From: Qu Wenruo Date: Fri, 30 Mar 2018 05:48:53 +0000 (+0800) Subject: btrfs-progs: extent_io: Fix NULL pointer dereference in free_extent_buffer_final() X-Git-Tag: upstream/4.16.1~11 X-Git-Url: http://review.tizen.org/git/?p=platform%2Fupstream%2Fbtrfs-progs.git;a=commitdiff_plain;h=98d5d325a887b6c061096c141eef10755762bbcf btrfs-progs: extent_io: Fix NULL pointer dereference in free_extent_buffer_final() In free_extent_buffer_final() we access eb->tree->cache_size in BUG_ON(). However eb->tree can be NULL if it's a cloned extent buffer. Currently the cloned extent buffer is only used in backref.c, paths_from_inode() function. Thankfully that function is not used yet (but could be pretty useful to convert inode number to path, so I'd like to keep such function). Anyway, check eb->tree before accessing its member. Signed-off-by: Qu Wenruo Reviewed-by: Lu Fengqi Signed-off-by: David Sterba --- diff --git a/extent_io.c b/extent_io.c index eda1fb6..986ad5c 100644 --- a/extent_io.c +++ b/extent_io.c @@ -587,7 +587,7 @@ static void free_extent_buffer_final(struct extent_buffer *eb) struct extent_io_tree *tree = eb->tree; BUG_ON(eb->refs); - BUG_ON(tree->cache_size < eb->len); + BUG_ON(tree && tree->cache_size < eb->len); list_del_init(&eb->lru); if (!(eb->flags & EXTENT_BUFFER_DUMMY)) { remove_cache_extent(&tree->cache, &eb->cache_node);
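Review bot: In the unchanged context directly after the modified assertion, `remove_cache_extent(&tree->cache, &eb->cache_node);` still uses `tree` whenever `EXTENT_BUFFER_DUMMY` is not set, so the new `tree &&` guard protects only the BUG_ON. If a cloned buffer with `eb->tree == NULL` can reach free_extent_buffer_final() without that flag, the NULL dereference just moves a few lines down. The hunk does not show whether cloned buffers always carry the flag, so make the invariant explicit, for example with `BUG_ON(!tree && !(eb->flags & EXTENT_BUFFER_DUMMY));` or by adding `tree` to the `if` condition. Because the commit message says paths_from_inode() has no caller yet, a short comment above the check explaining when `eb->tree` is NULL would also keep the guard from looking redundant to later readers.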