On Fri, Oct 12, 2018 at 4:38 PM <fdman...@kernel.org> wrote: > > From: Filipe Manana <fdman...@suse.com> > > At inode.c:compress_file_range(), under the "free_pages_out" label, we can > end up dereferencing the "pages" pointer when it has a NULL value. This > case happens when "start" has a value of 0 and we fail to allocate memory > for the "pages" pointer. When that happens we jump to the "cont" label and > then enter the "if (start == 0)" branch where we immediately call the > cow_file_range_inline() function. If that function returns 0 (success > creating an inline extent) or an error (like -ENOMEM for example) we jump > to the "free_pages_out" label and then access "pages[i]" leading to a NULL > pointer dereference, since "nr_pages" has a value greater than zero at > that point. > > Fix this by setting "nr_pages" to 0 when we fail to allocate memory for > the "pages" pointer. >
Looks good. Reviewed-by: Liu Bo <bo....@linux.alibaba.com> thanks, liubo > Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201119 > Fixes: 771ed689d2cd ("Btrfs: Optimize compressed writeback and reads") > Signed-off-by: Filipe Manana <fdman...@suse.com> > --- > > V2: Updated changelog. > > fs/btrfs/inode.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c > index 66c6c4103d2f..d6b61b1facdd 100644 > --- a/fs/btrfs/inode.c > +++ b/fs/btrfs/inode.c > @@ -503,6 +503,7 @@ static noinline void compress_file_range(struct inode > *inode, > pages = kcalloc(nr_pages, sizeof(struct page *), GFP_NOFS); > if (!pages) { > /* just bail out to the uncompressed code */ > + nr_pages = 0; > goto cont; > } > > -- > 2.11.0 >
