Commit a18ed359 authored by Dmitry Monakhov's avatar Dmitry Monakhov Committed by Theodore Ts'o
Browse files

ext4: always check ext4_ext_find_extent result 



Where are some places where logic guaranties us that extent we are
searching exits, but this may not be true due to on-disk data
corruption. If such corruption happens we must prevent possible
null pointer dereferences.

Signed-off-by: default avatarDmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
parent 8dc79ec4

fs/ext4/extents.c

+17 −0
Original line number Diff line number Diff line
@@ -3313,6 +3313,11 @@ static int ext4_split_extent(handle_t *handle, 
		return PTR_ERR(path);

	depth = ext_depth(inode);

	ex = path[depth].p_ext;

	if (!ex) {

		EXT4_ERROR_INODE(inode, "unexpected hole at %lu",

				 (unsigned long) map->m_lblk);

		return -EIO;

	}

	uninitialized = ext4_ext_is_uninitialized(ex);

	split_flag1 = 0;
@@ -3694,6 +3699,12 @@ static int ext4_convert_initialized_extents(handle_t *handle, 
		}

		depth = ext_depth(inode);

		ex = path[depth].p_ext;

		if (!ex) {

			EXT4_ERROR_INODE(inode, "unexpected hole at %lu",

					 (unsigned long) map->m_lblk);

			err = -EIO;

			goto out;

		}

	}



	err = ext4_ext_get_access(handle, inode, path + depth);
@@ -5340,6 +5351,12 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle, 
			return PTR_ERR(path);

		depth = path->p_depth;

		extent = path[depth].p_ext;

		if (!extent) {

			EXT4_ERROR_INODE(inode, "unexpected hole at %lu",

					 (unsigned long) start);

			return -EIO;

		}



		current_block = le32_to_cpu(extent->ee_block);

		if (start > current_block) {

			/* Hole, move to the next extent */

CRA Git | Maintained and supported by SUSTech CRA and CCSE