Bug 9647

Summary: NULL dereference in fs/nfs/super.c:nfs_xdev_get_sb()
Product: File System
Reporter: Adrian Bunk (bunk)
Component: NFS
Assignee: Trond Myklebust (trondmy)
Status: CLOSED CODE_FIX
Severity: normal
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 2.6.24-rc6
Subsystem:
Regression: Yes
Bisected commit-id:
Bug Depends on:
Bug Blocks: 9243
Attachments: NFS: Fix a possible Oops in fs/nfs/super.c

Description Adrian Bunk 2007-12-27 12:36:30 UTC
The Coverity checker spotted that commit 4584f520e1f773082ef44ff4f8969a5d992b16ec introduced the following NULL dereference in 2.6.24-rc6:

<--  snip  -->

...
static int nfs_xdev_get_sb(struct file_system_type *fs_type, int flags,
                           const char *dev_name, void *raw_data,
                           struct vfsmount *mnt)
{
...
        if (s->s_fs_info != server) {
                nfs_free_server(server);
                server = NULL;     <---------------
        }

        if (!s->s_root) {
                /* initial superblock/root creation */
                nfs_clone_super(s, data->sb);
        }

        mntroot = nfs_get_root(s, data->fh);
        if (IS_ERR(mntroot)) {
                error = PTR_ERR(mntroot);
                goto error_splat_super;
        }
        if (mntroot->d_inode->i_op != server->nfs_client->rpc_ops->dir_inode_ops) {
...

<--  snip  -->
Comment 1 Adrian Bunk 2007-12-27 12:37:42 UTC
The NULL dereference is at the server->nfs_client->rpc_ops->dir_inode_ops.
Comment 2 Trond Myklebust 2008-01-02 10:38:36 UTC
Created attachment 14265 [details]
NFS: Fix a possible Oops in fs/nfs/super.c

Fix the fix by dereferencing s->s_fs_info.

Also add in the same namespace Oops fix for NFSv4 in both the mountpoint
crossing case, and the referral case.

Please pass the brown bag...
Comment 3 Adrian Bunk 2008-01-03 13:13:59 UTC
Patch went as commit e9cc6c234bfe414ef36f484e3ad8be621854c440 into Linus' tree.
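A reduced model of the aliasing bug in the description and of the fix described in comment 2 (dereference s->s_fs_info rather than the cleared local). This is an added example, not code from the kernel or from the attached patch: the struct names mirror the kernel's, but the types, attach_server() and existing_sb_case() are hypothetical stand-ins.

```c
#include <stddef.h>
/* Hypothetical stand-ins for the kernel types involved, not the real NFS structures. */
struct inode_ops   { int id; };
struct rpc_ops     { const struct inode_ops *dir_inode_ops; };
struct nfs_client  { const struct rpc_ops *rpc_ops; };
struct nfs_server  { struct nfs_client *nfs_client; int freed; };
struct super_block { struct nfs_server *s_fs_info; };

/* Models the check in nfs_xdev_get_sb(): an existing superblock keeps its own server,
 * so the freshly built one is freed and the local pointer is cleared. */
static struct nfs_server *attach_server(struct super_block *s, struct nfs_server *server)
{
    if (s->s_fs_info == NULL)
        s->s_fs_info = server;      /* fresh superblock adopts this server */
    if (s->s_fs_info != server) {
        server->freed = 1;          /* stand-in for nfs_free_server(server) */
        server = NULL;              /* the local alias is now dead */
    }
    return server;
}

/* Buggy shape: reads through the local 'server' after it may have been cleared.
 * Returns NULL where the kernel code would Oops, so the hazard is observable. */
static const struct inode_ops *dir_ops_via_local(struct super_block *s, struct nfs_server *srv)
{
    srv = attach_server(s, srv);
    if (srv == NULL)
        return NULL;                /* nfs_xdev_get_sb() had no such check */
    return srv->nfs_client->rpc_ops->dir_inode_ops;
}

/* Fixed shape: always dereference s->s_fs_info, which is valid on both mount paths. */
static const struct inode_ops *dir_ops_via_sb(struct super_block *s, struct nfs_server *srv)
{
    attach_server(s, srv);
    return s->s_fs_info->nfs_client->rpc_ops->dir_inode_ops;
}

static const struct inode_ops dir_ops = { 42 };
static const struct rpc_ops ops = { &dir_ops };
static struct nfs_client clp = { &ops };

/* Coverity's case (superblock already exists): bit 0 = buggy path lost its pointer,
 * bit 1 = fixed path still found dir_inode_ops through s_fs_info. */
int existing_sb_case(void)
{
    struct nfs_server old = { &clp, 0 }, fresh = { &clp, 0 };
    struct super_block s = { &old };    /* superblock already owned by 'old' */
    int lost  = dir_ops_via_local(&s, &fresh) == NULL && fresh.freed;
    int fixed = dir_ops_via_sb(&s, &fresh) == &dir_ops;
    return lost | (fixed << 1);         /* returns 3 */
}
```

On a fresh superblock both shapes return the same pointer, which is why the bug only shows up on the mountpoint-crossing path where the superblock is reused.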