quota: Fix possible oops in __dquot_initialize()

When quotaon(8) races with __dquot_initialize() or dqget() fails because of EIO, ENOSPC, or similar error, we could possibly dereference NULL pointer in inode->i_dquot[cnt]. Add proper checking. Reported-by: Dmitry Monakhov <dmonakhov@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz>

quota: Fix possible oops in __dquot_initialize()
When quotaon(8) races with __dquot_initialize() or dqget() fails because of EIO, ENOSPC, or similar error, we could possibly dereference NULL pointer in inode->i_dquot[cnt]. Add proper checking. Reported-by: Dmitry Monakhov <dmonakhov@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz>
4408ea41 · Jan Kara · a4c18ad2 · 4408ea41
Commit 4408ea41 authored Oct 19, 2010 by Jan Kara
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

fs/quota/dquot.c fs/quota/dquot.c +3 -0

No files found.
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -1386,6 +1386,9 @@ static void __dquot_initialize(struct inode *inode, int type)
 		/* Avoid races with quotaoff() */
 		if (!sb_has_quota_active(sb, cnt))
 			continue;
+		/* We could race with quotaon or dqget() could have failed */
+		if (!got[cnt])
+			continue;
 		if (!inode->i_dquot[cnt]) {
 			inode->i_dquot[cnt] = got[cnt];
 			got[cnt] = NULL;