From: Julia Lawall <julia@diku.dk>
This code is preceded by a call to btrfs_alloc_path, which allocates some
memory. There is some error handling code at the end of the function that
frees it, which can be reused with a little reordering of the cleanup labels.
A simplified version of the semantic match that finds this problem is:
(http://coccinelle.lip6.fr/)
// <smpl>
@r exists@
local idexpression x;
expression E;
identifier f1;
iterator I;
@@
x = btrfs_alloc_path(...);
<... when != x
when != true (x == NULL || ...)
when != if (...) { <+...x...+> }
when != I (...) { <+...x...+> }
(
x == NULL
|
x == E
|
x->f1
)
...>
* return ...;
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
---
fs/btrfs/inode.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index c038644..d38587c 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4438,15 +4438,14 @@ static struct inode *btrfs_new_inode(struct
btrfs_trans_handle *trans,
BUG_ON(!path);
inode = new_inode(root->fs_info->sb);
- if (!inode)
- return ERR_PTR(-ENOMEM);
-
+ if (!inode) {
+ ret = -ENOMEM;
+ goto fail_path;
+ }
if (dir) {
ret = btrfs_set_inode_index(dir, index);
- if (ret) {
- iput(inode);
- return ERR_PTR(ret);
- }
+ if (ret)
+ goto fail_inode;
}
/*
* index_cnt is ignored for everything but a dir,
@@ -4519,8 +4518,10 @@ static struct inode *btrfs_new_inode(struct
btrfs_trans_handle *trans,
fail:
if (dir)
BTRFS_I(dir)->index_cnt--;
- btrfs_free_path(path);
+fail_inode:
iput(inode);
+fail_path:
+ btrfs_free_path(path);
return ERR_PTR(ret);
}
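Review bot: The three labels at the end of btrfs_new_inode now form a fall-through chain (`fail:` undoes the index_cnt bump, `fail_inode:` drops the inode, `fail_path:` frees the path) and nothing in the hunk states that each later label is also the tail of the earlier ones; a one-line comment above `fail:` such as `/* unwind in reverse order of acquisition: index_cnt, then inode, then path */` would make the ordering constraint explicit for the next error path someone adds. The chain also relies on `ret` holding the error code at every jump; the two new jumps in the first hunk set it before the `goto`, but any future jump to `fail_inode:` or `fail_path:` must do the same, so the comment should say so. btrfs_new_inode begins outside this hunk, so I cannot see whether other `return ERR_PTR(...)` exits between the two hunks still bypass this cleanup.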