2011/8/5 Jeff Layton <[email protected]>: > The loop around lookup_one_len doesn't handle the case where it might > return a negative dentry, which can cause an oops on the next pass > through the loop. Check for that and break out of the loop with an > error of -ENOENT if there is one. > > Fixes the panic reported here: > > https://bugzilla.redhat.com/show_bug.cgi?id=727927 > > Reported-by: TR Bentley <[email protected]> > Reported-by: Iain Arnell <[email protected]> > Cc: Al Viro <[email protected]> > Cc: [email protected] > Signed-off-by: Jeff Layton <[email protected]> > --- > fs/cifs/cifsfs.c | 4 ++++ > 1 files changed, 4 insertions(+), 0 deletions(-) > > diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c > index 212e562..f93eb94 100644 > --- a/fs/cifs/cifsfs.c > +++ b/fs/cifs/cifsfs.c > @@ -563,6 +563,10 @@ cifs_get_root(struct smb_vol *vol, struct super_block > *sb) > mutex_unlock(&dir->i_mutex); > dput(dentry); > dentry = child; > + if (!dentry->d_inode) {
dentry can be NULL here (returned from lookup_one_len) and it can cause a null pointer dereference. > + dput(dentry); > + dentry = ERR_PTR(-ENOENT); > + } > } while (!IS_ERR(dentry)); > _FreeXid(xid); > kfree(full_path); > -- > 1.7.6 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-cifs" in > the body of a message to [email protected] > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- Best regards, Pavel Shilovsky. -- To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
