btrfs: init csum_list before possible free

commit e49be14b8d80e23bb7c53d78c21717a474ade76b upstream.

The scrub_ctx csum_list member must be initialized before scrub_free_ctx
is called. If the csum_list is not initialized beforehand, the
list_empty call in scrub_free_csums will result in a null deref if the
allocation fails in the for loop.

Fixes: a2de733c78fa ("btrfs: scrub")
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Dan Robertson <dan@dlrobertson.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
index 8dddedcfa96137c114142bee4a6ce4bc1069cb40..70edd60db654fc270cc1405b45fd8fe4f5411fc8 100644 (file)
--- a/fs/btrfs/scrub.c
+++ b/fs/btrfs/scrub.c
@@ -417,6 +417,7 @@ struct scrub_ctx *scrub_setup_ctx(struct btrfs_device *dev, int is_dev_replace)
        sctx->pages_per_rd_bio = pages_per_rd_bio;
        sctx->curr = -1;
        sctx->dev_root = dev->dev_root;
+       INIT_LIST_HEAD(&sctx->csum_list);
        for (i = 0; i < SCRUB_BIOS_PER_SCTX; ++i) {
                struct scrub_bio *sbio;
 
@@ -444,7 +445,6 @@ struct scrub_ctx *scrub_setup_ctx(struct btrfs_device *dev, int is_dev_replace)
        atomic_set(&sctx->workers_pending, 0);
        atomic_set(&sctx->cancel_req, 0);
        sctx->csum_size = btrfs_super_csum_size(fs_info->super_copy);
-       INIT_LIST_HEAD(&sctx->csum_list);
 
        spin_lock_init(&sctx->list_lock);
        spin_lock_init(&sctx->stat_lock);