[patch] to dentry_open() for NULL pointer dereference on ENFILE

From: Anne Milicia (milicia@missioncriticallinux.com)
Date: Tue Apr 04 2000 - 15:11:16 EST


The following patch to 2.3.99-pre3 fixes a kernel NULL pointer
dereference when the VFS file-max limit is reached. The problem
occurs when get_empty_filp() fails to return a file struct, and
dentry_open() does a put_filp(NULL) at label cleanup_dentry.
The problem exists in pre4-3, but I only tested this version.

Anne
milicia@missioncriticallinux.com

diff -u fs/open.c.orig fs/open.c
--- fs/open.c.orig Tue Apr 4 12:37:15 2000
+++ fs/open.c Tue Apr 4 13:39:19 2000
@@ -679,7 +679,7 @@
        if (f->f_mode & FMODE_WRITE) {
                error = get_write_access(inode);
                if (error)
- goto cleanup_dentry;
+ goto cleanup_file;
        }

        f->f_dentry = dentry;
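Review bot: redirecting the get_write_access() failure to cleanup_file is correct only because f->f_dentry has not yet been assigned at this point (the assignment is the trailing context line `f->f_dentry = dentry;`), so unlike the later error path there is no dentry pointer in f to clear before put_filp(f). That ordering dependency is invisible at the goto; a one-line comment such as `/* f_dentry not yet set: release file, then dentry */` would stop a later reordering of the assignment from leaving a stale f->f_dentry in a file struct that is being returned to the free list.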
@@ -703,9 +703,10 @@
        if (f->f_mode & FMODE_WRITE)
                put_write_access(inode);
        f->f_dentry = NULL;
+cleanup_file:
+ put_filp(f);
 cleanup_dentry:
        dput(dentry);
- put_filp(f);
        return ERR_PTR(error);
 }
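Review bot: the branch that actually produces the reported oops, get_empty_filp() returning NULL and jumping to cleanup_dentry, is not in either hunk, so the fix depends entirely on cleanup_dentry no longer calling put_filp; please confirm that branch still targets cleanup_dentry (not cleanup_file) after this change, since any caller of cleanup_dentry must now arrive with f either already released or never allocated. This matches the dump, which shows put_filp+0x6 faulting on address 0x10 with EAX = 0, i.e. a NULL struct file. Two smaller points: cleanup_file relies on silently falling through into cleanup_dentry, which deserves a `/* fall through */` comment, and put_filp(f) now runs before dput(dentry), which is safe only because `f->f_dentry = NULL;` precedes it on the path from the earlier label; keep that line immediately above cleanup_file if these labels are rearranged again.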

Dump for problem looks like:

crash> log
<4>VFS: file-max limit 8192 reached
<1>Unable to handle kernel NULL pointer dereference at virtual address 00000010
<4> printing eip:
<4>c0137f16
...

crash> bt
PID: 31071 TASK: c07d6000 CPU: 0 COMMAND: "cp"
 #0 [c07d7e50] crash_save_current_state at c0112a90
    (c07d6000)
 #1 [c07d7e60] panic at c0117f90
    (c023d8ba)
 #2 [c07d7e6c] die at c010b345
    (c024201e, c07d7f30, 2)
 #3 [c07d7f20] do_page_fault at c011356c
    (c07d7f30, 2)
 #4 [c07d7f64] page_fault (via error_code) at c010af9d
    EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: cfc03b60 EBP: c07d7f64
    DS: 0018 ESI: 00000000 ES: 0018 EDI: ffffffe9
    CS: 0010 EIP: c0137f16 ERR: ffffffff EFLAGS: 00010202
 #5 [c07d7f64] put_filp+0x6 at c0137f16
    (0, cfc03b60, 0, 0, 0)
 #6 [c07d7f80] dentry_open at c0136ce5
    (cfc03b60, 0)
 #7 [c07d7f9c] filp_open at c0136be8
    (c87e1000, 0, 0, 0)
 #8 [c07d7fbc] sys_open at c0136e8c
    (400109c1, 0, 0)
 #9 [bffff414] system_call at c010ae8c
    EAX: 00000005 EBX: 400109c1 ECX: 00000000 EDX: 00000000

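The following is an added user-space model of the cleanup-label chain described in the message, not kernel code and not part of the original post. It reproduces the error-path ordering of dentry_open() before and after the patch with the same label names, a tiny assumed file table standing in for the file-max limit, and an assumed knob to make get_write_access() fail. The model's put_filp() counts NULL arguments instead of dereferencing them; in the kernel that call is the fault at put_filp+0x6 with EAX = 0 shown in the dump. The later cleanup path taken after f->f_dentry is assigned is left out, since neither reported failure reaches it.

```c
/* Added example: model of dentry_open() error paths before/after the patch. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define FMODE_WRITE 2
#define FILE_MAX 2                /* assumed tiny file-max so the limit is easy to hit */

struct dentry { int d_count; };
struct file { struct dentry *f_dentry; int f_mode; int f_count; };

static struct file file_table[FILE_MAX];
static int files_in_use;
static int put_filp_null_calls;   /* each one would be the NULL dereference in the kernel */
static int write_access_fails;    /* assumed knob: make get_write_access() fail */

static struct file *get_empty_filp(void)
{
    if (files_in_use >= FILE_MAX)
        return NULL;              /* "VFS: file-max limit ... reached" */
    struct file *f = &file_table[files_in_use++];
    f->f_dentry = NULL;
    f->f_mode = 0;
    f->f_count = 1;
    return f;
}

static void put_filp(struct file *f)
{
    if (f == NULL) {              /* the real put_filp() has no such check */
        put_filp_null_calls++;
        return;
    }
    f->f_count = 0;
    files_in_use--;
}

static void dget(struct dentry *d) { d->d_count++; }
static void dput(struct dentry *d) { d->d_count--; }
static int get_write_access(void) { return write_access_fails ? -ETXTBSY : 0; }

/* Ordering before the patch: cleanup_dentry does dput() and then put_filp(). */
static int dentry_open_before(struct dentry *dentry, int mode)
{
    int error = -ENFILE;
    struct file *f;

    dget(dentry);                 /* reference the caller handed us; dropped on every exit */
    f = get_empty_filp();
    if (!f)
        goto cleanup_dentry;      /* f is NULL on this path */
    f->f_mode = mode;
    if (f->f_mode & FMODE_WRITE) {
        error = get_write_access();
        if (error)
            goto cleanup_dentry;
    }
    f->f_dentry = dentry;
    return 0;                     /* success: the file keeps the dentry reference */
cleanup_dentry:
    dput(dentry);
    put_filp(f);                  /* put_filp(NULL) when get_empty_filp() failed */
    return error;
}

/* Ordering after the patch: cleanup_file releases f and falls through to cleanup_dentry. */
static int dentry_open_after(struct dentry *dentry, int mode)
{
    int error = -ENFILE;
    struct file *f;

    dget(dentry);
    f = get_empty_filp();
    if (!f)
        goto cleanup_dentry;      /* nothing to put_filp(): skip straight to the dentry */
    f->f_mode = mode;
    if (f->f_mode & FMODE_WRITE) {
        error = get_write_access();
        if (error)
            goto cleanup_file;    /* f valid, f_dentry not yet set */
    }
    f->f_dentry = dentry;
    return 0;
cleanup_file:
    put_filp(f);
    /* fall through */
cleanup_dentry:
    dput(dentry);
    return error;
}

/* Fill the file table, then open once more: returns how many put_filp(NULL) calls
 * that last open made, or -1 if the model misbehaved (wrong errno or leaked dentry ref). */
static int null_puts_when_limit_hit(int (*open)(struct dentry *, int))
{
    struct dentry d = { 0 };
    files_in_use = 0; put_filp_null_calls = 0; write_access_fails = 0;
    for (int i = 0; i < FILE_MAX; i++)
        if (open(&d, 0) != 0) return -1;
    if (open(&d, 0) != -ENFILE) return -1;
    if (d.d_count != FILE_MAX) return -1;   /* the failed open must not keep a dentry ref */
    return put_filp_null_calls;
}

/* Make get_write_access() fail: returns files still in use afterwards (0 = file released). */
static int files_left_when_write_access_fails(int (*open)(struct dentry *, int))
{
    struct dentry d = { 0 };
    files_in_use = 0; put_filp_null_calls = 0; write_access_fails = 1;
    int rc = open(&d, FMODE_WRITE);
    write_access_fails = 0;
    if (rc != -ETXTBSY || d.d_count != 0 || put_filp_null_calls != 0) return -1;
    return files_in_use;
}

int main(void)
{
    printf("before: put_filp(NULL) calls at file-max = %d\n", null_puts_when_limit_hit(dentry_open_before));
    printf("after:  put_filp(NULL) calls at file-max = %d\n", null_puts_when_limit_hit(dentry_open_after));
    printf("files leaked on write-access failure: before=%d after=%d\n",
           files_left_when_write_access_fails(dentry_open_before),
           files_left_when_write_access_fails(dentry_open_after));
    return 0;
}
```

The two driver functions show that the patched ordering removes the put_filp(NULL) on the ENFILE path while keeping the write-access failure path leak-free, which is what the first hunk's relabelled goto has to preserve.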
This archive was generated by hypermail 2b29 : Fri Apr 07 2000 - 21:00:12 EST