From: Andy Whitcroft
To: kernel-team@lists.ubuntu.com
Cc: Andy Whitcroft
Subject: [precise 1/1] UBUNTU: SAUCE: ensure that upper/lower layers are valid before checking permissions
Date: Wed, 17 Jun 2015 19:17:47 +0100
Message-Id: <1434565069-30669-2-git-send-email-apw@canonical.com>
In-Reply-To: <1434565069-30669-1-git-send-email-apw@canonical.com>
References: <1434565069-30669-1-git-send-email-apw@canonical.com>

When removing a directory which was only on the lower layer and was
empty on that lower layer, we will attempt to confirm we are permitted
to write to the upper layer when we have no upper layer, leading to a
panic.

[10531.508838] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[10531.508889] IP: [] ovl_dentry_root_may+0x30/0x60 [overlayfs]

BugLink: http://bugs.launchpad.net/bugs/1465998
Signed-off-by: Andy Whitcroft
---
 fs/overlayfs/readdir.c | 34 ++++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 14 deletions(-)

diff --git a/fs/overlayfs/readdir.c b/fs/overlayfs/readdir.c
index cd55d2d..2dd897a 100644
--- a/fs/overlayfs/readdir.c
+++ b/fs/overlayfs/readdir.c
@@ -322,13 +322,16 @@ static int ovl_readdir(struct file *file, void *buf, filldir_t filler) ovl_path_lower(file->f_path.dentry, &lowerpath); ovl_path_upper(file->f_path.dentry, &upperpath); - res = ovl_dentry_root_may(file->f_path.dentry, &upperpath, MAY_READ); - if (res) - return res; - res = ovl_dentry_root_may(file->f_path.dentry, &lowerpath, MAY_READ); - if (res) - return res; - + if (upperpath.dentry) { + res = ovl_dentry_root_may(file->f_path.dentry, &upperpath, MAY_READ); + if (res) + return res; + } + if (lowerpath.dentry) { + res = ovl_dentry_root_may(file->f_path.dentry, &lowerpath, MAY_READ); + if (res) + return res; + } res = ovl_dir_read_merged(&upperpath, &lowerpath, &rdd); if (res) { ovl_cache_free(rdd.list); @@ -479,13 +482,16 @@ static int ovl_check_empty_dir(struct dentry *dentry, struct list_head *list) ovl_path_upper(dentry, &upperpath); ovl_path_lower(dentry, &lowerpath); - err = ovl_dentry_root_may(dentry, &upperpath, MAY_READ); - if (err) - return err; - err = ovl_dentry_root_may(dentry, &lowerpath, MAY_READ); - if (err) - return err; - + if (upperpath.dentry) { + err = ovl_dentry_root_may(dentry, &upperpath, MAY_READ); + if (err) + return err; + } + if (lowerpath.dentry) { + err = ovl_dentry_root_may(dentry, &lowerpath, MAY_READ); + if (err) + return err; + } err = ovl_dir_read_merged(&upperpath, &lowerpath, &rdd); if (err) return err;
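
Review bot: the commit message covers only the directory-removal path and speaks of permission to write, but the first hunk changes ovl_readdir and the guarded calls pass MAY_READ. Please say in the log whether ovl_readdir can hit the same NULL `upperpath.dentry`, and whether "write" should read "read". That hunk also drops the blank line that separated the permission checks from `res = ovl_dir_read_merged(&upperpath, &lowerpath, &rdd);`, which is worth keeping.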
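
Review bot: in the second hunk (ovl_check_empty_dir) the same pair of `if (upperpath.dentry)` / `if (lowerpath.dentry)` guards is open-coded a second time around ovl_dentry_root_may. Testing for a NULL dentry once inside ovl_dentry_root_may, returning 0 when the layer is absent, would cover both call sites and any other caller, and a short comment there could state why an absent layer needs no MAY_READ check. With both guards in place, a dentry that has neither layer reaches `ovl_dir_read_merged(&upperpath, &lowerpath, &rdd)` with no permission check at all, so please confirm that this cannot happen or that ovl_dir_read_merged copes with two empty paths.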