btrfs-progs: extent_io: Fix NULL pointer dereference in free_extent_buffer_final()

In free_extent_buffer_final() we access eb->tree->cache_size in
BUG_ON().  However eb->tree can be NULL if it's a cloned extent buffer.

Currently the cloned extent buffer is only used in backref.c,
paths_from_inode() function.  Thankfully that function is not used yet
(but could be pretty useful to convert inode number to path, so I'd like
to keep such function).

Anyway, check eb->tree before accessing its member.

Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
Signed-off-by: David Sterba <dsterba@suse.com>

diff --git a/extent_io.c b/extent_io.c
index eda1fb6..986ad5c 100644 (file)
--- a/extent_io.c
+++ b/extent_io.c
@@ -587,7 +587,7 @@ static void free_extent_buffer_final(struct extent_buffer *eb)
        struct extent_io_tree *tree = eb->tree;
 
        BUG_ON(eb->refs);
-       BUG_ON(tree->cache_size < eb->len);
+       BUG_ON(tree && tree->cache_size < eb->len);
        list_del_init(&eb->lru);
        if (!(eb->flags & EXTENT_BUFFER_DUMMY)) {
                remove_cache_extent(&tree->cache, &eb->cache_node);