lowerdentry could be NULL, and dereferenced by calling d_inode. code flow which described below shows possibility of null dereference in ovl_get_inode. (export.c) ovl_lower_fh_to_d |_(export.c) ovl_get_dentry(sb, upper, NULL, NULL); |_(export.c) ovl_obtain_alias (sb, upper, NULL, NULL); |_(inode.c) ovl_get_inode(sb, &oip); |_(in ovl_get_inode) realinode = d_inode(lowerdentry); Fixes: 09d8b586731bf("ovl: move __upperdentry to ovl_inode") Signed-off-by: youngjun <her0gyugyu@xxxxxxxxx> --- fs/overlayfs/inode.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c index 8be6cd264f66..53d82ef68ba8 100644 --- a/fs/overlayfs/inode.c +++ b/fs/overlayfs/inode.c @@ -958,8 +958,10 @@ struct inode *ovl_get_inode(struct super_block *sb, unsigned long ino = 0; int err = oip->newinode ? -EEXIST : -ENOMEM; - if (!realinode) + if (!realinode && lowerdentry) realinode = d_inode(lowerdentry); + else + return ERR_PTR(-EINVAL); /* * Copy up origin (lower) may exist for non-indexed upper, but we must -- 2.17.1
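Review bot: the new `else` branch in the `ovl_get_inode` hunk is attached to the wrong condition and will turn the common case into an error. With `if (!realinode && lowerdentry) ... else return ERR_PTR(-EINVAL);`, the `else` fires not only when `lowerdentry` is NULL but also whenever `realinode` is already set (the upper-dentry path that the surrounding code handles before this check), so every inode that has an upper inode would now fail with -EINVAL. Keep the original `if (!realinode)` and nest the NULL check inside it, e.g. `if (!realinode) { if (!lowerdentry) return ERR_PTR(-EINVAL); realinode = d_inode(lowerdentry); }`; also consider routing the failure through the function's existing `err` variable and error path rather than returning directly, so cleanup and the warning behaviour stay consistent with the other error cases in this function. The `Fixes:` line is also missing the space between the commit id and the quoted subject.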