[PATCH v3] xfs: do not call xfs_buf_hash_destroy on a NULL pag

"Bill O'Donnell" <billodo@xxxxxxxxxx> · Wed, 25 Jan 2017 13:04:43 -0600

From: Colin Ian King <colin.king@xxxxxxxxxxxxx>

If pag cannot be allocated, the current error exit path will trip
a null pointer deference error when calling xfs_buf_hash_destroy
with a null pag.  Fix this by adding a new error exit lable and
jumping to this, avoiding the hash destroy and unnecessary kmem_free
on pag.

Fixes CoverityScan CID#1397628 ("Dereference after null check")

Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>

------------
v2: correct error exit in xfs_initialize_perag() to properly unwind
    pags if error encountered.

v3: correction to error case: ensure previous valid pags not torn
    down and only new initialized pags are torn down.

Signed-off-by: Bill O'Donnell <billodo@xxxxxxxxxx>
---
 fs/xfs/xfs_mount.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/fs/xfs/xfs_mount.c b/fs/xfs/xfs_mount.c
index 9b9540d..afc49ac 100644
--- a/fs/xfs/xfs_mount.c
+++ b/fs/xfs/xfs_mount.c
@@ -188,8 +188,10 @@ xfs_initialize_perag(
 {
 	xfs_agnumber_t	index;
 	xfs_agnumber_t	first_initialised = 0;
+	xfs_agnumber_t	next_agindex = 0;
 	xfs_perag_t	*pag;
 	int		error = -ENOMEM;
+	int		i;
 
 	/*
 	 * Walk the current per-ag tree so we don't try to initialise AGs
@@ -200,14 +202,15 @@ xfs_initialize_perag(
 		pag = xfs_perag_get(mp, index);
 		if (pag) {
 			xfs_perag_put(pag);
+			next_agindex = index + 1;
 			continue;
 		}
-		if (!first_initialised)
+		if (!first_initialised && (next_agindex > 0))
 			first_initialised = index;
 
 		pag = kmem_zalloc(sizeof(*pag), KM_MAYFAIL);
 		if (!pag)
-			goto out_unwind;
+			goto out_unwind_pags;
 		pag->pag_agno = index;
 		pag->pag_mount = mp;
 		spin_lock_init(&pag->pag_ici_lock);
@@ -242,8 +245,11 @@ xfs_initialize_perag(
 out_unwind:
 	xfs_buf_hash_destroy(pag);
 	kmem_free(pag);
-	for (; index > first_initialised; index--) {
-		pag = radix_tree_delete(&mp->m_perag_tree, index);
+out_unwind_pags:
+	for (i = index; i >= first_initialised; i--) {
+		pag = radix_tree_delete(&mp->m_perag_tree, (xfs_agnumber_t)i);
+		if (!pag)
+			continue;
 		xfs_buf_hash_destroy(pag);
 		kmem_free(pag);
 	}
-- 
2.9.3

--
To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html






