Btrfs: open_ctree() error handling can oops on fs_info

a bug in open_ctree: struct btrfs_root *open_ctree(..) { .... if (!extent_root || !tree_root || !fs_info || !chunk_root || !dev_root || !csum_root) { err = -ENOMEM; goto fail; //When code flow goes to "fail", fs_info may be NULL or uninitialized. } .... fail: btrfs_close_devices(fs_info->fs_devices);// ! btrfs_mapping_tree_free(&fs_info->mapping_tree);// ! kfree(extent_root); kfree(tree_root); bdi_destroy(&fs_info->bdi);// ! ... ) Signed-off-by: Qinghuang Feng <qhfeng.kernel@gmail.com> Signed-off-by: Chris Mason <chris.mason@oracle.com>
author: Qinghuang Feng <qhfeng.kernel@gmail.com> 2009-01-21 10:49:16 -0500
committer: Chris Mason <chris.mason@oracle.com> 2009-01-21 10:49:16 -0500
commit: 7e6628544abad773222d8b177f738ac2db1859de (patch)
tree: b1bdb87b850ed4639f45b1ca10d739f90e186646 /fs
parent: 86288a198d8e4e8411ff02f9ab848245e8f11257 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 26a18779e84b..3cf17257f89d 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -1823,13 +1823,14 @@ fail_sb_buffer:
 fail_iput:
        invalidate_inode_pages2(fs_info->btree_inode->i_mapping);
        iput(fs_info->btree_inode);
-fail:
        btrfs_close_devices(fs_info->fs_devices);
        btrfs_mapping_tree_free(&fs_info->mapping_tree);
+        bdi_destroy(&fs_info->bdi);
+fail:
        kfree(extent_root);
        kfree(tree_root);
-        bdi_destroy(&fs_info->bdi);
        kfree(fs_info);
        kfree(chunk_root);
        kfree(dev_root);
author	Qinghuang Feng <qhfeng.kernel@gmail.com>	2009-01-21 10:49:16 -0500
committer	Chris Mason <chris.mason@oracle.com>	2009-01-21 10:49:16 -0500
commit	7e6628544abad773222d8b177f738ac2db1859de (patch)
tree	b1bdb87b850ed4639f45b1ca10d739f90e186646 /fs
parent	86288a198d8e4e8411ff02f9ab848245e8f11257 (diff)

diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c index 26a18779e84b..3cf17257f89d 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c
@@ -1823,13 +1823,14 @@ fail_sb_buffer:
1823	fail_iput:	1823	fail_iput:
1824	invalidate_inode_pages2(fs_info->btree_inode->i_mapping);	1824	invalidate_inode_pages2(fs_info->btree_inode->i_mapping);
1825	iput(fs_info->btree_inode);	1825	iput(fs_info->btree_inode);
1826	fail:	1826
1827	btrfs_close_devices(fs_info->fs_devices);	1827	btrfs_close_devices(fs_info->fs_devices);
1828	btrfs_mapping_tree_free(&fs_info->mapping_tree);	1828	btrfs_mapping_tree_free(&fs_info->mapping_tree);
		1829	bdi_destroy(&fs_info->bdi);
1829		1830
		1831	fail:
1830	kfree(extent_root);	1832	kfree(extent_root);
1831	kfree(tree_root);	1833	kfree(tree_root);
1832	bdi_destroy(&fs_info->bdi);
1833	kfree(fs_info);	1834	kfree(fs_info);
1834	kfree(chunk_root);	1835	kfree(chunk_root);
1835	kfree(dev_root);	1836	kfree(dev_root);