ANDROID: sdcardfs: fix potential crash when reserved_mb is not zero

sdcardfs_mkdir() calls check_min_free_space(). When reserved_mb is not zero, a negative dentry will be passed to
ext4_statfs() at last and ext4_statfs() will crash. The parent dentry is positive. So we use the parent dentry to
check free space.

Change-Id: I80ab9623fe59ba911f4cc9f0e029a1c6f7ee421b
Signed-off-by: Lianjun Huang <huanglianjun@vivo.com>

diff --git a/fs/sdcardfs/inode.c b/fs/sdcardfs/inode.c
index b43258684fb933202d40cb9635589731304f6eb2..2de5a4dffa22ce71bf5bd406bb4c3927227fc1da 100644 (file)
--- a/fs/sdcardfs/inode.c
+++ b/fs/sdcardfs/inode.c
@@ -270,6 +270,7 @@ static int sdcardfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode
        struct dentry *lower_dentry;
        struct vfsmount *lower_mnt;
        struct dentry *lower_parent_dentry = NULL;
+       struct dentry *parent_dentry = NULL;
        struct path lower_path;
        struct sdcardfs_sb_info *sbi = SDCARDFS_SB(dentry->d_sb);
        const struct cred *saved_cred = NULL;
@@ -289,11 +290,14 @@ static int sdcardfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode
        OVERRIDE_CRED(SDCARDFS_SB(dir->i_sb), saved_cred, SDCARDFS_I(dir));
 
        /* check disk space */
-       if (!check_min_free_space(dentry, 0, 1)) {
+       parent_dentry = dget_parent(dentry);
+       if (!check_min_free_space(parent_dentry, 0, 1)) {
                pr_err("sdcardfs: No minimum free space.\n");
                err = -ENOSPC;
+               dput(parent_dentry);
                goto out_revert;
        }
+       dput(parent_dentry);
 
        /* the lower_dentry is negative here */
        sdcardfs_get_lower_path(dentry, &lower_path);