[Unionfs] NULL pointer dereference if copyup_dentry() failed?

Sun Sep 21 23:47:29 EDT 2008

In message <200809220206.m8M26JZ4013812 at www262.sakura.ne.jp>, Tetsuo Handa writes:
> Hello.
> 
> > Could you add this small patch below and let me know if the BUG_ON triggers?
> > Given your stack trace, I'm suspecting that somehow the lower dentry isn't
> > instantiated w/ an inode perhaps.
> Yes, it triggered.

Thanks, Tetsuo.  I was able to reproduce the bug even w/ your old procedure,
and I understand now how it happens; the hint is some debugging info that
unionfs prints up as "CI" (Check Inode) shortly before the oops.

The patch below fixes this bug.  I tried it on top of unionfs-2.5 + 2.6.24.7
+ your patches as per your original email.  With this patch I get this
behaviour from /bin/touch (I assume that's what supposed to happen, right?):

# /bin/touch /mnt/foo
/bin/touch: setting times of `/mnt/foo': Operation not permitted

Please try this patch and let me know.

Thanks,
Erez.

##############################################################################

Unionfs: handle partial copyup errors gracefully

Don't leave any dentries behind if copying up the inode (or setting its
permission, i.e., using TOMOYO) failed.

CC: Tetsuo Handa <penguin-kernel at i-love.sakura.ne.jp>
Signed-off-by: Erez Zadok <ezk at cs.sunysb.edu>

diff --git a/fs/unionfs/copyup.c b/fs/unionfs/copyup.c
index bbd49c8..5b6ff23 100644
--- a/fs/unionfs/copyup.c
+++ b/fs/unionfs/copyup.c
@@ -519,8 +519,17 @@ out_free:
 		dput(old_lower_dentry);
 	kfree(symbuf);
 
-	if (err)
+	if (err) {
+		/*
+		 * if directory creation succeeded, but inode copyup failed,
+		 * then purge new dentries.
+		 */
+		if (dbstart(dentry) < old_bstart &&
+		    ibstart(dentry->d_inode) > dbstart(dentry))
+			__clear(dentry, NULL, old_bstart, old_bend,
+				unionfs_lower_dentry(dentry), dbstart(dentry));
 		goto out;
+	}
 	if (!S_ISDIR(dentry->d_inode->i_mode)) {
 		unionfs_postcopyup_release(dentry);
 		if (!unionfs_lower_inode(dentry->d_inode)) {
