From: Xiaochen Zou <xzou017@ucr.edu>
To: reiserfs-devel@vger.kernel.org
Cc: Xiaochen Zou <xzou017@ucr.edu>
Subject: [PATCH] fs/reiserfs: Null check to prevent null-ptr-deref bug
Date: Fri, 5 Jan 2024 11:48:32 -0800
Message-ID: <20240105194832.1196581-1-xzou017@ucr.edu>
It's necessary to perform a null check on the return value of
sb_getblk() to prevent null-ptr-deref bugs.
Signed-off-by: Xiaochen Zou <xzou017@ucr.edu>
---
fs/reiserfs/fix_node.c | 2 ++
fs/reiserfs/journal.c | 13 ++++++++++++-
fs/reiserfs/stree.c | 2 ++
3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/fs/reiserfs/fix_node.c b/fs/reiserfs/fix_node.c
index 6c13a8d9a73c..cfa2520a34c3 100644
--- a/fs/reiserfs/fix_node.c
+++ b/fs/reiserfs/fix_node.c
@@ -888,6 +888,8 @@ static int get_empty_nodes(struct tree_balance *tb, int h)
"PAP-8135: reiserfs_new_blocknrs failed when got new blocks");
new_bh = sb_getblk(sb, *blocknr);
+ if (unlikely(!new_bh))
+ return -ENOMEM;
RFALSE(buffer_dirty(new_bh) ||
buffer_journaled(new_bh) ||
buffer_journal_dirty(new_bh),
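Review bot: The new `return -ENOMEM;` after `sb_getblk(sb, *blocknr)` leaves get_empty_nodes() without giving back the block numbers that were just obtained (the PAP-8135 message directly above refers to reiserfs_new_blocknrs), and nothing in the hunk unwinds them. Please either release what has been allocated before returning, or explain in the commit message why an early return is safe at this point. Also confirm that callers of this function accept a negative errno as a return value.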
diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c
index 171c912af50f..c8e6e9c07f31 100644
--- a/fs/reiserfs/journal.c
+++ b/fs/reiserfs/journal.c
@@ -2115,6 +2115,7 @@ static int journal_read_transaction(struct super_block *sb,
struct reiserfs_journal_desc *desc;
struct reiserfs_journal_commit *commit;
unsigned int trans_id = 0;
+ int err = 0;
struct buffer_head *c_bh;
struct buffer_head *d_bh;
struct buffer_head **log_blocks = NULL;
@@ -2209,11 +2210,19 @@ static int journal_read_transaction(struct super_block *sb,
real_blocks[i] =
sb_getblk(sb,
le32_to_cpu(desc->j_realblock[i]));
+ if (unlikely(!real_blocks[i])) {
+ err = -ENOMEM;
+ goto out;
+ }
} else {
real_blocks[i] =
sb_getblk(sb,
le32_to_cpu(commit->
j_realblock[i - trans_half]));
+ if (unlikely(!real_blocks[i])) {
+ err = -ENOMEM;
+ goto out;
+ }
}
if (real_blocks[i]->b_blocknr > SB_BLOCK_COUNT(sb)) {
reiserfs_warning(sb, "journal-1207",
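Review bot: The same three-line NULL check is added to both arms of the if/else, although both arms only assign `real_blocks[i]` and the first dereference is the following `if (real_blocks[i]->b_blocknr > SB_BLOCK_COUNT(sb))`. A single `if (unlikely(!real_blocks[i]))` placed after the closing brace of the else and before that comparison covers both cases without the duplication.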
@@ -2300,11 +2309,13 @@ static int journal_read_transaction(struct super_block *sb,
/* check for trans_id overflow */
if (journal->j_trans_id == 0)
journal->j_trans_id = 10;
+
+out:
brelse(c_bh);
brelse(d_bh);
kfree(log_blocks);
kfree(real_blocks);
- return 0;
+ return err;
}
/*
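Review bot: The `out:` label runs only `brelse(c_bh)`, `brelse(d_bh)` and the two `kfree()` calls, so on the new -ENOMEM path the buffer heads already stored in `real_blocks[]` by earlier loop iterations are never released before the array holding them is freed. Release the entries filled so far before jumping to `out`, or add a cleanup loop on the error path. Since this exit used to be an unconditional `return 0;`, the commit message should also say how callers of journal_read_transaction() treat the new error value.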
diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c
index 2138ee7d271d..eee861680348 100644
--- a/fs/reiserfs/stree.c
+++ b/fs/reiserfs/stree.c
@@ -562,6 +562,8 @@ static int search_by_key_reada(struct super_block *s,
for (i = 0; i < num; i++) {
bh[i] = sb_getblk(s, b[i]);
+ if (unlikely(!bh[i]))
+ return -ENOMEM;
}
/*
* We are going to read some blocks on which we
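Review bot: Returning from inside `for (i = 0; i < num; i++)` when `bh[i]` is NULL leaves `bh[0]` through `bh[i - 1]` holding the references that `sb_getblk()` took on earlier iterations, with no `brelse()` on them. Release the buffers already obtained before `return -ENOMEM;`, and state in the commit message what callers of search_by_key_reada() are expected to do with the new error value.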
--
2.25.1