Allocations may fail, prevent NULL dereferences.
Signed-off-by: Roel Kluin <roel.kl...@gmail.com>
---
In several sections of fs/btrfs code a kmalloc() occurs without a
check whether it succeeded. this potentially leads to dereferences
of a NULL pointer. Are there reasons why we do not check the
allocations? Did I choose an incorrect way to err out? please
review.
fs/btrfs/compression.c | 3 +++
fs/btrfs/extent-tree.c | 2 ++
fs/btrfs/file.c | 2 ++
fs/btrfs/inode.c | 2 ++
fs/btrfs/tree-log.c | 2 ++
5 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/fs/btrfs/compression.c b/fs/btrfs/compression.c
index 9d8ba4d..1cb049d 100644
--- a/fs/btrfs/compression.c
+++ b/fs/btrfs/compression.c
@@ -351,6 +351,8 @@ int btrfs_submit_compressed_write(struct inode *inode, u64
start,
WARN_ON(start & ((u64)PAGE_CACHE_SIZE - 1));
cb = kmalloc(compressed_bio_size(root, compressed_len), GFP_NOFS);
+ if (cb == NULL)
+ return -ENOMEM;
atomic_set(&cb->pending_bios, 0);
cb->errors = 0;
cb->inode = inode;
@@ -601,6 +603,7 @@ int btrfs_submit_compressed_read(struct inode *inode,
struct bio *bio,
compressed_len = em->block_len;
cb = kmalloc(compressed_bio_size(root, compressed_len), GFP_NOFS);
+ BUG_ON(cb == NULL);
atomic_set(&cb->pending_bios, 0);
cb->errors = 0;
cb->inode = inode;
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 72a2b9c..e37aa04 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -6729,6 +6729,8 @@ static noinline int relocate_one_extent(struct btrfs_root
*extent_root,
u64 group_start = group->key.objectid;
new_extents = kmalloc(sizeof(*new_extents),
GFP_NOFS);
+ if (new_extents == NULL)
+ goto out
nr_extents = 1;
ret = get_new_locations(reloc_inode,
extent_key,
diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
index 4b83397..58b343c 100644
--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -949,6 +949,8 @@ static ssize_t btrfs_file_write(struct file *file, const
char __user *buf,
file_update_time(file);
pages = kmalloc(nrptrs * sizeof(struct page *), GFP_KERNEL);
+ if (pages == NULL)
+ goto out_nolock;
mutex_lock(&inode->i_mutex);
BTRFS_I(inode)->sequence++;
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 59cba18..cea4423 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4013,6 +4013,8 @@ static noinline int uncompress_inline(struct btrfs_path
*path,
inline_size = btrfs_file_extent_inline_item_len(leaf,
btrfs_item_nr(leaf, path->slots[0]));
tmp = kmalloc(inline_size, GFP_NOFS);
+ if (tmp == NULL)
+ return -ENOMEM;
ptr = btrfs_file_extent_inline_start(item);
read_extent_buffer(leaf, tmp, ptr, inline_size);
diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
index d91b0de..fc6c3f1 100644
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -652,6 +652,7 @@ static noinline int drop_one_dir_item(struct
btrfs_trans_handle *trans,
btrfs_dir_item_key_to_cpu(leaf, di, &location);
name_len = btrfs_dir_name_len(leaf, di);
name = kmalloc(name_len, GFP_NOFS);
+ BUG_ON(name == NULL);
read_extent_buffer(leaf, name, (unsigned long)(di + 1), name_len);
btrfs_release_path(root, path);
@@ -1155,6 +1156,7 @@ static noinline int replay_one_name(struct
btrfs_trans_handle *trans,
name_len = btrfs_dir_name_len(eb, di);
name = kmalloc(name_len, GFP_NOFS);
+ BUG_ON(name == NULL);
log_type = btrfs_dir_type(eb, di);
read_extent_buffer(eb, name, (unsigned long)(di + 1),
name_len);
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
