ceph: quota: fix null pointer dereference in quota check

Luis Henriques · idryomov · commit 71f2cc64d027 · 2018-11-08T17:51:11.000+01:00
This patch fixes a possible null pointer dereference in check_quota_exceeded, detected by the static checker smatch, with the following warning: fs/ceph/quota.c:240 check_quota_exceeded() error: we previously assumed 'realm' could be null (see line 188) Fixes: b7a2921 ("ceph: quota: support for ceph.quota.max_files") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Luis Henriques <lhenriques@suse.com> Reviewed-by: "Yan, Zheng" <zyan@redhat.com> Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
diff --git a/fs/ceph/quota.c b/fs/ceph/quota.c
@@ -237,7 +237,8 @@ static bool check_quota_exceeded(struct inode *inode, enum quota_check_op op,
 		ceph_put_snap_realm(mdsc, realm);
 		realm = next;
 	}
-	ceph_put_snap_realm(mdsc, realm);
+	if (realm)
+		ceph_put_snap_realm(mdsc, realm);
 	up_read(&mdsc->snap_rwsem);
 
 	return exceeded;

Original file line number	Diff line number	Diff line change
`@@ -237,7 +237,8 @@ static bool check_quota_exceeded(struct inode *inode, enum quota_check_op op,`
`237`	`237`	`ceph_put_snap_realm(mdsc, realm);`
`238`	`238`	`realm = next;`
`239`	`239`	`}`
`240`		`- ceph_put_snap_realm(mdsc, realm);`
	`240`	`+ if (realm)`
	`241`	`+ ceph_put_snap_realm(mdsc, realm);`
`241`	`242`	`up_read(&mdsc->snap_rwsem);`
`242`	`243`
`243`	`244`	`return exceeded;`