2011/8/5 Jeff Layton <jlayton@xxxxxxxxxx>: > The loop around lookup_one_len doesn't handle the case where it might > return a negative dentry, which can cause an oops on the next pass > through the loop. Check for that and break out of the loop with an > error of -ENOENT if there is one. > > Fixes the panic reported here: > > https://bugzilla.redhat.com/show_bug.cgi?id=727927 > > Reported-by: TR Bentley <home@xxxxxxxxxxxxxxx> > Reported-by: Iain Arnell <iarnell@xxxxxxxxx> > Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx> > Cc: stable@xxxxxxxxxx > Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx> > --- > fs/cifs/cifsfs.c | 4 ++++ > 1 files changed, 4 insertions(+), 0 deletions(-) > > diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c > index 212e562..f93eb94 100644 > --- a/fs/cifs/cifsfs.c > +++ b/fs/cifs/cifsfs.c > @@ -563,6 +563,10 @@ cifs_get_root(struct smb_vol *vol, struct super_block *sb) > mutex_unlock(&dir->i_mutex); > dput(dentry); > dentry = child; > + if (!dentry->d_inode) { dentry can be NULL here (returned from lookup_one_len) and it can cause a null pointer dereference. > + dput(dentry); > + dentry = ERR_PTR(-ENOENT); > + } > } while (!IS_ERR(dentry)); > _FreeXid(xid); > kfree(full_path); > -- > 1.7.6 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-cifs" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- Best regards, Pavel Shilovsky. -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
