[PATCH] fs: xfs: Fix possible null-pointer dereferences in xchk_da_btree_block_check

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] fs: xfs: Fix possible null-pointer dereferences in xchk_da_btree_block_check_sibling()
@ 2019-07-29  3:24 Jia-Ju Bai
  2019-07-29  4:20 ` Darrick J. Wong
  0 siblings, 1 reply; 4+ messages in thread
From: Jia-Ju Bai @ 2019-07-29  3:24 UTC (permalink / raw)
  To: darrick.wong, bfoster, sandeen; +Cc: linux-xfs, linux-kernel, Jia-Ju Bai

In xchk_da_btree_block_check_sibling(), there is an if statement on 
line 274 to check whether ds->state->altpath.blk[level].bp is NULL:
    if (ds->state->altpath.blk[level].bp)

When ds->state->altpath.blk[level].bp is NULL, it is used on line 281: 
    xfs_trans_brelse(..., ds->state->altpath.blk[level].bp);
        struct xfs_buf_log_item	*bip = bp->b_log_item;
        ASSERT(bp->b_transp == tp);

Thus, possible null-pointer dereferences may occur.

To fix these bugs, ds->state->altpath.blk[level].bp is checked before
being used.

These bugs are found by a static analysis tool STCheck written by us.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
 fs/xfs/scrub/dabtree.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/xfs/scrub/dabtree.c b/fs/xfs/scrub/dabtree.c
index 94c4f1de1922..33ff90c0dd70 100644
--- a/fs/xfs/scrub/dabtree.c
+++ b/fs/xfs/scrub/dabtree.c
@@ -278,7 +278,9 @@ xchk_da_btree_block_check_sibling(
 	/* Compare upper level pointer to sibling pointer. */
 	if (ds->state->altpath.blk[level].blkno != sibling)
 		xchk_da_set_corrupt(ds, level);
-	xfs_trans_brelse(ds->dargs.trans, ds->state->altpath.blk[level].bp);
+	if (ds->state->altpath.blk[level].bp)
+		xfs_trans_brelse(ds->dargs.trans, 
+						ds->state->altpath.blk[level].bp);
 out:
 	return error;
 }
-- 
2.17.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] fs: xfs: Fix possible null-pointer dereferences in xchk_da_btree_block_check_sibling()
  2019-07-29  3:24 [PATCH] fs: xfs: Fix possible null-pointer dereferences in xchk_da_btree_block_check_sibling() Jia-Ju Bai
@ 2019-07-29  4:20 ` Darrick J. Wong
  2019-07-29  7:25   ` Jia-Ju Bai
  0 siblings, 1 reply; 4+ messages in thread
From: Darrick J. Wong @ 2019-07-29  4:20 UTC (permalink / raw)
  To: Jia-Ju Bai; +Cc: bfoster, sandeen, linux-xfs, linux-kernel

On Mon, Jul 29, 2019 at 11:24:01AM +0800, Jia-Ju Bai wrote:
> In xchk_da_btree_block_check_sibling(), there is an if statement on 
> line 274 to check whether ds->state->altpath.blk[level].bp is NULL:
>     if (ds->state->altpath.blk[level].bp)
> 
> When ds->state->altpath.blk[level].bp is NULL, it is used on line 281: 
>     xfs_trans_brelse(..., ds->state->altpath.blk[level].bp);
>         struct xfs_buf_log_item	*bip = bp->b_log_item;
>         ASSERT(bp->b_transp == tp);
> 
> Thus, possible null-pointer dereferences may occur.
> 
> To fix these bugs, ds->state->altpath.blk[level].bp is checked before
> being used.
> 
> These bugs are found by a static analysis tool STCheck written by us.
> 
> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
> ---
>  fs/xfs/scrub/dabtree.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/xfs/scrub/dabtree.c b/fs/xfs/scrub/dabtree.c
> index 94c4f1de1922..33ff90c0dd70 100644
> --- a/fs/xfs/scrub/dabtree.c
> +++ b/fs/xfs/scrub/dabtree.c
> @@ -278,7 +278,9 @@ xchk_da_btree_block_check_sibling(
>  	/* Compare upper level pointer to sibling pointer. */
>  	if (ds->state->altpath.blk[level].blkno != sibling)
>  		xchk_da_set_corrupt(ds, level);
> -	xfs_trans_brelse(ds->dargs.trans, ds->state->altpath.blk[level].bp);
> +	if (ds->state->altpath.blk[level].bp)
> +		xfs_trans_brelse(ds->dargs.trans, 
> +						ds->state->altpath.blk[level].bp);

Indentation here (in xfs we use two spaces)

Also, uh, shouldn't we set ds->state->altpath.blk[level].bp to NULL
since we've released the buffer?

--D

>  out:
>  	return error;
>  }
> -- 
> 2.17.0
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] fs: xfs: Fix possible null-pointer dereferences in xchk_da_btree_block_check_sibling()
  2019-07-29  4:20 ` Darrick J. Wong
@ 2019-07-29  7:25   ` Jia-Ju Bai
  2019-07-29 14:58     ` Darrick J. Wong
  0 siblings, 1 reply; 4+ messages in thread
From: Jia-Ju Bai @ 2019-07-29  7:25 UTC (permalink / raw)
  To: Darrick J. Wong; +Cc: bfoster, sandeen, linux-xfs, linux-kernel



On 2019/7/29 12:20, Darrick J. Wong wrote:
> On Mon, Jul 29, 2019 at 11:24:01AM +0800, Jia-Ju Bai wrote:
>> In xchk_da_btree_block_check_sibling(), there is an if statement on
>> line 274 to check whether ds->state->altpath.blk[level].bp is NULL:
>>      if (ds->state->altpath.blk[level].bp)
>>
>> When ds->state->altpath.blk[level].bp is NULL, it is used on line 281:
>>      xfs_trans_brelse(..., ds->state->altpath.blk[level].bp);
>>          struct xfs_buf_log_item	*bip = bp->b_log_item;
>>          ASSERT(bp->b_transp == tp);
>>
>> Thus, possible null-pointer dereferences may occur.
>>
>> To fix these bugs, ds->state->altpath.blk[level].bp is checked before
>> being used.
>>
>> These bugs are found by a static analysis tool STCheck written by us.
>>
>> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
>> ---
>>   fs/xfs/scrub/dabtree.c | 4 +++-
>>   1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/xfs/scrub/dabtree.c b/fs/xfs/scrub/dabtree.c
>> index 94c4f1de1922..33ff90c0dd70 100644
>> --- a/fs/xfs/scrub/dabtree.c
>> +++ b/fs/xfs/scrub/dabtree.c
>> @@ -278,7 +278,9 @@ xchk_da_btree_block_check_sibling(
>>   	/* Compare upper level pointer to sibling pointer. */
>>   	if (ds->state->altpath.blk[level].blkno != sibling)
>>   		xchk_da_set_corrupt(ds, level);
>> -	xfs_trans_brelse(ds->dargs.trans, ds->state->altpath.blk[level].bp);
>> +	if (ds->state->altpath.blk[level].bp)
>> +		xfs_trans_brelse(ds->dargs.trans,
>> +						ds->state->altpath.blk[level].bp);
> Indentation here (in xfs we use two spaces)

Okay, I will fix this.

>
> Also, uh, shouldn't we set ds->state->altpath.blk[level].bp to NULL
> since we've released the buffer?

So I should set ds->state->altpath.blk[level].bp to NULL at the end of 
the function xchk_da_btree_block_check_sibling()?
Like:
     if (ds->state->altpath.blk[level].bp)
         xfs_trans_brelse(ds->dargs.trans,
                 ds->state->altpath.blk[level].bp);
     ds->state->altpath.blk[level].bp = NULL;


Best wishes,
Jia-Ju Bai

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] fs: xfs: Fix possible null-pointer dereferences in xchk_da_btree_block_check_sibling()
  2019-07-29  7:25   ` Jia-Ju Bai
@ 2019-07-29 14:58     ` Darrick J. Wong
  0 siblings, 0 replies; 4+ messages in thread
From: Darrick J. Wong @ 2019-07-29 14:58 UTC (permalink / raw)
  To: Jia-Ju Bai; +Cc: bfoster, sandeen, linux-xfs, linux-kernel

On Mon, Jul 29, 2019 at 03:25:04PM +0800, Jia-Ju Bai wrote:
> 
> 
> On 2019/7/29 12:20, Darrick J. Wong wrote:
> > On Mon, Jul 29, 2019 at 11:24:01AM +0800, Jia-Ju Bai wrote:
> > > In xchk_da_btree_block_check_sibling(), there is an if statement on
> > > line 274 to check whether ds->state->altpath.blk[level].bp is NULL:
> > >      if (ds->state->altpath.blk[level].bp)
> > > 
> > > When ds->state->altpath.blk[level].bp is NULL, it is used on line 281:
> > >      xfs_trans_brelse(..., ds->state->altpath.blk[level].bp);
> > >          struct xfs_buf_log_item	*bip = bp->b_log_item;
> > >          ASSERT(bp->b_transp == tp);
> > > 
> > > Thus, possible null-pointer dereferences may occur.
> > > 
> > > To fix these bugs, ds->state->altpath.blk[level].bp is checked before
> > > being used.
> > > 
> > > These bugs are found by a static analysis tool STCheck written by us.
> > > 
> > > Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
> > > ---
> > >   fs/xfs/scrub/dabtree.c | 4 +++-
> > >   1 file changed, 3 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/fs/xfs/scrub/dabtree.c b/fs/xfs/scrub/dabtree.c
> > > index 94c4f1de1922..33ff90c0dd70 100644
> > > --- a/fs/xfs/scrub/dabtree.c
> > > +++ b/fs/xfs/scrub/dabtree.c
> > > @@ -278,7 +278,9 @@ xchk_da_btree_block_check_sibling(
> > >   	/* Compare upper level pointer to sibling pointer. */
> > >   	if (ds->state->altpath.blk[level].blkno != sibling)
> > >   		xchk_da_set_corrupt(ds, level);
> > > -	xfs_trans_brelse(ds->dargs.trans, ds->state->altpath.blk[level].bp);
> > > +	if (ds->state->altpath.blk[level].bp)
> > > +		xfs_trans_brelse(ds->dargs.trans,
> > > +						ds->state->altpath.blk[level].bp);
> > Indentation here (in xfs we use two spaces)
> 
> Okay, I will fix this.
> 
> > 
> > Also, uh, shouldn't we set ds->state->altpath.blk[level].bp to NULL
> > since we've released the buffer?
> 
> So I should set ds->state->altpath.blk[level].bp to NULL at the end of the
> function xchk_da_btree_block_check_sibling()?
> Like:
>     if (ds->state->altpath.blk[level].bp)
>         xfs_trans_brelse(ds->dargs.trans,
>                 ds->state->altpath.blk[level].bp);
>     ds->state->altpath.blk[level].bp = NULL;

You could put the whole thing in a single if clause, e.g.

	if (ds->state->altpath.blk[level].bp) {
		xfs_trans_brelse(ds->dargs.trans,
				 ds->state->altpath.blk[level].bp);
		ds->state->altpath.blk[level].bp = NULL;
	}

--D

> 
> 
> Best wishes,
> Jia-Ju Bai

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2019-07-29 14:58 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-29  3:24 [PATCH] fs: xfs: Fix possible null-pointer dereferences in xchk_da_btree_block_check_sibling() Jia-Ju Bai
2019-07-29  4:20 ` Darrick J. Wong
2019-07-29  7:25   ` Jia-Ju Bai
2019-07-29 14:58     ` Darrick J. Wong

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).