Btrfs: open_ctree() error handling can oops on fs_info
authorQinghuang Feng <qhfeng.kernel@gmail.com>
Wed, 21 Jan 2009 15:49:16 +0000 (10:49 -0500)
committerChris Mason <chris.mason@oracle.com>
Wed, 21 Jan 2009 15:49:16 +0000 (10:49 -0500)
There is a bug in the error handling of open_ctree():

struct btrfs_root *open_ctree(..)
{
....
if (!extent_root || !tree_root || !fs_info ||
    !chunk_root || !dev_root || !csum_root) {
err = -ENOMEM;
goto fail;
//When code flow goes to "fail", fs_info may be NULL or uninitialized.
}
....

fail:
btrfs_close_devices(fs_info->fs_devices);// !
btrfs_mapping_tree_free(&fs_info->mapping_tree);// !

kfree(extent_root);
kfree(tree_root);
bdi_destroy(&fs_info->bdi);// !
...
)

Signed-off-by: Qinghuang Feng <qhfeng.kernel@gmail.com>
Signed-off-by: Chris Mason <chris.mason@oracle.com>
fs/btrfs/disk-io.c

index 26a18779e84bb3df55e62f79630218010202326e..3cf17257f89dca5f1e8b5d0041e170a6da22aa37 100644 (file)
@@ -1823,13 +1823,14 @@ fail_sb_buffer:
 fail_iput:
        invalidate_inode_pages2(fs_info->btree_inode->i_mapping);
        iput(fs_info->btree_inode);
-fail:
+
        btrfs_close_devices(fs_info->fs_devices);
        btrfs_mapping_tree_free(&fs_info->mapping_tree);
+       bdi_destroy(&fs_info->bdi);
 
+fail:
        kfree(extent_root);
        kfree(tree_root);
-       bdi_destroy(&fs_info->bdi);
        kfree(fs_info);
        kfree(chunk_root);
        kfree(dev_root);
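Review bot: The relocated `fail:` label (new side, just above `kfree(extent_root)`) now carries an unwritten contract that fs_info may be NULL when it is reached, and nothing in the code says so; I would add `/* fs_info may be NULL here: only NULL-safe kfree() calls below this label */` above it so that a later cleanup step dereferencing fs_info is not appended there again. The three calls that dereference fs_info are now reachable only by falling through from `fail_iput:`, so any `goto fail` issued after the device list or the bdi has been set up would skip `btrfs_close_devices()`, `btrfs_mapping_tree_free()` and `bdi_destroy()`; the other `goto fail` sites are outside this hunk and should be checked against that. The allocation check quoted in the commit message also covers csum_root, but the hunk ends at `kfree(dev_root)`, so whether csum_root is freed on this path cannot be confirmed from here. open_ctree's body starts and ends outside the hunk.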