From: Jesper Juhl <jesper.juhl@gmail.com>
To: linux-kernel@vger.kernel.org
Cc: Rick Sladkey <jrs@world.std.com>, Olaf Kirch <okir@monad.swb.de>,
Neil Brown <neilb@cse.unsw.edu.au>,
Trond Myklebust <trond.myklebust@fys.uio.no>,
nfs@lists.sourceforge.net
Subject: [PATCH] NFS: possible NULL pointer deref in nfs_sillyrename()
Date: Thu, 17 Aug 2006 00:22:28 +0200 [thread overview]
Message-ID: <200608170022.29168.jesper.juhl@gmail.com> (raw)
The coverity checker spotted this as bug #1013.
If we get a NULL dentry->d_inode, then regardless of
NFS_PARANOIA or no NFS_PARANOIA, then if
if (dentry->d_flags & DCACHE_NFSFS_RENAMED)
turns out to be false we'll end up dereferencing
that NULL d_inode in two places below.
And since the check for "(!dentry->d_inode)" even exists
(although inside #ifdef NFS_PARANOIA) I take that to mean
that this is a possibility.
And the fact that we check
if (dentry->d_flags & DCACHE_NFSFS_RENAMED)
must also mean that there are cases where the check could
fail.
So, we can get in trouble here :
1) as an arg to sprintf() :
sprintf(silly, ".nfs%*.*lx",
i_inosize, i_inosize, dentry->d_inode->i_ino);
2) or we pass it to nfs_inode_return_delegation() which then dereferences it.
nfs_inode_return_delegation(dentry->d_inode);
I propose the following patch to handle this.
Compile tested only.
If this patch is somehow incorrect I'd appreciate an explanation of why :)
Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
---
fs/nfs/dir.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
--- linux-2.6.18-rc4-orig/fs/nfs/dir.c 2006-08-11 00:11:12.000000000 +0200
+++ linux-2.6.18-rc4/fs/nfs/dir.c 2006-08-17 00:06:23.000000000 +0200
@@ -1299,15 +1299,15 @@ static int nfs_sillyrename(struct inode
atomic_read(&dentry->d_count));
nfs_inc_stats(dir, NFSIOS_SILLYRENAME);
-#ifdef NFS_PARANOIA
-if (!dentry->d_inode)
-printk("NFS: silly-renaming %s/%s, negative dentry??\n",
-dentry->d_parent->d_name.name, dentry->d_name.name);
-#endif
+ error = -EBUSY;
+ if (!dentry->d_inode) {
+ printk("NFS: silly-renaming %s/%s, negative dentry??\n",
+ dentry->d_parent->d_name.name, dentry->d_name.name);
+ goto out;
+ }
/*
* We don't allow a dentry to be silly-renamed twice.
*/
- error = -EBUSY;
if (dentry->d_flags & DCACHE_NFSFS_RENAMED)
goto out;
next reply other threads:[~2006-08-16 22:21 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-16 22:22 Jesper Juhl [this message]
2006-08-17 0:16 ` [PATCH] NFS: possible NULL pointer deref in nfs_sillyrename() Trond Myklebust
2006-08-17 10:05 ` Jesper Juhl
2006-09-19 0:25 ` Kill NFS_PARANOIA (was: Re: [PATCH] NFS: possible NULL pointer deref in nfs_sillyrename() ) Jesper Juhl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200608170022.29168.jesper.juhl@gmail.com \
--to=jesper.juhl@gmail.com \
--cc=jrs@world.std.com \
--cc=linux-kernel@vger.kernel.org \
--cc=neilb@cse.unsw.edu.au \
--cc=nfs@lists.sourceforge.net \
--cc=okir@monad.swb.de \
--cc=trond.myklebust@fys.uio.no \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox