf(), and when <0 is
> returned, path->nodes[0] could be NULL, log_dir_items lacks such a
> check for <0 and we may run into a null pointer dereference panic.
> 
> Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>

This bug has been present ever since 2.6.29 (e02119d5a7b4 ("Btrfs: Add a
write ahead tree log to optimize synchronous operations"))
so this needs a stable tag.

> ---
>  fs/btrfs/tree-log.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
> index 4344577..4ee9431 100644
> --- a/fs/btrfs/tree-log.c
> +++ b/fs/btrfs/tree-log.c
> @@ -3518,8 +3518,11 @@ static noinline int log_dir_items(struct btrfs_trans_handle *trans,
>  		 * from this directory and from this transaction
>  		 */
>  		ret = btrfs_next_leaf(root, path);
> -		if (ret == 1) {
> -			last_offset = (u64)-1;
> +		if (ret) {
> +			if (ret == 1)
> +				last_offset = (u64)-1;
> +			else
> +				err = ret;
>  			goto done;
>  		}
>  		btrfs_item_key_to_cpu(path->nodes[0], &tmp, path->slots[0]);
> 
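Review bot: Missing documentation at the new `if (ret)` block: the reason it exists, that `path->nodes[0]` may be NULL when `btrfs_next_leaf()` returns a negative value, is only in the changelog, while the dereference it protects is the `btrfs_item_key_to_cpu(path->nodes[0], ...)` call on the very next line. A one-line comment above `if (ret)` stating that the path must not be used after a negative return would keep a later refactor of this loop from narrowing the check back to `ret == 1`.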


* Re: [PATCH] Btrfs: fix NULL pointer dereference in log_dir_items
  2018-04-01 10:03 ` Nikolay Borisov
@ 2018-04-02 17:51   ` Liu Bo
  2018-04-02 18:48     ` Nikolay Borisov
  0 siblings, 1 reply; 4+ messages in thread
From: Liu Bo @ 2018-04-02 17:51 UTC
  To: Nikolay Borisov; +Cc: Liu Bo, linux-btrfs

On Sun, Apr 1, 2018 at 3:03 AM, Nikolay Borisov <nborisov@suse.com> wrote:
>
>
> On 31.03.2018 01:11, Liu Bo wrote:
>> 0, 1 and <0 can be returned by btrfs_next_leaf(), and when <0 is
>> returned, path->nodes[0] could be NULL, log_dir_items lacks such a
>> check for <0 and we may run into a null pointer dereference panic.
>>
>> Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com>
> Reviewed-by: Nikolay Borisov <nborisov@suse.com>
>
> This bug has been present ever since 2.6.29 (e02119d5a7b4 ("Btrfs: Add a
> write ahead tree log to optimize synchronous operations"))
>  so this needs a stable tag.

OK, git describe e02119d5a7b4 doesn't show a tag though.

thanks,
liubo
>
>> ---
>>  fs/btrfs/tree-log.c | 7 +++++--
>>  1 file changed, 5 insertions(+), 2 deletions(-)
>>
>> diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
>> index 4344577..4ee9431 100644
>> --- a/fs/btrfs/tree-log.c
>> +++ b/fs/btrfs/tree-log.c
>> @@ -3518,8 +3518,11 @@ static noinline int log_dir_items(struct btrfs_trans_handle *trans,
>>                * from this directory and from this transaction
>>                */
>>               ret = btrfs_next_leaf(root, path);
>> -             if (ret == 1) {
>> -                     last_offset = (u64)-1;
>> +             if (ret) {
>> +                     if (ret == 1)
>> +                             last_offset = (u64)-1;
>> +                     else
>> +                             err = ret;
>>                       goto done;
>>               }
>>               btrfs_item_key_to_cpu(path->nodes[0], &tmp, path->slots[0]);
>>


* Re: [PATCH] Btrfs: fix NULL pointer dereference in log_dir_items
  2018-04-02 17:51   ` Liu Bo
@ 2018-04-02 18:48     ` Nikolay Borisov
  0 siblings, 0 replies; 4+ messages in thread
From: Nikolay Borisov @ 2018-04-02 18:48 UTC
  To: Liu Bo; +Cc: Liu Bo, linux-btrfs



On  2.04.2018 20:51, Liu Bo wrote:
> On Sun, Apr 1, 2018 at 3:03 AM, Nikolay Borisov <nborisov@suse.com> wrote:
>>
>>
>> On 31.03.2018 01:11, Liu Bo wrote:
>>> 0, 1 and <0 can be returned by btrfs_next_leaf(), and when <0 is
>>> returned, path->nodes[0] could be NULL, log_dir_items lacks such a
>>> check for <0 and we may run into a null pointer dereference panic.
>>>
>>> Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com>
>> Reviewed-by: Nikolay Borisov <nborisov@suse.com>
>>
>> This bug has been present ever since 2.6.29 (e02119d5a7b4 ("Btrfs: Add a
>> write ahead tree log to optimize synchronous operations"))
>>  so this needs a stable tag.
> 
> OK, git describe e02119d5a7b4 doesn't show a tag though.

I just used git tag --contains <sha id>
> 
> thanks,
> liubo
>>
>>> ---
>>>  fs/btrfs/tree-log.c | 7 +++++--
>>>  1 file changed, 5 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
>>> index 4344577..4ee9431 100644
>>> --- a/fs/btrfs/tree-log.c
>>> +++ b/fs/btrfs/tree-log.c
>>> @@ -3518,8 +3518,11 @@ static noinline int log_dir_items(struct btrfs_trans_handle *trans,
>>>                * from this directory and from this transaction
>>>                */
>>>               ret = btrfs_next_leaf(root, path);
>>> -             if (ret == 1) {
>>> -                     last_offset = (u64)-1;
>>> +             if (ret) {
>>> +                     if (ret == 1)
>>> +                             last_offset = (u64)-1;
>>> +                     else
>>> +                             err = ret;
>>>                       goto done;
>>>               }
>>>               btrfs_item_key_to_cpu(path->nodes[0], &tmp, path->slots[0]);
>>>
> 
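
The difference between the two lookups discussed above, shown as an added example that is not part of the original thread: `git describe` names a commit from tags reachable in its own ancestry, while `git tag --contains` lists the tags whose history includes the commit, which is what a stable backport decision needs. The scratch repository, file name, commit messages and tag names `v1.0`/`v1.1` are constructed for illustration.

```shell
#!/bin/sh
# Constructed scratch repository: nothing here touches a real kernel tree.
demo_tag_lookup() {
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" || exit 1
        git init -q .
        git config user.name "Example"
        git config user.email "example@example.invalid"
        git config commit.gpgsign false
        git config tag.gpgsign false

        # The commit that introduces the bug has no tag among its ancestors.
        echo base > f && git add f && git commit -q -m "introduce bug"
        bug=$(git rev-parse HEAD)

        # Releases are tagged only later, on top of the buggy commit.
        echo more >> f && git commit -q -a -m "later work"
        git tag -a v1.0 -m "first release"
        echo more >> f && git commit -q -a -m "more work"
        git tag -a v1.1 -m "second release"

        # git describe walks backwards from the commit: no tag to find.
        if git describe "$bug" >/dev/null 2>&1; then
            echo "describe=found"
        else
            echo "describe=none"
        fi

        # git tag --contains walks forwards: every release carrying the bug.
        echo "tags=$(git tag --contains "$bug" | sort | xargs)"
    )
    status=$?
    rm -rf "$repo"
    return "$status"
}

demo_tag_lookup
```

The oldest tag in the `tags=` line is the first release that shipped the commit, which is the lower bound for a stable backport.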
