Btrfs devel - May 2011 - [PATCH, fixed] Prevent oopsing in posix_acl_valid()

If posix_acl_from_xattr() returns an error code, a negative address is
dereferenced causing an oops; fix by checking for an error code first.

Typo fixed; too much late-night coding.

Signed-off-by: Daniel J Blueman <daniel.blueman@gmail.com>
---
 fs/btrfs/acl.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c
index 5d505aa..44ea5b9 100644
--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
@@ -178,12 +178,13 @@ static int btrfs_xattr_acl_set(struct dentry *dentry,
const char *name,
 
 	if (value) {
 		acl = posix_acl_from_xattr(value, size);
+		if (IS_ERR(acl))
+			return PTR_ERR(acl);
+
 		if (acl) {
 			ret = posix_acl_valid(acl);
 			if (ret)
 				goto out;
-		} else if (IS_ERR(acl)) {
-			return PTR_ERR(acl);
 		}
 	}
 
-- 
1.7.4.1

--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs"
in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On 05/03/2011 10:54 PM, Daniel J Blueman wrote:
> If posix_acl_from_xattr() returns an error code, a negative address is
> dereferenced causing an oops; fix by checking for an error code first.
>
> Typo fixed; too much late-night coding.
>
> Signed-off-by: Daniel J Blueman<daniel.blueman@gmail.com>
> ---
>   fs/btrfs/acl.c |    5 +++--
>   1 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c
> index 5d505aa..44ea5b9 100644
> --- a/fs/btrfs/acl.c
> +++ b/fs/btrfs/acl.c
> @@ -178,12 +178,13 @@ static int btrfs_xattr_acl_set(struct dentry *dentry,
const char *name,
>
>   	if (value) {
>   		acl = posix_acl_from_xattr(value, size);
> +		if (IS_ERR(acl))
> +			return PTR_ERR(acl);
> +
>   		if (acl) {
>   			ret = posix_acl_valid(acl);
>   			if (ret)
>   				goto out;
> -		} else if (IS_ERR(acl)) {
> -			return PTR_ERR(acl);
>   		}
>   	}
>
Actually pulled this down and compiled it this time to make sure it 
worked.  You can add

Reviewed-by: Josef Bacik <josef@redhat.com>

Thanks,

Josef
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs"
in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Hi Chris,

On 4 May 2011 22:40, Josef Bacik <josef@redhat.com>
wrote:
> On 05/03/2011 10:54 PM, Daniel J Blueman wrote:
>>
>> If posix_acl_from_xattr() returns an error code, a negative address is
>> dereferenced causing an oops; fix by checking for an error code first.
>>
>> Typo fixed; too much late-night coding.
>>
>> Signed-off-by: Daniel J Blueman<daniel.blueman@gmail.com>
>> ---
>>  fs/btrfs/acl.c |    5 +++--
>>  1 files changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c
>> index 5d505aa..44ea5b9 100644
>> --- a/fs/btrfs/acl.c
>> +++ b/fs/btrfs/acl.c
>> @@ -178,12 +178,13 @@ static int btrfs_xattr_acl_set(struct dentry
>> *dentry, const char *name,
>>
>>        if (value) {
>>                acl = posix_acl_from_xattr(value, size);
>> +               if (IS_ERR(acl))
>> +                       return PTR_ERR(acl);
>> +
>>                if (acl) {
>>                        ret = posix_acl_valid(acl);
>>                        if (ret)
>>                                goto out;
>> -               } else if (IS_ERR(acl)) {
>> -                       return PTR_ERR(acl);
>>                }
>>        }
>>
>
> Actually pulled this down and compiled it this time to make sure it worked.
>  You can add
>
> Reviewed-by: Josef Bacik <josef@redhat.com>
Will this fix go upstream for the final 2.6.39, now that the last -rc
is already out? I hit it in two independent cases when rebooting after
other kernel crashes.

Thanks,
  Daniel
-- 
Daniel J Blueman
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs"
in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Excerpts from Daniel J Blueman''s message of 2011-05-10 01:42:45
-0400:
> Hi Chris,
> 
> On 4 May 2011 22:40, Josef Bacik <josef@redhat.com> wrote:
> > On 05/03/2011 10:54 PM, Daniel J Blueman wrote:
> >>
> >> If posix_acl_from_xattr() returns an error code, a negative
address is
> >> dereferenced causing an oops; fix by checking for an error code
first.
> >>
> >> Typo fixed; too much late-night coding.
> >>
> >> Signed-off-by: Daniel J Blueman<daniel.blueman@gmail.com>
> >> ---
> >>  fs/btrfs/acl.c |    5 +++--
> >>  1 files changed, 3 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c
> >> index 5d505aa..44ea5b9 100644
> >> --- a/fs/btrfs/acl.c
> >> +++ b/fs/btrfs/acl.c
> >> @@ -178,12 +178,13 @@ static int btrfs_xattr_acl_set(struct dentry
> >> *dentry, const char *name,
> >>
> >>        if (value) {
> >>                acl = posix_acl_from_xattr(value, size);
> >> +               if (IS_ERR(acl))
> >> +                       return PTR_ERR(acl);
> >> +
> >>                if (acl) {
> >>                        ret = posix_acl_valid(acl);
> >>                        if (ret)
> >>                                goto out;
> >> -               } else if (IS_ERR(acl)) {
> >> -                       return PTR_ERR(acl);
> >>                }
> >>        }
> >>
> >
> > Actually pulled this down and compiled it this time to make sure it
worked.
> >  You can add
> >
> > Reviewed-by: Josef Bacik <josef@redhat.com>
> 
> Will this fix go upstream for the final 2.6.39, now that the last -rc
> is already out? I hit it in two independent cases when rebooting after
> other kernel crashes.
Yes, I have one other patch to from Li Zefan that I will send along.

-chris
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs"
in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html