From dbdec37cb77d2b981de3861785ecc9d06d36d9f7 Mon Sep 17 00:00:00 2001 From: aburford Date: Sat, 14 May 2022 21:32:03 -0400 Subject: [PATCH] Wrapfs: fix NULL pointer dereference when stacking wrapfs on top of itself. Wrapfs assumes that the d_fsdata field has already been initialized whenever it is passed one of its own dentries, but it doesn't give the lower fs a chance to allocate their d_fsdata field when it creates a new lower_dentry. This is fixed by simply replacing a call to d_add in __wrapfs_lookup with a call to ->lookup on the lower fs inode. Signed-off-by: Andrew Burford --- fs/wrapfs/lookup.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/fs/wrapfs/lookup.c b/fs/wrapfs/lookup.c index 7c78d5a4a30f..b166c0e50b98 100644 --- a/fs/wrapfs/lookup.c +++ b/fs/wrapfs/lookup.c @@ -260,7 +260,14 @@ static struct dentry *__wrapfs_lookup(struct dentry *dentry, err = -ENOMEM; goto out; } - d_add(lower_dentry, NULL); /* instantiate and hash */ + + /* + * Calling ->lookup instead of d_add will give the lower fs a chance + * to allocate the d_fsdata field but will still instantiate and hash the + * lower_dentry. Without this, wrapfs could not stack on top of itself. + */ + d_inode(lower_dir_dentry) + ->i_op->lookup(d_inode(lower_dir_dentry), lower_dentry, flags); setup_lower: lower_path.dentry = lower_dentry; -- 2.34.1
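Review bot: The return value of the new `->i_op->lookup(d_inode(lower_dir_dentry), lower_dentry, flags)` call in `__wrapfs_lookup` is discarded. A `->lookup` method returns a `struct dentry *` that can be NULL, an `ERR_PTR()` value, or a different dentry that the lower filesystem wants used in place of the one passed in. As written, an error from the lower filesystem is silently dropped and the code falls through to `setup_lower:` with `lower_path.dentry = lower_dentry` as though the lookup had succeeded. If the lower filesystem returned an alternate dentry, wrapfs keeps using the one it allocated and the returned reference is leaked. Capture the result, check it with `IS_ERR()` and set `err` and `goto out` on failure (releasing `lower_dentry`), and when a non-NULL dentry comes back, drop the allocated one and use the returned one. The commit message or the new comment should also state which lock on `d_inode(lower_dir_dentry)` is held at this point, since `d_add` did not call into the lower filesystem and `->lookup` does. Style: keep `d_inode(lower_dir_dentry)->i_op->lookup(` on one line, or put the inode in a local variable, rather than starting a continuation line with `->`.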