ceph: fix potential NULL dereference issue in ceph_fill_trace()

The Coverity Scan service has detected a potential dereference of
an explicit NULL value in ceph_fill_trace() [1].

The variable in is declared in the beggining of
ceph_fill_trace() [2]:

struct inode *in = NULL;

However, the initialization of the variable is happening under
condition [3]:

if (rinfo->head->is_target) {
    <skipped>
    in = req->r_target_inode;
    <skipped>
}

Potentially, if rinfo->head->is_target == FALSE, then
in variable continues to be NULL and later the dereference of
NULL value could happen in ceph_fill_trace() logic [4,5]:

else if ((req->r_op == CEPH_MDS_OP_LOOKUPSNAP ||
            req->r_op == CEPH_MDS_OP_MKSNAP) &&
            test_bit(CEPH_MDS_R_PARENT_LOCKED, &req->r_req_flags) &&
             !test_bit(CEPH_MDS_R_ABORTED, &req->r_req_flags)) {
<skipped>
     ihold(in);
     err = splice_dentry(&req->r_dentry, in);
     if (err < 0)
         goto done;
}

This patch adds the checking of in variable for NULL value
and it returns -EINVAL error code if it has NULL value.

v2
Alex Markuze suggested to add unlikely macro
in the checking condition.

[1] https://scan5.scan.coverity.com/#/project-view/64304/10063?selectedIssue=1141197
[2] https://elixir.bootlin.com/linux/v6.17-rc3/source/fs/ceph/inode.c#L1522
[3] https://elixir.bootlin.com/linux/v6.17-rc3/source/fs/ceph/inode.c#L1629
[4] https://elixir.bootlin.com/linux/v6.17-rc3/source/fs/ceph/inode.c#L1745
[5] https://elixir.bootlin.com/linux/v6.17-rc3/source/fs/ceph/inode.c#L1777

Signed-off-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>

diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
index f67025465de0dae7d6e50748f091af4a90ef226a..03a8f2e3341e606339283e2c751a93bf6db78baa 100644 (file)
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -1793,6 +1793,11 @@ retry_lookup:
                        goto done;
                }
 
+               if (unlikely(!in)) {
+                       err = -EINVAL;
+                       goto done;
+               }
+
                /* attach proper inode */
                if (d_really_is_negative(dn)) {
                        ceph_dir_clear_ordered(dir);
@@ -1828,6 +1833,12 @@ retry_lookup:
                doutc(cl, " linking snapped dir %p to dn %p\n", in,
                      req->r_dentry);
                ceph_dir_clear_ordered(dir);
+
+               if (unlikely(!in)) {
+                       err = -EINVAL;
+                       goto done;
+               }
+
                ihold(in);
                err = splice_dentry(&req->r_dentry, in);
                if (err < 0)