Hi,

3.10.46 backported aa07c713ecfc0522916f3cd57ac628ea6127c0ec from 3.15. This triggers a NULL pointer dereference in all kernels < 3.14:
https://bugs.launchpad.net/debian/+source/linux/+bug/1348670/comments/5

The original upstream fix is not applicable, but Ben already merged a targeted fix for older kernels in 3.2.64 (which also backported aa07c713ecfc0522916f3cd57ac628ea6127c0ec) (as attached):
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=5b6da64a7e447eadce0d3e201c0fd6f540f2ec93

This fix is also needed for 3.10.x (and other stable series < 3.14 which have backported aa07c713ecfc0522916f3cd57ac628ea6127c0ec).

Cheers,
Moritz

--
Moritz Mühlenhoff
Open Source Software Engineer
Univention GmbH
be open.
Mary-Somerville-Str.1
28359 Bremen
Tel. : +49 421 22232-0 [.....]
Fax : +49 421 22232-99
muehlenhoff@xxxxxxxxxxxxx
http://www.univention.de
Geschäftsführer: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Steuer-Nr.: 71-597-02876
From 5b6da64a7e447eadce0d3e201c0fd6f540f2ec93 Mon Sep 17 00:00:00 2001 From: Sergio Gelato <Sergio.Gelato@xxxxxxxxxxx> Date: Wed, 24 Sep 2014 08:47:24 +0200 Subject: nfsd: Fix ACL null pointer deref BugLink: http://bugs.launchpad.net/bugs/1348670 Fix regression introduced in pre-3.14 kernels by cherry-picking aa07c713ecfc0522916f3cd57ac628ea6127c0ec (NFSD: Call ->set_acl with a NULL ACL structure if no entries). The affected code was removed in 3.14 by commit 4ac7249ea5a0ceef9f8269f63f33cc873c3fac61 (nfsd: use get_acl and ->set_acl). The ->set_acl methods are already able to cope with a NULL argument. Signed-off-by: Sergio Gelato <Sergio.Gelato@xxxxxxxxxxx> [bwh: Rewrite the subject] Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx> diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c index 11e1888..e2e7914 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c @@ -508,6 +508,9 @@ set_nfsv4_acl_one(struct dentry *dentry, struct posix_acl *pacl, char *key) char *buf = NULL; int error = 0; + if (!pacl) + return vfs_setxattr(dentry, key, NULL, 0, 0); + buflen = posix_acl_xattr_size(pacl->a_count); buf = kmalloc(buflen, GFP_KERNEL); error = -ENOMEM; -- cgit v0.10.1
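Review bot: the new guard `if (!pacl) return vfs_setxattr(dentry, key, NULL, 0, 0);` sits correctly ahead of `buflen = posix_acl_xattr_size(pacl->a_count);`, which is the dereference the commit message describes, but the early return should carry a one-line comment: passing a NULL value with zero size is not "store an empty ACL", it asks the filesystem's ACL xattr handler to drop the attribute, which is the same outcome as the ->set_acl(NULL) call the message says the methods already cope with, and a reader without that context may take the call for a mistake. The commit message would also read better if it named the stable series the fix is meant for (3.2.x and 3.10.x according to the cover mail) rather than leaving "pre-3.14 kernels" to be worked out from the cherry-pick history.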