Commit:     b4c07bce796833401317519e44075889c5fd4d5f
Parent:     e73a75fa7f062b52d015f1c961685dcaac57f710
Author:     Lee Schermerhorn <[EMAIL PROTECTED]>
AuthorDate: Sun Jul 15 23:40:54 2007 -0700
Committer:  Linus Torvalds <[EMAIL PROTECTED]>
CommitDate: Mon Jul 16 09:05:46 2007 -0700

    hugetlbfs: handle empty options string
    I was seeing a null pointer deref in fs/super.c:vfs_kern_mount().
    Some file system get_sb() handler was returning NULL mnt_sb with
    a non-negative return value.  I also noticed a "hugetlbfs: Bad
    mount option:" message in the log.
    Turns out that hugetlbfs_parse_options() was not checking for an
    empty option string after call to strsep().  On failure,
    hugetlbfs_parse_options() returns 1.  hugetlbfs_fill_super() just
    passed this return code back up the call stack where
    vfs_kern_mount() missed the error and proceeded with a NULL mnt_sb.
    Apparently introduced by patch:
    The problem was exposed by this line in my fstab:
    none        /huge       hugetlbfs   defaults    0 0
    It can also be demonstrated by invoking mount of hugetlbfs
    directly with no options or a bogus option.
    This patch:
    1) adds the check for empty option to hugetlbfs_parse_options(),
    2) enhances the error message to bracket any unrecognized
       option with quotes ,
    3) modifies hugetlbfs_parse_options() to return -EINVAL on any
       unrecognized option,
    4) adds a BUG_ON() to vfs_kern_mount() to catch any get_sb()
       handler that returns a NULL mnt->mnt_sb with a return value
       >= 0.
    Signed-off-by: Lee Schermerhorn <[EMAIL PROTECTED]>
    Acked-by: Randy Dunlap <[EMAIL PROTECTED]>
    Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
    Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
 fs/hugetlbfs/inode.c |    8 +++++---
 fs/super.c           |    1 +
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index 711b801..d145cb7 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -621,6 +621,8 @@ hugetlbfs_parse_options(char *options, struct 
hugetlbfs_config *pconfig)
        while ((p = strsep(&options, ",")) != NULL) {
                int token;
+               if (!*p)
+                       continue;
                token = match_token(p, tokens, args);
                switch (token) {
@@ -665,8 +667,9 @@ hugetlbfs_parse_options(char *options, struct 
hugetlbfs_config *pconfig)
-                       printk(KERN_ERR "hugetlbfs: Bad mount option: %s\n", p);
-                       return 1;
+                       printk(KERN_ERR "hugetlbfs: Bad mount option: \"%s\"\n",
+                                p);
+                       return -EINVAL;
@@ -693,7 +696,6 @@ hugetlbfs_fill_super(struct super_block *sb, void *data, 
int silent)
        config.gid = current->fsgid;
        config.mode = 0755;
        ret = hugetlbfs_parse_options(data, &config);
        if (ret)
                return ret;
diff --git a/fs/super.c b/fs/super.c
index 5260d62..fc8ebed 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -884,6 +884,7 @@ vfs_kern_mount(struct file_system_type *type, int flags, 
const char *name, void
        error = type->get_sb(type, flags, name, data, mnt);
        if (error < 0)
                goto out_free_secdata;
+       BUG_ON(!mnt->mnt_sb);
        error = security_sb_kern_mount(mnt->mnt_sb, secdata);
        if (error)
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at

Reply via email to