Btrfs: fix null pointer dereference on compressed write path error

fdmanana · kdave · commit 3527a018c00e · 2018-10-17T17:42:46.000+02:00
At inode.c:compress_file_range(), under the "free_pages_out" label, we can end up dereferencing the "pages" pointer when it has a NULL value. This case happens when "start" has a value of 0 and we fail to allocate memory for the "pages" pointer. When that happens we jump to the "cont" label and then enter the "if (start == 0)" branch where we immediately call the cow_file_range_inline() function. If that function returns 0 (success creating an inline extent) or an error (like -ENOMEM for example) we jump to the "free_pages_out" label and then access "pages[i]" leading to a NULL pointer dereference, since "nr_pages" has a value greater than zero at that point. Fix this by setting "nr_pages" to 0 when we fail to allocate memory for the "pages" pointer. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201119 Fixes: 771ed68 ("Btrfs: Optimize compressed writeback and reads") CC: stable@vger.kernel.org # 4.4+ Reviewed-by: Liu Bo <bo.liu@linux.alibaba.com> Signed-off-by: Filipe Manana <fdmanana@suse.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com>
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
@@ -502,6 +502,7 @@ static noinline void compress_file_range(struct inode *inode,
 		pages = kcalloc(nr_pages, sizeof(struct page *), GFP_NOFS);
 		if (!pages) {
 			/* just bail out to the uncompressed code */
+			nr_pages = 0;
 			goto cont;
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -502,6 +502,7 @@ static noinline void compress_file_range(struct inode *inode,`
`502`	`502`	`pages = kcalloc(nr_pages, sizeof(struct page *), GFP_NOFS);`
`503`	`503`	`if (!pages) {`
`504`	`504`	`/* just bail out to the uncompressed code */`
	`505`	`+ nr_pages = 0;`
`505`	`506`	`goto cont;`
`506`	`507`	`}`
`507`	`508`