
Null dereference in ext4_ext_migrate()

Message ID alpine.DEB.2.00.0901302346430.12904@bikeee
State Accepted, archived

Commit Message

Dan Carpenter Feb. 3, 2009, 7:49 a.m. UTC
There is a potential null dereference of tmp_inode.

The patch also removes an unnecessary check for whether tmp_inode is null.

This was found through a code checker (http://repo.or.cz/w/smatch.git/). 
It looks like you might be able to trigger the error by trying to migrate 
a readonly file system.  I have only compile tested though, sorry.

regards,
dan carpenter

Signed-off-by: Dan Carpenter <error27@gmail.com>

--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Theodore Y. Ts'o Feb. 16, 2009, 1:06 a.m. UTC | #1
On Tue, Feb 03, 2009 at 10:49:22AM +0300, Dan Carpenter wrote:
> There is a potential null dereference of tmp_inode.
>
> The patch also removes an unnecessary check for whether tmp_inode is null.
>
> This was found through a code checker (http://repo.or.cz/w/smatch.git/).  
> It looks like you might be able to trigger the error by trying to migrate 
> a readonly file system.  I have only compile tested though, sorry.

Thanks, I've included this in the ext4 patch queue to be pushed to Linus.

	     	      	      	       	     	   - Ted

Patch

--- orig/fs/ext4/migrate.c	2009-01-30 23:55:33.000000000 +0300
+++ devel/fs/ext4/migrate.c	2009-01-30 23:57:14.000000000 +0300
@@ -481,7 +481,7 @@ 
  					+ 1);
  	if (IS_ERR(handle)) {
  		retval = PTR_ERR(handle);
-		goto err_out;
+		return retval;
  	}
  	tmp_inode = ext4_new_inode(handle,
  				inode->i_sb->s_root->d_inode,
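Review bot: The new `return retval;` in the `IS_ERR(handle)` branch skips whatever sits at `err_out`, and that label is not visible in any of these hunks, so it is worth confirming that nothing acquired earlier in the function is released only there. In the lines shown, `handle` is an error pointer at this point and `tmp_inode` is assigned only after this branch, so neither `ext4_journal_stop(handle)` nor `iput(tmp_inode)` from the function tail should run, and returning directly is consistent with that. The two statements can be collapsed to `return PTR_ERR(handle);`.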
@@ -489,8 +489,7 @@ 
  	if (IS_ERR(tmp_inode)) {
  		retval = -ENOMEM;
  		ext4_journal_stop(handle);
-		tmp_inode = NULL;
-		goto err_out;
+		return retval;
  	}
  	i_size_write(tmp_inode, i_size_read(inode));
  	/*
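Review bot: The `IS_ERR(tmp_inode)` branch still hard-codes `retval = -ENOMEM;`, which discards the error that `ext4_new_inode()` actually returned. Since the changelog suggests the failure may be reachable on a read-only file system, reporting out-of-memory to the caller would be misleading; `retval = PTR_ERR(tmp_inode);` (or simply `return PTR_ERR(tmp_inode);` after `ext4_journal_stop(handle);`) would propagate the real cause. Removing `tmp_inode = NULL;` is fine here because the branch no longer falls through to code that uses the pointer.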
@@ -618,8 +617,7 @@ 

  	ext4_journal_stop(handle);

-	if (tmp_inode)
-		iput(tmp_inode);
+	iput(tmp_inode);

  	return retval;
  }
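Review bot: Dropping the `if (tmp_inode)` guard in front of `iput(tmp_inode);` is only correct if no remaining path reaches this tail with `tmp_inode` unset or NULL. The two early returns above cover the branches shown in this patch, but any other `goto err_out` between lines 490 and 617 lies outside these hunks and should be checked to occur after `tmp_inode` has been validated. The changelog would also be easier to verify if it named the statement that dereferences `tmp_inode` on the old error path, since that statement does not appear in the visible context.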