aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOleg Drokin <green@linuxhacker.ru>2006-03-25 06:06:54 -0500
committerLinus Torvalds <torvalds@g5.osdl.org>2006-03-25 11:22:51 -0500
commit4af4c52f34606bdaab6930a845550c6fb02078a4 (patch)
treea61f9a164fea1819c3bfb970dbffa5d778935965
parent8d8c85117fbcbaea7718870ad4b1ddd12940d9b0 (diff)
[PATCH] Missed error checking for intent's filp in open_namei().
It seems there is error check missing in open_namei for errors returned through intent.open.file (from lookup_instantiate_filp). If there is plain open performed, then such a check done inside __path_lookup_intent_open called from path_lookup_open(), but when the open is performed with O_CREAT flag set, then __path_lookup_intent_open is only called with LOOKUP_PARENT set where no file opening can occur yet. Later on lookup_hash is called where exact opening might take place and intent.open.file may be filled. If it is filled with error value of some sort, then we get kernel attempting to dereference this error value as address (and corresponding oops) in nameidata_to_filp() called from filp_open(). While this is relatively simple to workaround in ->lookup() method by just checking lookup_instantiate_filp() return value and returning error as needed, this is not so easy in ->d_revalidate(), where we can only return "yes, dentry is valid" or "no, dentry is invalid, perform full lookup again", and just returning 0 on error would cause extra lookup (with potential extra costly RPCs). So in short, I believe that there should be no difference in error handling for opening a file and creating a file in open_namei() and propose this simple patch as a solution. Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--fs/namei.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/fs/namei.c b/fs/namei.c
index c72b940797fc..1baf1b06fe47 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1628,6 +1628,12 @@ do_last:
1628 goto exit; 1628 goto exit;
1629 } 1629 }
1630 1630
1631 if (IS_ERR(nd->intent.open.file)) {
1632 mutex_unlock(&dir->d_inode->i_mutex);
1633 error = PTR_ERR(nd->intent.open.file);
1634 goto exit_dput;
1635 }
1636
1631 /* Negative dentry, just create the file */ 1637 /* Negative dentry, just create the file */
1632 if (!path.dentry->d_inode) { 1638 if (!path.dentry->d_inode) {
1633 if (!IS_POSIXACL(dir->d_inode)) 1639 if (!IS_POSIXACL(dir->d_inode))