From patchwork Sat Jan 24 19:31:24 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dan Carpenter <dan.carpenter@oracle.com>
X-Patchwork-Id: 5700171
Return-Path: <linux-fsdevel-owner@kernel.org>
X-Original-To: patchwork-linux-fsdevel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 567319F2ED
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Sat, 24 Jan 2015 19:31:43 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 8BE232020F
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Sat, 24 Jan 2015 19:31:41 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 5D38E2020E
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Sat, 24 Jan 2015 19:31:40 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754559AbbAXTbh (ORCPT
	<rfc822;patchwork-linux-fsdevel@patchwork.kernel.org>);
	Sat, 24 Jan 2015 14:31:37 -0500
Received: from userp1040.oracle.com ([156.151.31.81]:21416 "EHLO
	userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752845AbbAXTbg (ORCPT
	<rfc822;linux-fsdevel@vger.kernel.org>);
	Sat, 24 Jan 2015 14:31:36 -0500
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238])
	by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2)
	with ESMTP id t0OJVYcB005481
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
	Sat, 24 Jan 2015 19:31:34 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85])
	by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
	t0OJVXng021923
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL);
	Sat, 24 Jan 2015 19:31:33 GMT
Received: from abhmp0013.oracle.com (abhmp0013.oracle.com [141.146.116.19])
	by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
	t0OJVWgK022684; Sat, 24 Jan 2015 19:31:32 GMT
Received: from mwanda (/154.0.139.178)
	by default (Oracle Beehive Gateway v4.0)
	with ESMTP ; Sat, 24 Jan 2015 11:31:32 -0800
Date: Sat, 24 Jan 2015 22:31:24 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] posix_acl: cleanup posix_acl_create()
Message-ID: <20150124193124.GA18322@mwanda>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-fsdevel.vger.kernel.org>
X-Mailing-List: linux-fsdevel@vger.kernel.org
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	T_RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

If posix_acl_create() returns an error code then "*acl" and
"*default_acl" can be uninitialized or point to freed memory.  This
causes problems in some of the callers where it is expected that they
are NULL on error.  For example, ocfs2_reflink() has a bug.

	fs/ocfs2/refcounttree.c:4329 ocfs2_reflink()
	error: potentially using uninitialized 'default_acl'.

I have re-written this function and re-arranged things so that they are
set to NULL at the start and then only set to a valid pointer at the end
of the function.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/fs/posix_acl.c b/fs/posix_acl.c
index 0855f77..66d2c13 100644
--- a/fs/posix_acl.c
+++ b/fs/posix_acl.c
@@ -546,50 +546,43 @@ int
 posix_acl_create(struct inode *dir, umode_t *mode,
 		struct posix_acl **default_acl, struct posix_acl **acl)
 {
-	struct posix_acl *p;
+	struct posix_acl *p, *clone;
 	int ret;
 
+	*acl = NULL;
+	*default_acl = NULL;
+
 	if (S_ISLNK(*mode) || !IS_POSIXACL(dir))
-		goto no_acl;
+		return 0;
 
 	p = get_acl(dir, ACL_TYPE_DEFAULT);
-	if (IS_ERR(p)) {
-		if (p == ERR_PTR(-EOPNOTSUPP))
-			goto apply_umask;
-		return PTR_ERR(p);
+	if (!p || p == ERR_PTR(-EOPNOTSUPP)) {
+		*mode &= ~current_umask();
+		return 0;
 	}
+	if (IS_ERR(p))
+		return PTR_ERR(p);
 
-	if (!p)
-		goto apply_umask;
-
-	*acl = posix_acl_clone(p, GFP_NOFS);
-	if (!*acl)
+	clone = posix_acl_clone(p, GFP_NOFS);
+	if (!clone)
 		return -ENOMEM;
 
-	ret = posix_acl_create_masq(*acl, mode);
+	ret = posix_acl_create_masq(clone, mode);
 	if (ret < 0) {
-		posix_acl_release(*acl);
+		posix_acl_release(clone);
 		return -ENOMEM;
 	}
 
-	if (ret == 0) {
-		posix_acl_release(*acl);
-		*acl = NULL;
-	}
+	if (ret == 0)
+		posix_acl_release(clone);
+	else
+		*acl = clone;
 
-	if (!S_ISDIR(*mode)) {
+	if (!S_ISDIR(*mode))
 		posix_acl_release(p);
-		*default_acl = NULL;
-	} else {
+	else
 		*default_acl = p;
-	}
-	return 0;
 
-apply_umask:
-	*mode &= ~current_umask();
-no_acl:
-	*default_acl = NULL;
-	*acl = NULL;
 	return 0;
 }
 EXPORT_SYMBOL_GPL(posix_acl_create);