[BUG] Missing i_sb NULL pointer check in destroy_inode()

From: Mingming Cao
Date: Mon Nov 24 2003 - 14:00:20 EST


Hello, Andrew, Marcelo,

destroy_inode() dereferences inode->i_sb without checking whether it is NULL.
This is inconsistent with its callers, iput() and clear_inode(), both of
which check inode->i_sb before dereferencing it. Since iput() calls
destroy_inode() after calling the file system's .clear_inode method (via
clear_inode()), some file systems might choose to clear i_sb in the
.clear_inode super block operation. This results in a crash in
destroy_inode().

This issue exists in both the 2.6 and 2.4 kernels. A simple fix against
2.6.0-test9 is included below. The 2.4-based fix should be very similar to
this one. Please take a look and consider including it.

Many thanks!!

--Mingming
----------------------------------------------------------
diff -urNp linux-2.6.0-test9/fs/inode.c a/fs/inode.c
--- linux-2.6.0-test9/fs/inode.c 2003-10-25 11:44:53.000000000 -0700
+++ a/fs/inode.c 2003-11-20 17:28:04.000000000 -0800
@@ -160,7 +160,7 @@ void destroy_inode(struct inode *inode)
if (inode_has_buffers(inode))
BUG();
security_inode_free(inode);
- if (inode->i_sb->s_op->destroy_inode)
+ if (inode->i_sb && inode->i_sb->s_op->destroy_inode)
inode->i_sb->s_op->destroy_inode(inode);
else
kmem_cache_free(inode_cachep, (inode));
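Review bot: the added `inode->i_sb &&` guard avoids the NULL dereference, but when i_sb really is NULL the `else` branch still runs `kmem_cache_free(inode_cachep, (inode));` unconditionally. Without a superblock there is no way to tell whether this inode came from the generic inode_cachep or from a file system's own slab via s_op->alloc_inode; freeing a file-system-allocated inode into inode_cachep would corrupt the slab rather than crash cleanly. Consider either treating a NULL i_sb at this point as a bug (`BUG_ON(!inode->i_sb);`, matching the `inode_has_buffers` check above) or documenting that file systems must not clear i_sb in .clear_inode, rather than silently falling through to the generic free.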
