From: Mingming Cao <cmm@us.ibm.com>
To: Andrew Morton <akpm@osdl.org>,
linux-kernel@vger.kernel.org, marcelo.tosatti@cyclades.com
Cc: Paul.McKenney@us.ibm.com
Subject: [BUG]Missing i_sb NULL pointer check in destroy_inode()
Date: 24 Nov 2003 11:00:38 -0800
Message-ID: <1069700440.16649.19433.camel@localhost.localdomain>
In-Reply-To: <20031109152936.3a9ffb69.akpm@osdl.org>
Hello, Andrew, Marcelo,

destroy_inode() dereferences inode->i_sb without checking if it is NULL.
This is inconsistent with its callers: iput() and clear_inode(), both of
which check inode->i_sb before dereferencing it. Since iput() calls
destroy_inode() after calling the file system's .clear_inode method (via
clear_inode()), some file systems might choose to clear the i_sb in the
.clear_inode super block operation. This results in a crash in
destroy_inode().

This issue exists in both 2.6, 2.4 and 2.4 kernel. A simple fix against
2.6.0-test9 is included below. A 2.4-based fix should be very similar to
this one. Please take a look and consider including it.

Many thanks!!

--Mingming
----------------------------------------------------------
diff -urNp linux-2.6.0-test9/fs/inode.c a/fs/inode.c
--- linux-2.6.0-test9/fs/inode.c 2003-10-25 11:44:53.000000000 -0700
+++ a/fs/inode.c 2003-11-20 17:28:04.000000000 -0800
@@ -160,7 +160,7 @@ void destroy_inode(struct inode *inode)
if (inode_has_buffers(inode))
BUG();
security_inode_free(inode);
- if (inode->i_sb->s_op->destroy_inode)
+ if (inode->i_sb && inode->i_sb->s_op->destroy_inode)
inode->i_sb->s_op->destroy_inode(inode);
else
kmem_cache_free(inode_cachep, (inode));
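
Review bot: With the added `inode->i_sb &&` test, an inode whose i_sb has been cleared falls into the else branch and is released with `kmem_cache_free(inode_cachep, (inode));`, even when its filesystem provides its own s_op->destroy_inode. If that filesystem allocated the inode from its own cache, the object is handed back to the wrong slab cache, which trades a NULL dereference for possible allocator corruption. Consider requiring that .clear_inode leave i_sb intact until destroy_inode() has run, or at least warning when i_sb is NULL here instead of silently falling through. A short comment explaining why i_sb can be NULL at this point would also help the next reader.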