From patchwork Wed Jun 17 18:17:49 2015
X-Patchwork-Submitter: Andy Whitcroft
X-Patchwork-Id: 485611
From: Andy Whitcroft
To: kernel-team@lists.ubuntu.com
Cc: Andy Whitcroft
Subject: [utopic 1/1] UBUNTU: SAUCE: ensure that upper/lower layers are valid before checking permissions
Date: Wed, 17 Jun 2015 19:17:49 +0100
Message-Id: <1434565069-30669-4-git-send-email-apw@canonical.com>
In-Reply-To: <1434565069-30669-1-git-send-email-apw@canonical.com>
References: <1434565069-30669-1-git-send-email-apw@canonical.com>

When removing a directory which was only on the lower layer and was
empty on that lower layer we will attempt to confirm we are permitted
to write to the upper layer when we have no upper layer. Leading to a
panic.

[10531.508838] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[10531.508889] IP: [] ovl_dentry_root_may+0x30/0x60 [overlayfs]

BugLink: http://bugs.launchpad.net/bugs/1465998
Signed-off-by: Andy Whitcroft
---
 fs/overlayfs/readdir.c | 34 ++++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 14 deletions(-)

diff --git a/fs/overlayfs/readdir.c b/fs/overlayfs/readdir.c index 86bac77..6d4eb5a 100644 --- a/fs/overlayfs/readdir.c +++ b/fs/overlayfs/readdir.c
@@ -330,13 +330,16 @@ static int ovl_iterate(struct file *file, struct dir_context *ctx) ovl_path_lower(file->f_path.dentry, &lowerpath); ovl_path_upper(file->f_path.dentry, &upperpath); - res = ovl_dentry_root_may(file->f_path.dentry, &upperpath, MAY_READ); - if (res) - return res; - res = ovl_dentry_root_may(file->f_path.dentry, &lowerpath, MAY_READ); - if (res) - return res; - + if (upperpath.dentry) { + res = ovl_dentry_root_may(file->f_path.dentry, &upperpath, MAY_READ); + if (res) + return res; + } + if (lowerpath.dentry) { + res = ovl_dentry_root_may(file->f_path.dentry, &lowerpath, MAY_READ); + if (res) + return res; + } res = ovl_dir_read_merged(&upperpath, &lowerpath, &od->cache); if (res) { ovl_cache_free(&od->cache); @@ -481,13 +484,16 @@ static int ovl_check_empty_dir(struct dentry *dentry, struct list_head *list) ovl_path_upper(dentry, &upperpath); ovl_path_lower(dentry, &lowerpath); - err = ovl_dentry_root_may(dentry, &upperpath, MAY_READ); - if (err) - return err; - err = ovl_dentry_root_may(dentry, &lowerpath, MAY_READ); - if (err) - return err; - + if (upperpath.dentry) { + err = ovl_dentry_root_may(dentry, &upperpath, MAY_READ); + if (err) + return err; + } + if (lowerpath.dentry) { + err = ovl_dentry_root_may(dentry, &lowerpath, MAY_READ); + if (err) + return err; + } err = ovl_dir_read_merged(&upperpath, &lowerpath, list); if (err) return err;
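
Review bot: the `if (upperpath.dentry)` / `if (lowerpath.dentry)` guards added in ovl_iterate() (hunk at -330) are the same pair added again in ovl_check_empty_dir(), while the oops quoted in the changelog is inside the callee (`ovl_dentry_root_may+0x30`). Consider testing the path's dentry once at the top of ovl_dentry_root_may() and returning 0 when it is NULL, so each call site stays as it was and a later caller cannot reintroduce the dereference. The hunk also removes the blank line that separated the permission checks from the `ovl_dir_read_merged()` call; please keep it.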
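
Review bot: in ovl_check_empty_dir() (hunk at -481) the changelog and the code disagree about what is checked: the message says we confirm we are "permitted to write to the upper layer", but both guarded calls pass MAY_READ. Please correct the wording, and add a short comment above `if (upperpath.dentry)` noting that a directory present only on the lower layer has no upper dentry, since the reason for the guard is otherwise recorded only in the changelog. It would also help to state whether both dentries can be NULL here, because in that case no permission check runs before `ovl_dir_read_merged()`.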