[CHECKER] Dereference of NULL pointer in VFS (2.4.19)

[Junfeng Yang]

Hi,

We came accross this warning in fs/super.c.  Please confirm or clarify,
thanks!

-Junfeng


[BUG] bd_acquire's returns -ENOMEM when it fails to acquire the bdev.
get_sb_bdev does not check the return of bd_acquire.  It then dereferens
the potential NULL pointer inode->i_bdev.

fs/super.c
static struct super_block *get_sb_bdev(struct file_system_type *fs_type,
	int flags, char *dev_name, void * data)
{
	...
Alloc-->
	bd_acquire(inode);
	bdev = inode->i_bdev;
	de = devfs_get_handle_from_inode (inode);
	bdops = devfs_get_ops (de);         /*  Increments module use count  */
	if (bdops) bdev->bd_op = bdops;
	/* Done with lookups, semaphore down */
Deref-->
	dev = to_kdev_t(bdev->bd_dev);
	...
}


fs/block_dev.c
int bd_acquire(struct inode *inode)
{
	struct block_device *bdev;
	spin_lock(&bdev_lock);
	if (inode->i_bdev) {
		atomic_inc(&inode->i_bdev->bd_count);
		spin_unlock(&bdev_lock);
		return 0;
	}
	spin_unlock(&bdev_lock);
	bdev = bdget(kdev_t_to_nr(inode->i_rdev));
	if (!bdev)
		return -ENOMEM;
	spin_lock(&bdev_lock);
	if (!inode->i_bdev) {
		inode->i_bdev = bdev;
		inode->i_mapping = bdev->bd_inode->i_mapping;
		list_add(&inode->i_devices, &bdev->bd_inodes);
	} else if (inode->i_bdev != bdev)
		BUG();
	spin_unlock(&bdev_lock);
	return 0;
}

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/