* [PATCH] cifs: cope with negative dentries in cifs_get_root
@ 2011-08-05 13:02 Jeff Layton
2011-08-05 15:03 ` Steve French
[not found] ` <1312549360-4317-1-git-send-email-jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
0 siblings, 2 replies; 7+ messages in thread
From: Jeff Layton @ 2011-08-05 13:02 UTC (permalink / raw)
To: smfrench; +Cc: viro, linux-cifs, linux-fsdevel
The loop around lookup_one_len doesn't handle the case where it might
return a negative dentry, which can cause an oops on the next pass
through the loop. Check for that and break out of the loop with an
error of -ENOENT if there is one.
Fixes the panic reported here:
https://bugzilla.redhat.com/show_bug.cgi?id=727927
Reported-by: TR Bentley <home@trarbentley.net>
Reported-by: Iain Arnell <iarnell@gmail.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: stable@kernel.org
Signed-off-by: Jeff Layton <jlayton@redhat.com>
---
fs/cifs/cifsfs.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 212e562..f93eb94 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -563,6 +563,10 @@ cifs_get_root(struct smb_vol *vol, struct super_block *sb)
mutex_unlock(&dir->i_mutex);
dput(dentry);
dentry = child;
+ if (!dentry->d_inode) {
+ dput(dentry);
+ dentry = ERR_PTR(-ENOENT);
+ }
} while (!IS_ERR(dentry));
_FreeXid(xid);
kfree(full_path);
--
1.7.6
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] cifs: cope with negative dentries in cifs_get_root
[not found] ` <1312549360-4317-1-git-send-email-jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
@ 2011-08-05 14:54 ` Al Viro
[not found] ` <20110805145428.GS2203-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
2011-08-09 5:41 ` Pavel Shilovsky
1 sibling, 1 reply; 7+ messages in thread
From: Al Viro @ 2011-08-05 14:54 UTC (permalink / raw)
To: Jeff Layton
Cc: smfrench-Re5JQEeQqe8AvxtiuMwx3w,
linux-cifs-u79uwXL29TY76Z2rM5mHXA,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA
On Fri, Aug 05, 2011 at 09:02:40AM -0400, Jeff Layton wrote:
> The loop around lookup_one_len doesn't handle the case where it might
> return a negative dentry, which can cause an oops on the next pass
> through the loop. Check for that and break out of the loop with an
> error of -ENOENT if there is one.
Ouch. Nice catch and that one is my damn fault. Do you want that one
to go through cifs or vfs tree? ACK, in any case...
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] cifs: cope with negative dentries in cifs_get_root
[not found] ` <20110805145428.GS2203-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
@ 2011-08-05 15:01 ` Steve French
[not found] ` <CAH2r5mvB8jyZnnSaGCs1Z=NWMCh6LQBpwTR3hY1Fv9pxw54+Kw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
0 siblings, 1 reply; 7+ messages in thread
From: Steve French @ 2011-08-05 15:01 UTC (permalink / raw)
To: Al Viro
Cc: Jeff Layton, linux-cifs-u79uwXL29TY76Z2rM5mHXA,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA
On Fri, Aug 5, 2011 at 9:54 AM, Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org> wrote:
> On Fri, Aug 05, 2011 at 09:02:40AM -0400, Jeff Layton wrote:
>> The loop around lookup_one_len doesn't handle the case where it might
>> return a negative dentry, which can cause an oops on the next pass
>> through the loop. Check for that and break out of the loop with an
>> error of -ENOENT if there is one.
>
> Ouch. Nice catch and that one is my damn fault. Do you want that one
> to go through cifs or vfs tree? ACK, in any case...
Probably safer to go through my tree, reduce chance of merge conflict
Was planning on sending a merge request up soon in any case.
--
Thanks,
Steve
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] cifs: cope with negative dentries in cifs_get_root
2011-08-05 13:02 [PATCH] cifs: cope with negative dentries in cifs_get_root Jeff Layton
@ 2011-08-05 15:03 ` Steve French
[not found] ` <1312549360-4317-1-git-send-email-jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
1 sibling, 0 replies; 7+ messages in thread
From: Steve French @ 2011-08-05 15:03 UTC (permalink / raw)
To: Jeff Layton; +Cc: viro, linux-cifs, linux-fsdevel
On Fri, Aug 5, 2011 at 8:02 AM, Jeff Layton <jlayton@redhat.com> wrote:
> The loop around lookup_one_len doesn't handle the case where it might
> return a negative dentry, which can cause an oops on the next pass
> through the loop. Check for that and break out of the loop with an
> error of -ENOENT if there is one.
>
merged into cifs-2.6.git
--
Thanks,
Steve
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] cifs: cope with negative dentries in cifs_get_root
[not found] ` <CAH2r5mvB8jyZnnSaGCs1Z=NWMCh6LQBpwTR3hY1Fv9pxw54+Kw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2011-08-05 15:15 ` Al Viro
0 siblings, 0 replies; 7+ messages in thread
From: Al Viro @ 2011-08-05 15:15 UTC (permalink / raw)
To: Steve French
Cc: Jeff Layton, linux-cifs-u79uwXL29TY76Z2rM5mHXA,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA
On Fri, Aug 05, 2011 at 10:01:47AM -0500, Steve French wrote:
> On Fri, Aug 5, 2011 at 9:54 AM, Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org> wrote:
> > On Fri, Aug 05, 2011 at 09:02:40AM -0400, Jeff Layton wrote:
> >> The loop around lookup_one_len doesn't handle the case where it might
> >> return a negative dentry, which can cause an oops on the next pass
> >> through the loop. Check for that and break out of the loop with an
> >> error of -ENOENT if there is one.
> >
> > Ouch. ?Nice catch and that one is my damn fault. ?Do you want that one
> > to go through cifs or vfs tree? ?ACK, in any case...
>
> Probably safer to go through my tree, reduce chance of merge conflict
> Was planning on sending a merge request up soon in any case.
OK
Acked-by: Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] cifs: cope with negative dentries in cifs_get_root
[not found] ` <1312549360-4317-1-git-send-email-jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-08-05 14:54 ` Al Viro
@ 2011-08-09 5:41 ` Pavel Shilovsky
[not found] ` <CAKywueRT9cGPu5pCiiYONd7DruBaE2TDvHVVyyELYwM_Ft5e+Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
1 sibling, 1 reply; 7+ messages in thread
From: Pavel Shilovsky @ 2011-08-09 5:41 UTC (permalink / raw)
To: Jeff Layton
Cc: smfrench-Re5JQEeQqe8AvxtiuMwx3w,
viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn,
linux-cifs-u79uwXL29TY76Z2rM5mHXA,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA
2011/8/5 Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>:
> The loop around lookup_one_len doesn't handle the case where it might
> return a negative dentry, which can cause an oops on the next pass
> through the loop. Check for that and break out of the loop with an
> error of -ENOENT if there is one.
>
> Fixes the panic reported here:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=727927
>
> Reported-by: TR Bentley <home-XKIT1lZdXBwO+8BAsp4z4w@public.gmane.org>
> Reported-by: Iain Arnell <iarnell-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> Cc: Al Viro <viro-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
> Cc: stable-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org
> Signed-off-by: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> ---
> fs/cifs/cifsfs.c | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
> index 212e562..f93eb94 100644
> --- a/fs/cifs/cifsfs.c
> +++ b/fs/cifs/cifsfs.c
> @@ -563,6 +563,10 @@ cifs_get_root(struct smb_vol *vol, struct super_block *sb)
> mutex_unlock(&dir->i_mutex);
> dput(dentry);
> dentry = child;
> + if (!dentry->d_inode) {
dentry can be NULL here (returned from lookup_one_len) and it can
cause a null pointer dereference.
> + dput(dentry);
> + dentry = ERR_PTR(-ENOENT);
> + }
> } while (!IS_ERR(dentry));
> _FreeXid(xid);
> kfree(full_path);
> --
> 1.7.6
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
Best regards,
Pavel Shilovsky.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] cifs: cope with negative dentries in cifs_get_root
[not found] ` <CAKywueRT9cGPu5pCiiYONd7DruBaE2TDvHVVyyELYwM_Ft5e+Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2011-08-09 6:38 ` Al Viro
0 siblings, 0 replies; 7+ messages in thread
From: Al Viro @ 2011-08-09 6:38 UTC (permalink / raw)
To: Pavel Shilovsky
Cc: Jeff Layton, smfrench-Re5JQEeQqe8AvxtiuMwx3w,
linux-cifs-u79uwXL29TY76Z2rM5mHXA,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA
On Tue, Aug 09, 2011 at 09:41:33AM +0400, Pavel Shilovsky wrote:
> > ? ? ? ? ? ? ? ?mutex_unlock(&dir->i_mutex);
> > ? ? ? ? ? ? ? ?dput(dentry);
> > ? ? ? ? ? ? ? ?dentry = child;
> > + ? ? ? ? ? ? ? if (!dentry->d_inode) {
>
> dentry can be NULL here (returned from lookup_one_len) and it can
> cause a null pointer dereference.
Not NULL, ERR_PTR(...). IOW, we need to check IS_ERR(dentry) to protect
that check of dentry->d_inode.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2011-08-09 6:38 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-08-05 13:02 [PATCH] cifs: cope with negative dentries in cifs_get_root Jeff Layton
2011-08-05 15:03 ` Steve French
[not found] ` <1312549360-4317-1-git-send-email-jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-08-05 14:54 ` Al Viro
[not found] ` <20110805145428.GS2203-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
2011-08-05 15:01 ` Steve French
[not found] ` <CAH2r5mvB8jyZnnSaGCs1Z=NWMCh6LQBpwTR3hY1Fv9pxw54+Kw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2011-08-05 15:15 ` Al Viro
2011-08-09 5:41 ` Pavel Shilovsky
[not found] ` <CAKywueRT9cGPu5pCiiYONd7DruBaE2TDvHVVyyELYwM_Ft5e+Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2011-08-09 6:38 ` Al Viro
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).