From: Miklos Szeredi
Date: Thu, 4 Jun 2020 11:39:24 +0200
Subject: Re: [PATCH][next] ovl: fix null pointer dereference on null stack pointer on error return
To: Colin Ian King
Cc: Amir Goldstein, overlayfs, kernel-janitors@vger.kernel.org, linux-kernel

On Thu, Jun 4, 2020 at 11:27 AM Colin Ian King wrote:
>
> On 04/06/2020 08:25, Miklos Szeredi wrote:
> > On Wed, Jun 3, 2020 at 6:15 PM Colin Ian King wrote:
> >>
> >> On 03/06/2020 17:11, Amir Goldstein wrote:
> >>> On Wed, Jun 3, 2020 at 6:46 PM Colin King wrote:
> >>>>
> >>>> From: Colin Ian King
> >>>>
> >>>> There are two error return paths where the call to path_put is
> >>>> dereferencing the null pointer 'stack'. Fix this by avoiding the
> >>>> error exit path via label 'out_err' that will lead to the path_put
> >>>> calls and instead just return the error code directly.
> >>>>
> >>>> Addresses-Coverity: ("Dereference after null check)"
> >>>> Fixes: 4155c10a0309 ("ovl: clean up getting lower layers")
> >>>> Signed-off-by: Colin Ian King
> >>>
> >>>
> >>> Which branch is that based on?
> >>> Doesn't seem to apply to master nor next
> >>
> >> It was based on today's linux-next
> >
> > Yeah, it's actually
> >
> > Fixes: 73819e26c0f0 ("ovl: get rid of redundant members in struct ovl_fs")
> >
> > So I'll just fold your patch. There's still a change in the loop
> > count for later errors, but that's okay, since
> > ovl_lower_dir()/ovl_mount_dir_noesc() use the path_put_init() variant.
> > Actually ovl_lower_dir() can get rid of that path_put_init()
> > completely, since now the only caller will take care of that...
> >
> > Thanks for reporting!
> >
> > Miklos
> >
>
> Is there a reason for folding the fix and hence losing the Signed-off-by
> tag?

I generally prefer to fold small fixes for not yet merged patches. In
this case it's more of a personal preference, but in other cases it
might have an effect on bisectability.

Thanks,
Miklos
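
An added example, not code from this thread or from overlayfs: a userspace C model of the error-path pattern the quoted commit message describes, where exits taken before 'stack' exists must return directly instead of jumping to the 'out_err' cleanup. The function get_lower_layers(), its fail_alloc and fail_at parameters, the puts_done counter and the two early exits chosen here are hypothetical; struct path and path_put_init() are simplified stand-ins for the kernel's.

```c
#include <errno.h>
#include <stdlib.h>

/* Userspace stand-in for the kernel's struct path; 'held' models a reference. */
struct path { int held; };
static int puts_done;   /* releases performed, so the cleanup can be checked */

/* Models path_put_init(): release and reset, so unheld entries are no-ops. */
static void path_put_init(struct path *p)
{
	if (p->held) { p->held = 0; puts_done++; }
}

/* Hypothetical helper, constructed for this example. fail_alloc simulates the
 * array allocation failing; fail_at simulates a lookup error on that layer
 * (-1 for none). For brevity the success path also releases every layer. */
int get_lower_layers(unsigned int numlower, int fail_alloc, int fail_at)
{
	struct path *stack;
	unsigned int i;
	int err = 0;

	if (numlower == 0)
		return -EINVAL;   /* direct return: 'stack' does not exist yet */

	stack = fail_alloc ? NULL : calloc(numlower, sizeof(*stack));
	if (!stack)
		return -ENOMEM;   /* 'goto out_err' here would walk a NULL array */

	for (i = 0; i < numlower; i++) {
		if ((int)i == fail_at) { err = -ENOENT; goto out_err; }
		stack[i].held = 1;
	}
out_err:
	/* Safe because every jump here happens after the allocation succeeded.
	 * The loop covers all numlower slots, including ones never taken. */
	for (i = 0; i < numlower; i++)
		path_put_init(&stack[i]);
	free(stack);
	return err;
}

int main(void)
{
	/* Early exit returns cleanly; the late failure releases one path. */
	return get_lower_layers(3, 1, -1) == -ENOMEM &&
	       get_lower_layers(3, 0, 1) == -ENOENT && puts_done == 1 ? 0 : 1;
}
```
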