kernel-packages team mailing list archive
Message #140761
[Bug 1455364] Re: the wrong return value of function ubifs_fill_super()
** Changed in: linux (Ubuntu)
Status: Triaged => Confirmed
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => anna (rucsoftsec)
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1455364
Title:
the wrong return value of function ubifs_fill_super()
Status in linux package in Ubuntu:
Confirmed
Bug description:
In function ubifs_fill_super() at fs/ubifs/super.c: 1955, the call to d_alloc_root() in line 2058 may return a NULL pointer, and thus function ubifs_fill_super() will return the value of variable err. Function ubifs_fill_super() will return 0 at last when it runs well. However, when the call to d_alloc_root() in line 2058 returns a NULL pointer, the value of err is 0. So function ubifs_fill_super() will return 0 to its callers when it fails because of the failing call to d_alloc_root(), leading to a wrong return value of function ubifs_fill_super().
The related code snippet in ubifs_fill_super() is as follows.
ubifs_fill_super @@fs/ubifs/super.c: 1955
1955 static int ubifs_fill_super(struct super_block *sb, void *data, int silent)
1956 {
...
2045 err = mount_ubifs(c);
2046 if (err) {
2047 ubifs_assert(err < 0);
2048 goto out_unlock;
2049 }
2050
2051 /* Read the root inode */
2052 root = ubifs_iget(sb, UBIFS_ROOT_INO);
2053 if (IS_ERR(root)) {
2054 err = PTR_ERR(root);
2055 goto out_umount;
2056 }
2057
2058 sb->s_root = d_alloc_root(root);
2059 if (!sb->s_root)
2060 goto out_iput;
2061
2062 mutex_unlock(&c->umount_mutex);
2063 return 0;
2064
2065 out_iput:
2066 iput(root);
2067 out_umount:
2068 ubifs_umount(c);
2069 out_unlock:
2070 mutex_unlock(&c->umount_mutex);
2071 out_bdi:
2072 bdi_destroy(&c->bdi);
2073 out_close:
2074 ubi_close_volume(c->ubi);
2075 out_free:
2076 kfree(c);
2077 return err;
2078 }
Generally, the return value of a caller of d_alloc_root() shall be set to a negative error code when the call to d_alloc_root() returns a NULL pointer, like the following code in another file.
bfs_fill_super @@fs/bfs/inode.c: 317
317 static int bfs_fill_super(struct super_block *s, void *data, int silent)
318 {
...
371 s->s_root = d_alloc_root(inode);
372 if (!s->s_root) {
373 iput(inode);
374 ret = -ENOMEM;
375 goto out2;
376 }
...
444 return 0;
445
446 out3:
447 dput(s->s_root);
448 s->s_root = NULL;
449 out2:
450 kfree(info->si_imap);
451 out1:
452 brelse(sbh);
453 out:
454 mutex_destroy(&info->bfs_lock);
455 kfree(info);
456 s->s_fs_info = NULL;
457 return ret;
458 }
Thank you
RUC_Soft_Sec
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1455364/+subscriptions
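As an added example (not code from the bug report or from the kernel tree), the following user-space C program models the two control flows the report compares: a fill_super that leaves err at 0 on the d_alloc_root() NULL branch, and the same flow with err set to -ENOMEM there, as bfs_fill_super() does. The kernel types and the functions d_alloc_root(), ubifs_iget(), iput() and mount_ubifs() are minimal stubs constructed for this demo, a fault-injection flag stands in for the allocation failure, and run_mount() plays the caller that treats a 0 return as a successful mount.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for the kernel objects on this path; constructed for the demo,
 * not the real VFS definitions. */
struct inode { unsigned long i_ino; };
struct dentry { struct inode *d_inode; };
struct super_block { struct dentry *s_root; };

/* Fault-injection knob (demo only): while non-zero, d_alloc_root() returns
 * NULL, which is the allocation failure the report is about. */
static int fail_d_alloc_root;

static int mount_ubifs(void) { return 0; }   /* assume the mount step itself succeeds */

static struct inode *ubifs_iget(unsigned long ino)
{
    struct inode *inode = malloc(sizeof(*inode));
    if (inode)
        inode->i_ino = ino;
    return inode;
}

static void iput(struct inode *inode) { free(inode); }

/* Like the old kernel helper: on failure the inode is NOT released here. */
static struct dentry *d_alloc_root(struct inode *root)
{
    struct dentry *d;
    if (fail_d_alloc_root)
        return NULL;
    d = malloc(sizeof(*d));
    if (d)
        d->d_inode = root;
    return d;
}

/* The reported control flow: err is 0 after the successful mount_ubifs(),
 * and the NULL branch jumps to cleanup without setting it. */
static int fill_super_buggy(struct super_block *sb)
{
    struct inode *root;
    int err;

    err = mount_ubifs();
    if (err)
        return err;
    root = ubifs_iget(1);
    if (!root)
        return -ENOMEM;
    sb->s_root = d_alloc_root(root);
    if (!sb->s_root)
        goto out_iput;
    return 0;
out_iput:
    iput(root);
    return err;            /* still 0: the caller sees a successful mount */
}

/* Same flow with the error code set on the failure path, as bfs_fill_super() does. */
static int fill_super_fixed(struct super_block *sb)
{
    struct inode *root;
    int err;

    err = mount_ubifs();
    if (err)
        return err;
    root = ubifs_iget(1);
    if (!root)
        return -ENOMEM;
    sb->s_root = d_alloc_root(root);
    if (!sb->s_root) {
        err = -ENOMEM;
        goto out_iput;
    }
    return 0;
out_iput:
    iput(root);
    return err;
}

/* Outcome codes for run_mount() (constructed for this demo). */
enum { MOUNT_OK = 0, MOUNT_FALSE_SUCCESS = 1 };

/* Plays the caller: fills a fresh super_block with d_alloc_root() forced to
 * fail when inject is non-zero. Returns the negative errno fill() reported,
 * MOUNT_OK when fill() returned 0 with a usable s_root, or
 * MOUNT_FALSE_SUCCESS when fill() returned 0 but left s_root NULL. */
static int run_mount(int (*fill)(struct super_block *), int inject)
{
    struct super_block sb = { NULL };
    int err;

    fail_d_alloc_root = inject;
    err = fill(&sb);
    fail_d_alloc_root = 0;
    if (err < 0)
        return err;
    if (!sb.s_root)
        return MOUNT_FALSE_SUCCESS;
    iput(sb.s_root->d_inode);
    free(sb.s_root);
    return MOUNT_OK;
}

int main(void)
{
    printf("buggy, alloc fails: %d (1 = 'success' with s_root == NULL)\n",
           run_mount(fill_super_buggy, 1));
    printf("fixed, alloc fails: %d (-ENOMEM is %d)\n",
           run_mount(fill_super_fixed, 1), -ENOMEM);
    printf("buggy, alloc ok:    %d\n", run_mount(fill_super_buggy, 0));
    printf("fixed, alloc ok:    %d\n", run_mount(fill_super_fixed, 0));
    return 0;
}
```

Build with cc -std=c99 -Wall and run. The caller side is the practical point: a 0 return with sb->s_root == NULL looks exactly like success to the mount path, and only the error-path assignment the report asks for (err = -ENOMEM before goto out_iput) makes the failure visible. Mainline later replaced d_alloc_root() with d_make_root(), which releases the inode itself when it fails, so a port of this fix to a newer tree drops the iput() step as well.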