Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp13857796pxu; Mon, 4 Jan 2021 06:26:48 -0800 (PST) X-Google-Smtp-Source: ABdhPJyGrBWBISC0te1OHQM5+W3SORDhVcdI5iBm3Xirz7HFT8z9PTaNEYrcyx/C0PTPVpZdkyk9 X-Received: by 2002:a17:906:aac1:: with SMTP id kt1mr64144666ejb.329.1609770408416; Mon, 04 Jan 2021 06:26:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1609770408; cv=none; d=google.com; s=arc-20160816; b=cS2cG7xjrSv7KHl+560bnHFoE2tbLoDYC9FlavGJ/5OXnoOyYPaOR3yAcdtQdzmYxA yurU16WvPUBMVvwD6lWjuB3zzahSLDdIhuiCiw3Ow/SRCb74Zaq5SP0CibYgzgSmSdUx TfCF1Gq7DDjJzYxArbr1RZpcVnq8iYiE21k2PPWk33t6E13EErMtGVDhaiv+/vsKyc9X iTyPulH1Bp233E7/UQ2nqUgQbw/JMFwqPXG3eW/jhW3mqeB0vK4IrKTKmzsUp50YENoK cbj9ctr9U/aF7jpw8OjFW+MQlzuUV+6ncQt3BY1C5h9lH/aIx3Vif8eoMVH8Qrduc8bL KV4w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :mime-version:user-agent:date:message-id:subject:from:cc:to; bh=RGJ+RN3GL2xk7VXhq7pPX63eRyuzrdpoBxBi8CrZcs4=; b=a+K+jcDVlN6NV8TOv2//stLfbPirT9U4KhsOMw7cQRxtqoeIVuCTCDWwwQt3HKZYVs +Gs2C7RD37tvdo2vY9dsOs+KmGbLZ5GYZWVZ807DGKDgbZcbwHYkeZtFL7P7GvmJY7jp 6h7+m1FNJk7rhrGNyi1sVHKBfIc4gFdaYhfdhR/fzBUin3sckhlVBY5bdgRw+RYl4lC0 dM7t6PMHGCSddzD7Fb7oY64dSrg362/EXyUGU0pFe+UZaAsds/wtzSFlEemEJkm76M7M 7v+G3eLNoyH0Tst40/DwtB6AxtmUldvPh9LCGySTfJAZlT0ae9/0jW2qLm52oFqvn8t+ zjtg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s18si31885645ejd.607.2021.01.04.06.26.25; Mon, 04 Jan 2021 06:26:48 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726419AbhADOZX (ORCPT + 99 others); Mon, 4 Jan 2021 09:25:23 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:49197 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726029AbhADOZW (ORCPT ); Mon, 4 Jan 2021 09:25:22 -0500 Received: from 1.general.cking.uk.vpn ([10.172.193.212]) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1kwQml-0008BG-Tt; Mon, 04 Jan 2021 14:24:40 +0000 To: Daeho Jeong Cc: Chao Yu , Jaegeuk Kim , linux-f2fs-devel@lists.sourceforge.net, "linux-kernel@vger.kernel.org" From: Colin Ian King Subject: re: f2fs: add F2FS_IOC_DECOMPRESS_FILE and F2FS_IOC_COMPRESS_FILE Message-ID: <1acf4202-e5e6-f3fb-73c3-11bc965d3058@canonical.com> Date: Mon, 4 Jan 2021 14:24:39 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, Static analysis using Coverity has detected a potential null pointer dereference after a null check in the following commit: commit 5fdb322ff2c2b4ad519f490dcb7ebb96c5439af7 Author: Daeho Jeong Date: Thu Dec 3 15:56:15 2020 +0900 f2fs: add F2FS_IOC_DECOMPRESS_FILE and F2FS_IOC_COMPRESS_FILE The analysis is as follows: 4025 static int redirty_blocks(struct inode *inode, pgoff_t page_idx, int len) 4026 { 4027 DEFINE_READAHEAD(ractl, NULL, inode->i_mapping, page_idx); 4028 struct address_space *mapping = inode->i_mapping; 4029 struct page *page; 4030 pgoff_t redirty_idx = page_idx; 4031 int i, page_len = 0, ret = 0; 4032 4033 page_cache_ra_unbounded(&ractl, len, 0); 4034 1. Condition i < len, taking true branch. 4. Condition i < len, taking true branch. 4035 for (i = 0; i < len; i++, page_idx++) { 4036 page = read_cache_page(mapping, page_idx, NULL, NULL); 2. Condition IS_ERR(page), taking false branch. 5. Condition IS_ERR(page), taking true branch. 4037 if (IS_ERR(page)) { 4038 ret = PTR_ERR(page); 6. Breaking from loop. 4039 break; 4040 } 4041 page_len++; 3. Jumping back to the beginning of the loop. 4042 } 4043 7. Condition i < page_len, taking true branch. 4044 for (i = 0; i < page_len; i++, redirty_idx++) { 4045 page = find_lock_page(mapping, redirty_idx); 8. Condition !page, taking true branch. 9. var_compare_op: Comparing page to null implies that page might be null. 4046 if (!page) 4047 ret = -ENOENT; Dereference after null check (FORWARD_NULL) 10. var_deref_model: Passing null pointer page to set_page_dirty, which dereferences it. 4048 set_page_dirty(page); 4049 f2fs_put_page(page, 1); 4050 f2fs_put_page(page, 0); 4051 } 4052 4053 return ret; 4054 } The !page check on line 4046 sets ret appropriately but we have a following call to set_page_dirty on a null page that causes the error. Not sure how this should be fixed, should the check bail out immediately or just avoid the following set_page_dirty anf f2fs_put_page calls? Colin