On 08/11/2018 08:35 AM, Darrick J. Wong wrote:
From: Darrick J. Wong <darrick.wong@xxxxxxxxxx> The VFS routine that calls ->get_link blindly copies whatever's returned into the user's buffer. If we return a NULL pointer, the vfs will crash on the null pointer. Therefore, return -EFSCORRUPTED instead of blowing up the kernel. Reported-by: wen.xu@xxxxxxxxxx Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx> --- fs/xfs/xfs_iops.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c index 0ef5ad7fb851..26007a9db49d 100644 --- a/fs/xfs/xfs_iops.c +++ b/fs/xfs/xfs_iops.c @@ -471,8 +471,16 @@ xfs_vn_get_link_inline( struct inode *inode, struct delayed_call *done) { + char *ptr; + ASSERT(XFS_I(inode)->i_df.if_flags & XFS_IFINLINE); - return XFS_I(inode)->i_df.if_u1.if_data; + + /* + * The VFS crashes on a NULL pointer, so return -EFSCORRUPTED if + * if_data is junk. + */ + ptr = XFS_I(inode)->i_df.if_u1.if_data; + return ptr ? ptr : ERR_PTR(-EFSCORRUPTED); }STATIC int
Ok, looks fine. Reviewed-by: Allison Henderson <allison.henderson@xxxxxxxxxx>
