btrfs: Prevent possible ERR_PTR() dereference

In btrfs_full_stripe_len/btrfs_is_parity_mirror we have similar code which
gets the chunk map for a particular range via get_chunk_map. However,
get_chunk_map can return an ERR_PTR value and while the 2 callers do catch
this with a WARN_ON they then proceed to indiscriminately dereference the
extent map. This of course leads to a crash. Fix the offenders by making the
dereference conditional on IS_ERR.

Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>

diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index f93ac3d7e997f3fe1438ea244038dd929fd22c6a..59f82939e634e9f81c30c75c98a71577385af44b 100644 (file)
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -5173,12 +5173,13 @@ unsigned long btrfs_full_stripe_len(struct btrfs_fs_info *fs_info,
        unsigned long len = fs_info->sectorsize;
 
        em = get_chunk_map(fs_info, logical, len);
-       WARN_ON(IS_ERR(em));
 
-       map = em->map_lookup;
-       if (map->type & BTRFS_BLOCK_GROUP_RAID56_MASK)
-               len = map->stripe_len * nr_data_stripes(map);
-       free_extent_map(em);
+       if (!WARN_ON(IS_ERR(em))) {
+               map = em->map_lookup;
+               if (map->type & BTRFS_BLOCK_GROUP_RAID56_MASK)
+                       len = map->stripe_len * nr_data_stripes(map);
+               free_extent_map(em);
+       }
        return len;
 }
 
@@ -5190,12 +5191,13 @@ int btrfs_is_parity_mirror(struct btrfs_fs_info *fs_info,
        int ret = 0;
 
        em = get_chunk_map(fs_info, logical, len);
-       WARN_ON(IS_ERR(em));
 
-       map = em->map_lookup;
-       if (map->type & BTRFS_BLOCK_GROUP_RAID56_MASK)
-               ret = 1;
-       free_extent_map(em);
+       if(!WARN_ON(IS_ERR(em))) {
+               map = em->map_lookup;
+               if (map->type & BTRFS_BLOCK_GROUP_RAID56_MASK)
+                       ret = 1;
+               free_extent_map(em);
+       }
        return ret;
 }