diff options
author | J. Bruce Fields <bfields@citi.umich.edu> | 2009-05-05 19:04:29 -0400 |
---|---|---|
committer | J. Bruce Fields <bfields@citi.umich.edu> | 2009-05-06 16:16:36 -0400 |
commit | b2c0cea6b1cb210e962f07047df602875564069e (patch) | |
tree | f6327b45df075955d8ef9e9ad93c453ea5fc7a4c | |
parent | ccecee1e5e42981f5eb37f4411e8552b9db04d30 (diff) |
nfsd4: check for negative dentry before use in nfsv4 readdir
After 2f9092e1020246168b1309b35e085ecd7ff9ff72 "Fix i_mutex vs. readdir
handling in nfsd" (and 14f7dd63 "Copy XFS readdir hack into nfsd code"),
an entry may be removed between the first mutex_unlock and the second
mutex_lock. In this case, lookup_one_len() will return a negative
dentry. Check for this case to avoid a NULL dereference.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Reviewed-by: J. R. Okajima <hooanon05@yahoo.co.jp>
Cc: stable@kernel.org
-rw-r--r-- | fs/nfsd/nfs4xdr.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index b820c311931c..b73549d293be 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c | |||
@@ -2214,6 +2214,15 @@ nfsd4_encode_dirent_fattr(struct nfsd4_readdir *cd, | |||
2214 | dentry = lookup_one_len(name, cd->rd_fhp->fh_dentry, namlen); | 2214 | dentry = lookup_one_len(name, cd->rd_fhp->fh_dentry, namlen); |
2215 | if (IS_ERR(dentry)) | 2215 | if (IS_ERR(dentry)) |
2216 | return nfserrno(PTR_ERR(dentry)); | 2216 | return nfserrno(PTR_ERR(dentry)); |
2217 | if (!dentry->d_inode) { | ||
2218 | /* | ||
2219 | * nfsd_buffered_readdir drops the i_mutex between | ||
2220 | * readdir and calling this callback, leaving a window | ||
2221 | * where this directory entry could have gone away. | ||
2222 | */ | ||
2223 | dput(dentry); | ||
2224 | return nfserr_noent; | ||
2225 | } | ||
2217 | 2226 | ||
2218 | exp_get(exp); | 2227 | exp_get(exp); |
2219 | /* | 2228 | /* |
@@ -2276,6 +2285,7 @@ nfsd4_encode_dirent(void *ccdv, const char *name, int namlen, | |||
2276 | struct nfsd4_readdir *cd = container_of(ccd, struct nfsd4_readdir, common); | 2285 | struct nfsd4_readdir *cd = container_of(ccd, struct nfsd4_readdir, common); |
2277 | int buflen; | 2286 | int buflen; |
2278 | __be32 *p = cd->buffer; | 2287 | __be32 *p = cd->buffer; |
2288 | __be32 *cookiep; | ||
2279 | __be32 nfserr = nfserr_toosmall; | 2289 | __be32 nfserr = nfserr_toosmall; |
2280 | 2290 | ||
2281 | /* In nfsv4, "." and ".." never make it onto the wire.. */ | 2291 | /* In nfsv4, "." and ".." never make it onto the wire.. */ |
@@ -2292,7 +2302,7 @@ nfsd4_encode_dirent(void *ccdv, const char *name, int namlen, | |||
2292 | goto fail; | 2302 | goto fail; |
2293 | 2303 | ||
2294 | *p++ = xdr_one; /* mark entry present */ | 2304 | *p++ = xdr_one; /* mark entry present */ |
2295 | cd->offset = p; /* remember pointer */ | 2305 | cookiep = p; |
2296 | p = xdr_encode_hyper(p, NFS_OFFSET_MAX); /* offset of next entry */ | 2306 | p = xdr_encode_hyper(p, NFS_OFFSET_MAX); /* offset of next entry */ |
2297 | p = xdr_encode_array(p, name, namlen); /* name length & name */ | 2307 | p = xdr_encode_array(p, name, namlen); /* name length & name */ |
2298 | 2308 | ||
@@ -2306,6 +2316,8 @@ nfsd4_encode_dirent(void *ccdv, const char *name, int namlen, | |||
2306 | goto fail; | 2316 | goto fail; |
2307 | case nfserr_dropit: | 2317 | case nfserr_dropit: |
2308 | goto fail; | 2318 | goto fail; |
2319 | case nfserr_noent: | ||
2320 | goto skip_entry; | ||
2309 | default: | 2321 | default: |
2310 | /* | 2322 | /* |
2311 | * If the client requested the RDATTR_ERROR attribute, | 2323 | * If the client requested the RDATTR_ERROR attribute, |
@@ -2324,6 +2336,8 @@ nfsd4_encode_dirent(void *ccdv, const char *name, int namlen, | |||
2324 | } | 2336 | } |
2325 | cd->buflen -= (p - cd->buffer); | 2337 | cd->buflen -= (p - cd->buffer); |
2326 | cd->buffer = p; | 2338 | cd->buffer = p; |
2339 | cd->offset = cookiep; | ||
2340 | skip_entry: | ||
2327 | cd->common.err = nfs_ok; | 2341 | cd->common.err = nfs_ok; |
2328 | return 0; | 2342 | return 0; |
2329 | fail: | 2343 | fail: |