From patchwork Wed Jun 17 18:17:48 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andy Whitcroft <apw@canonical.com>
X-Patchwork-Id: 485610
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 87749140218;
	Thu, 18 Jun 2015 04:24:26 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1Z5I0c-0001mE-Rj; Wed, 17 Jun 2015 18:24:22 +0000
Received: from mail-wg0-f52.google.com ([74.125.82.52])
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from <apw@canonical.com>) id 1Z5I0X-0001la-F1
	for kernel-team@lists.ubuntu.com; Wed, 17 Jun 2015 18:24:17 +0000
Received: by wgzl5 with SMTP id l5so43974757wgz.3
	for <kernel-team@lists.ubuntu.com>;
	Wed, 17 Jun 2015 11:24:17 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=+9svtKuAHqsPdvpKQpGiJ9db8TkqhxTwLUKmfOQGQeg=;
	b=OsYT0IkINITDJEPUenqEEzanyWT+cDEz8GNCR7DeXB9H+Nr8+rO7ifBXAqKyY8l9MB
	MTsxyQ00vfVpUZpRXlLPpujsIxQkvTS+lvjOIPrtkBop/WWYuyYRxWWLiQFvWxbf8l/H
	rMZbNB2JH8SJkyIAJzDZf5bSYLpT3mvkWjNlPtGLvZj3z8vf+w044lKogxFlSx3v9YEk
	3Pr1xhKFRq6eLf3rJpTGqSDnpLQvkoHREHNrk5Xvzb0DKhpXmgD0qf6T6CiegGbnVvHR
	j2AcEHVoBmCd370GmxABeeCPssqKlm06eBr8gb33ye7aDg1DLiJT1Z5P1GiwxkpMiw+9
	91ZA==
X-Gm-Message-State: 
 ALoCoQl4yiHAXPod+v6swBldVKPohXTa2fxFMbJDuHtJVMCtv2Xo7J5rih1iXBqDC8MWfu7RTg8N
X-Received: by 10.194.200.228 with SMTP id jv4mr7993553wjc.157.1434565457309;
	Wed, 17 Jun 2015 11:24:17 -0700 (PDT)
Received: from localhost ([149.18.33.207]) by mx.google.com with ESMTPSA id
	c2sm5149016wjf.18.2015.06.17.11.24.16
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Wed, 17 Jun 2015 11:24:16 -0700 (PDT)
From: Andy Whitcroft <apw@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [trusty 1/1] UBUNTU: SAUCE: ensure that upper/lower layers are valid
	before checking permissions
Date: Wed, 17 Jun 2015 19:17:48 +0100
Message-Id: <1434565069-30669-3-git-send-email-apw@canonical.com>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1434565069-30669-1-git-send-email-apw@canonical.com>
References: <1434565069-30669-1-git-send-email-apw@canonical.com>
Cc: Andy Whitcroft <apw@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: kernel-team-bounces@lists.ubuntu.com

When removing a directory which was only on the lower layer and was empty
on that lower layer we will attempt to confirm we are permitted to write
to the upper layer when we have no upper layer.  Leading to a panic.

  [10531.508838] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
  [10531.508889] IP: [<ffffffffa08bed80>] ovl_dentry_root_may+0x30/0x60 [overlayfs]

BugLink: http://bugs.launchpad.net/bugs/1465998
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 fs/overlayfs/readdir.c | 34 ++++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 14 deletions(-)

diff --git a/fs/overlayfs/readdir.c b/fs/overlayfs/readdir.c
index 82269ff..f9896b2 100644
--- a/fs/overlayfs/readdir.c
+++ b/fs/overlayfs/readdir.c
@@ -324,13 +324,16 @@ static int ovl_iterate(struct file *file, struct dir_context *ctx)
 		ovl_path_lower(file->f_path.dentry, &lowerpath);
 		ovl_path_upper(file->f_path.dentry, &upperpath);
 
-		res = ovl_dentry_root_may(file->f_path.dentry, &upperpath, MAY_READ);
-		if (res)
-			return res;
-		res = ovl_dentry_root_may(file->f_path.dentry, &lowerpath, MAY_READ);
-		if (res)
-			return res;
-
+		if (upperpath.dentry) {
+			res = ovl_dentry_root_may(file->f_path.dentry, &upperpath, MAY_READ);
+			if (res)
+				return res;
+		}
+		if (lowerpath.dentry) {
+			res = ovl_dentry_root_may(file->f_path.dentry, &lowerpath, MAY_READ);
+			if (res)
+				return res;
+		}
 		res = ovl_dir_read_merged(&upperpath, &lowerpath, &od->cache);
 		if (res) {
 			ovl_cache_free(&od->cache);
@@ -475,13 +478,16 @@ static int ovl_check_empty_dir(struct dentry *dentry, struct list_head *list)
 	ovl_path_upper(dentry, &upperpath);
 	ovl_path_lower(dentry, &lowerpath);
 
-	err = ovl_dentry_root_may(dentry, &upperpath, MAY_READ);
-	if (err)
-		return err;
-	err = ovl_dentry_root_may(dentry, &lowerpath, MAY_READ);
-	if (err)
-		return err;
-
+	if (upperpath.dentry) {
+		err = ovl_dentry_root_may(dentry, &upperpath, MAY_READ);
+		if (err)
+			return err;
+	}
+	if (lowerpath.dentry) {
+		err = ovl_dentry_root_may(dentry, &lowerpath, MAY_READ);
+		if (err)
+			return err;
+	}
 	err = ovl_dir_read_merged(&upperpath, &lowerpath, list);
 	if (err)
 		return err;