fs/binfmt_misc.c: node could be NULL when evicting inode
authorEryu Guan <eguan@redhat.com>
Fri, 13 Oct 2017 22:58:18 +0000 (15:58 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Fri, 13 Oct 2017 23:18:33 +0000 (16:18 -0700)
inode->i_private is assigned by a Node pointer only after registering a
new binary format, so it could be NULL if inode was created by
bm_fill_super() (or iput() was called by the error path in
bm_register_write()), and this could result in NULL pointer dereference
when evicting such an inode.  e.g.  mount binfmt_misc filesystem then
umount it immediately:

  mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
  umount /proc/sys/fs/binfmt_misc

will result in

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000013
  IP: bm_evict_inode+0x16/0x40 [binfmt_misc]
  Call Trace:

Fix it by making sure Node (e) is not NULL.

Link: http://lkml.kernel.org/r/20171010100642.31786-1-eguan@redhat.com
Fixes: 83f918274e4b ("exec: binfmt_misc: shift filp_close(interp_file) from kill_node() to bm_evict_inode()")
Signed-off-by: Eryu Guan <eguan@redhat.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

index 2a46762def315638e31a2042a3e2d7ccd06a52de..a7c5a9861bef5a73b8f7377dfa9e045427b915c7 100644 (file)
@@ -596,7 +596,7 @@ static void bm_evict_inode(struct inode *inode)
        Node *e = inode->i_private;
-       if (e->flags & MISC_FMT_OPEN_FILE)
+       if (e && e->flags & MISC_FMT_OPEN_FILE)
                filp_close(e->interp_file, NULL);