xfs: don't crash the vfs on a garbage inline symlink
author	Darrick J. Wong <darrick.wong@oracle.com>
	Sat, 29 Sep 2018 03:40:40 +0000 (13:40 +1000)
committer	Dave Chinner <david@fromorbit.com>
	Sat, 29 Sep 2018 03:40:40 +0000 (13:40 +1000)
The VFS routine that calls ->get_link blindly copies whatever's returned
into the user's buffer.  If we return a NULL pointer, the vfs will
crash on the null pointer.  Therefore, return -EFSCORRUPTED instead of
blowing up the kernel.

[dgc: clean up with hch's suggestions]

Reported-by: wen.xu@gatech.edu
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Allison Henderson <allison.henderson@oracle.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
fs/xfs/xfs_iops.c

index c3e74f9..f48ffd7 100644
@@ -471,8 +471,18 @@ xfs_vn_get_link_inline(
        struct inode            *inode,
        struct delayed_call     *done)
 {
+       char                    *link;
+
        ASSERT(XFS_I(inode)->i_df.if_flags & XFS_IFINLINE);
-       return XFS_I(inode)->i_df.if_u1.if_data;
+
+       /*
+        * The VFS crashes on a NULL pointer, so return -EFSCORRUPTED if
+        * if_data is junk.
+        */
+       link = XFS_I(inode)->i_df.if_u1.if_data;
+       if (!link)
+               return ERR_PTR(-EFSCORRUPTED);
+       return link;
 }
 
 STATIC int
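Review bot: the comment at "if if_data is junk" overstates what the added check catches; `if (!link)` only rejects a NULL `if_data`, not a non-NULL pointer to a non-NUL-terminated or otherwise corrupt inline symlink, so it would be more accurate to say "return -EFSCORRUPTED if if_data is NULL". Note also that the preceding `ASSERT(XFS_I(inode)->i_df.if_flags & XFS_IFINLINE)` compiles out in non-debug builds, so the new NULL test is the only runtime defence on this path in production kernels, which is the right place for it; returning `ERR_PTR(-EFSCORRUPTED)` matches what the VFS expects from `->get_link`, and the unchanged `done` argument is still not needed because the inline data lives in the inode and nothing has to be freed.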