From: Miklos Szeredi
Date: Thu, 4 Jun 2020 09:25:04 +0200
Subject: Re: [PATCH][next] ovl: fix null pointer dereference on null stack pointer on error return
To: Colin Ian King
Cc: Amir Goldstein, overlayfs, kernel-janitors@vger.kernel.org, linux-kernel

On Wed, Jun 3, 2020 at 6:15 PM Colin Ian King wrote:
>
> On 03/06/2020 17:11, Amir Goldstein wrote:
> > On Wed, Jun 3, 2020 at 6:46 PM Colin King wrote:
> >>
> >> From: Colin Ian King
> >>
> >> There are two error return paths where the call to path_put is
> >> dereferencing the null pointer 'stack'. Fix this by avoiding the
> >> error exit path via label 'out_err' that will lead to the path_put
> >> calls and instead just return the error code directly.
> >>
> >> Addresses-Coverity: ("Dereference after null check)"
> >> Fixes: 4155c10a0309 ("ovl: clean up getting lower layers")
> >> Signed-off-by: Colin Ian King
> >
> >
> > Which branch is that based on?
> > Doesn't seem to apply to master nor next
>
> It was based on today's linux-next

Yeah, it's actually

Fixes: 73819e26c0f0 ("ovl: get rid of redundant members in struct ovl_fs")

So I'll just fold your patch.

There's still a change in the loop count for later errors, but that's
okay, since ovl_lower_dir()/ovl_mount_dir_noesc() use the
path_put_init() variant.

Actually ovl_lower_dir() can get rid of that path_put_init()
completely, since now the only caller will take care of that...

Thanks for reporting!
Miklos
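
The error-path pattern discussed in this thread, as an added user-space C model (not code from the patch or from overlayfs): errors raised before 'stack' is allocated return directly, and a cleanup loop over every slot is safe for later errors because the failing lookup used the put-and-clear variant. The reference-counter model of struct path and the names get_lowerstack() and lower_dir() are assumptions made for illustration.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed user-space model: a "path" holds one counted reference. */
struct path { int *ref; };               /* ref == NULL means empty slot */

static void path_put(const struct path *p) { if (p->ref) --*p->ref; }

/* Put, then clear the slot so a later put on it is a no-op. */
static void path_put_init(struct path *p) { path_put(p); *p = (struct path){ 0 }; }

/* Hypothetical lookup: takes a reference; layer 'bad' fails and cleans up. */
static int lower_dir(struct path *p, int *ref, unsigned i, unsigned bad)
{
    p->ref = ref;
    ++*ref;
    if (i == bad) {
        path_put_init(p);                /* plain path_put() here would lead to a double put */
        return -EINVAL;
    }
    return 0;
}

/* Hypothetical caller; this model releases everything on success too. */
int get_lowerstack(int *refs, unsigned n, unsigned bad)
{
    struct path *stack;
    unsigned i;
    int err = 0;

    if (n == 0)
        return -EINVAL;   /* stack not allocated yet: return, no goto out_err */
    stack = calloc(n, sizeof(*stack));
    if (!stack)
        return -ENOMEM;   /* out_err would call path_put(&stack[i]) on NULL */

    for (i = 0; i < n && !err; i++)
        err = lower_dir(&stack[i], &refs[i], i, bad);

    /* out_err: covers all n slots, including the failed (cleared) one */
    for (i = 0; i < n; i++)
        path_put(&stack[i]);
    free(stack);
    return err;
}

int main(void)
{
    int refs[3] = { 0, 0, 0 };
    return get_lowerstack(refs, 3, 1) == -EINVAL && !refs[0] && !refs[1] ? 0 : 1;
}
```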