ext4: always check ext4_ext_find_extent result
Where are some places where logic guaranties us that extent we are searching exits, but this may not be true due to on-disk data corruption. If such corruption happens we must prevent possible null pointer dereferences. Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org> Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
This commit is contained in:
parent
8dc79ec4c0
commit
a18ed359bd
|
@ -3313,6 +3313,11 @@ static int ext4_split_extent(handle_t *handle,
|
||||||
return PTR_ERR(path);
|
return PTR_ERR(path);
|
||||||
depth = ext_depth(inode);
|
depth = ext_depth(inode);
|
||||||
ex = path[depth].p_ext;
|
ex = path[depth].p_ext;
|
||||||
|
if (!ex) {
|
||||||
|
EXT4_ERROR_INODE(inode, "unexpected hole at %lu",
|
||||||
|
(unsigned long) map->m_lblk);
|
||||||
|
return -EIO;
|
||||||
|
}
|
||||||
uninitialized = ext4_ext_is_uninitialized(ex);
|
uninitialized = ext4_ext_is_uninitialized(ex);
|
||||||
split_flag1 = 0;
|
split_flag1 = 0;
|
||||||
|
|
||||||
|
@ -3694,6 +3699,12 @@ static int ext4_convert_initialized_extents(handle_t *handle,
|
||||||
}
|
}
|
||||||
depth = ext_depth(inode);
|
depth = ext_depth(inode);
|
||||||
ex = path[depth].p_ext;
|
ex = path[depth].p_ext;
|
||||||
|
if (!ex) {
|
||||||
|
EXT4_ERROR_INODE(inode, "unexpected hole at %lu",
|
||||||
|
(unsigned long) map->m_lblk);
|
||||||
|
err = -EIO;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
err = ext4_ext_get_access(handle, inode, path + depth);
|
err = ext4_ext_get_access(handle, inode, path + depth);
|
||||||
|
@ -5340,6 +5351,12 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle,
|
||||||
return PTR_ERR(path);
|
return PTR_ERR(path);
|
||||||
depth = path->p_depth;
|
depth = path->p_depth;
|
||||||
extent = path[depth].p_ext;
|
extent = path[depth].p_ext;
|
||||||
|
if (!extent) {
|
||||||
|
EXT4_ERROR_INODE(inode, "unexpected hole at %lu",
|
||||||
|
(unsigned long) start);
|
||||||
|
return -EIO;
|
||||||
|
}
|
||||||
|
|
||||||
current_block = le32_to_cpu(extent->ee_block);
|
current_block = le32_to_cpu(extent->ee_block);
|
||||||
if (start > current_block) {
|
if (start > current_block) {
|
||||||
/* Hole, move to the next extent */
|
/* Hole, move to the next extent */
|
||||||
|
|
Loading…
Reference in New Issue