[patch 2/2] cifs: dereferencing first then checking

Jeff Layton jlayton at redhat.com
Wed Oct 27 17:51:23 MDT 2010 

On Wed, 27 Oct 2010 23:22:53 +0200
Dan Carpenter <error27 at gmail.com> wrote:

> Smatch complained about a couple checking for NULL after dereferencing
> bugs.  I'm not super familiar with the code so I did the conservative
> thing and move the dereferences after the checks.
> 
> The dereferences in cifs_lock() and cifs_fsync() were added in
> ba00ba64cf0 "cifs: make various routines use the cifsFileInfo->tcon
> pointer".  The dereference in find_writable_file() was added in 
> 6508d904e6f "cifs: have find_readable/writable_file filter by fsuid".
> The comments there say it's possible to trigger the NULL dereference
> under stress.
> 
> Signed-off-by: Dan Carpenter <error27 at gmail.com>
> 
> diff --git a/fs/cifs/file.c b/fs/cifs/file.c
> index 06a006b..33a19b4 100644
> --- a/fs/cifs/file.c
> +++ b/fs/cifs/file.c
> @@ -775,13 +775,13 @@ int cifs_lock(struct file *file, int cmd, struct file_lock *pfLock)
>  		cFYI(1, "Unknown type of lock");
>  
>  	cifs_sb = CIFS_SB(file->f_path.dentry->d_sb);
> -	tcon = tlink_tcon(((struct cifsFileInfo *)file->private_data)->tlink);
>  
>  	if (file->private_data == NULL) {
>  		rc = -EBADF;
>  		FreeXid(xid);
>  		return rc;
>  	}
	^^^^^^^
I think the above check can just go away now. If this pointer is NULL
then something is badly wrong.

> +	tcon = tlink_tcon(((struct cifsFileInfo *)file->private_data)->tlink);
>  	netfid = ((struct cifsFileInfo *)file->private_data)->netfid;
>  
>  	if ((tcon->ses->capabilities & CAP_UNIX) &&
> @@ -1179,7 +1179,7 @@ struct cifsFileInfo *find_writable_file(struct cifsInodeInfo *cifs_inode,
>  					bool fsuid_only)
>  {
>  	struct cifsFileInfo *open_file;
> -	struct cifs_sb_info *cifs_sb = CIFS_SB(cifs_inode->vfs_inode.i_sb);
> +	struct cifs_sb_info *cifs_sb;
>  	bool any_available = false;
>  	int rc;
>  
> @@ -1192,6 +1192,7 @@ struct cifsFileInfo *find_writable_file(struct cifsInodeInfo *cifs_inode,
>  		dump_stack();
>  		return NULL;
>  	}
	^^^^^^
	I think we ought to rid ourselves of the above check too. It's
	not clear how we'd get a NULL pointer there anyway -- mostly we
	get cifsInodeInfo pointers from the CIFS_I(inode) macro which does a
	container_of() on the inode. That should never return a NULL
	pointer anyway, unless the inode pointer happens to be corrupt
	in a very specific way.

> +	cifs_sb = CIFS_SB(cifs_inode->vfs_inode.i_sb);
>  
>  	/* only filter by fsuid on multiuser mounts */
>  	if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MULTIUSER))
> @@ -1628,15 +1629,26 @@ int cifs_fsync(struct file *file, int datasync)
>  		file->f_path.dentry->d_name.name, datasync);
>  
>  	rc = filemap_write_and_wait(inode->i_mapping);
> -	if (rc == 0) {
> -		rc = CIFS_I(inode)->write_behind_rc;
> -		CIFS_I(inode)->write_behind_rc = 0;
> -		tcon = tlink_tcon(smbfile->tlink);
> -		if (!rc && tcon && smbfile &&
> -		   !(CIFS_SB(inode->i_sb)->mnt_cifs_flags & CIFS_MOUNT_NOSSYNC))
> -			rc = CIFSSMBFlush(xid, tcon, smbfile->netfid);
> -	}
> +	if (rc)
> +		goto err_out;
> +
> +	rc = CIFS_I(inode)->write_behind_rc;
> +	CIFS_I(inode)->write_behind_rc = 0;
> +	if (rc)
> +		goto err_out;
> +
> +	if (CIFS_SB(inode->i_sb)->mnt_cifs_flags & CIFS_MOUNT_NOSSYNC)
> +		goto done;
> +	if (!smbfile)
> +		goto done;
> +	tcon = tlink_tcon(smbfile->tlink);
> +	if (!tcon)
> +		goto done;
> +
> +	rc = CIFSSMBFlush(xid, tcon, smbfile->netfid);
>  
> +err_out:
> +done:
>  	FreeXid(xid);
>  	return rc;
>  }

The above delta shouldn't be needed once the patches in Steve's tree
are pushed to Linus. I think what we should probably do is wait for
Steve to push to Linus and then do a patch to remove the first two
checks.

Sound like a plan?

-- 
Jeff Layton <jlayton at redhat.com>

More information about the samba-technical mailing list