[goldwynr:iomap 27/33] fs/btrfs/file.c:1517 btrfs_buffered_iomap_begin() error: dereferencing freed memory 'bi'

From: Dan Carpenter
Date: Thu Jan 06 2022 - 08:02:11 EST


tree: https://github.com/goldwynr/linux iomap
head: 30c74a8c201365178cae26d0d7aefa120c3245ab
commit: f3623890897fee87c24f37ae01a2f1a5c35a39d9 [27/33] btrfs: use srcmap for read-before-write cases
config: i386-randconfig-m031-20211228 (https://download.01.org/0day-ci/archive/20211230/202112302317.OJzUYuIb-lkp@xxxxxxxxx/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0

If you fix the issue, kindly add the following tags as appropriate
Reported-by: kernel test robot <lkp@xxxxxxxxx>
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

smatch warnings:
fs/btrfs/file.c:1517 btrfs_buffered_iomap_begin() error: dereferencing freed memory 'bi'

vim +/bi +1517 fs/btrfs/file.c

b192ee8d4db510 Goldwyn Rodrigues 2021-04-21 1490 static int btrfs_buffered_iomap_begin(struct inode *inode, loff_t pos,
f4ecee4435f363 Goldwyn Rodrigues 2021-04-21 1491 loff_t length, unsigned flags, struct iomap *iomap,
f4ecee4435f363 Goldwyn Rodrigues 2021-04-21 1492 struct iomap *srcmap)
b192ee8d4db510 Goldwyn Rodrigues 2021-04-21 1493 {
b192ee8d4db510 Goldwyn Rodrigues 2021-04-21 1494 int ret;
b192ee8d4db510 Goldwyn Rodrigues 2021-04-21 1495 size_t write_bytes = length;
b192ee8d4db510 Goldwyn Rodrigues 2021-04-21 1496 struct btrfs_fs_info *fs_info = btrfs_sb(inode->i_sb);
b192ee8d4db510 Goldwyn Rodrigues 2021-04-21 1497 size_t sector_offset = pos & (fs_info->sectorsize - 1);
f4ecee4435f363 Goldwyn Rodrigues 2021-04-21 1498 struct btrfs_iomap *bi;
f3623890897fee Goldwyn Rodrigues 2021-04-21 1499 loff_t end = pos + length;
f4ecee4435f363 Goldwyn Rodrigues 2021-04-21 1500
f4ecee4435f363 Goldwyn Rodrigues 2021-04-21 1501 bi = kzalloc(sizeof(struct btrfs_iomap), GFP_NOFS);
f4ecee4435f363 Goldwyn Rodrigues 2021-04-21 1502 if (!bi)
f4ecee4435f363 Goldwyn Rodrigues 2021-04-21 1503 return -ENOMEM;
b192ee8d4db510 Goldwyn Rodrigues 2021-04-21 1504
f3623890897fee Goldwyn Rodrigues 2021-04-21 1505 if ((pos & (PAGE_SIZE - 1) || end & (PAGE_SIZE - 1))) {
f3623890897fee Goldwyn Rodrigues 2021-04-21 1506 loff_t isize = i_size_read(inode);
f3623890897fee Goldwyn Rodrigues 2021-04-21 1507 if (pos >= isize) {
f3623890897fee Goldwyn Rodrigues 2021-04-21 1508 srcmap->addr = IOMAP_NULL_ADDR;
f3623890897fee Goldwyn Rodrigues 2021-04-21 1509 srcmap->type = IOMAP_HOLE;
f3623890897fee Goldwyn Rodrigues 2021-04-21 1510 srcmap->offset = isize;
f3623890897fee Goldwyn Rodrigues 2021-04-21 1511 srcmap->length = end - isize;
f3623890897fee Goldwyn Rodrigues 2021-04-21 1512 } else {
f3623890897fee Goldwyn Rodrigues 2021-04-21 1513 bi->em = btrfs_get_extent(BTRFS_I(inode), NULL, 0,
f3623890897fee Goldwyn Rodrigues 2021-04-21 1514 pos - sector_offset, length);
f3623890897fee Goldwyn Rodrigues 2021-04-21 1515 if (IS_ERR(bi->em)) {
f3623890897fee Goldwyn Rodrigues 2021-04-21 1516 kfree(bi);
^^^^^^^^^

f3623890897fee Goldwyn Rodrigues 2021-04-21 @1517 return PTR_ERR(bi->em);
^^^^^^

f3623890897fee Goldwyn Rodrigues 2021-04-21 1518 }
f3623890897fee Goldwyn Rodrigues 2021-04-21 1519 btrfs_em_to_iomap(inode, bi->em, srcmap,
f3623890897fee Goldwyn Rodrigues 2021-04-21 1520 pos - sector_offset);
f3623890897fee Goldwyn Rodrigues 2021-04-21 1521 }
f3623890897fee Goldwyn Rodrigues 2021-04-21 1522 }
f3623890897fee Goldwyn Rodrigues 2021-04-21 1523
f3623890897fee Goldwyn Rodrigues 2021-04-21 1524 if ((srcmap->type != IOMAP_HOLE) &&
f3623890897fee Goldwyn Rodrigues 2021-04-21 1525 (end > srcmap->offset + srcmap->length))
f3623890897fee Goldwyn Rodrigues 2021-04-21 1526 write_bytes = srcmap->offset + srcmap->length - pos;

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx