Bug 9647 - NULL dereference in fs/nfs/super.c:nfs_xdev_get_sb()
Summary: NULL dereference in fs/nfs/super.c:nfs_xdev_get_sb()
Status: CLOSED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: NFS (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Trond Myklebust
URL:
Keywords:
Depends on:
Blocks: 9243
  Show dependency tree
 
Reported: 2007-12-27 12:36 UTC by Adrian Bunk
Modified: 2008-01-03 13:13 UTC (History)
0 users

See Also:
Kernel Version: 2.6.24-rc6
Subsystem:
Regression: Yes
Bisected commit-id:

Attachments
NFS: Fix a possible Oops in fs/nfs/super.c (1.78 KB, patch)
2008-01-02 10:38 UTC, Trond Myklebust 		Details | Diff
Add an attachment (proposed patch, testcase, etc.)

Description Adrian Bunk 2007-12-27 12:36:30 UTC 
The Coverity checker spotted that commit 4584f520e1f773082ef44ff4f8969a5d992b16ec introduced the following NULL dereference in 2.6.24-rc6:

<--  snip  -->

...
static int nfs_xdev_get_sb(struct file_system_type *fs_type, int flags,
                           const char *dev_name, void *raw_data,
                           struct vfsmount *mnt)
{
...
        if (s->s_fs_info != server) {
                nfs_free_server(server);
                server = NULL;     <---------------
        }

        if (!s->s_root) {
                /* initial superblock/root creation */
                nfs_clone_super(s, data->sb);
        }

        mntroot = nfs_get_root(s, data->fh);
        if (IS_ERR(mntroot)) {
                error = PTR_ERR(mntroot);
                goto error_splat_super;
        }
        if (mntroot->d_inode->i_op != server->nfs_client->rpc_ops->dir_inode_ops) {
...

<--  snip  -->
Comment 1 Adrian Bunk 2007-12-27 12:37:42 UTC 
The NULL dereference is at the server->nfs_client->rpc_ops->dir_inode_ops.
Comment 2 Trond Myklebust 2008-01-02 10:38:36 UTC 
Created attachment 14265 [details]
NFS: Fix a possible Oops in fs/nfs/super.c

Fix the fix by dereferencing s->s_fs_info.

Also add in the same namespace Oops fix for NFSv4 in both the mountpoint
crossing case, and the referral case.

Please pass the brown bag...
Comment 3 Adrian Bunk 2008-01-03 13:13:59 UTC 
Patch went as commit e9cc6c234bfe414ef36f484e3ad8be621854c440 into Lunus' tree.
Note You need to log in before you can comment on or make changes to this bug.