From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Chao Yu <chao2.yu@samsung.com>,
Tyler Hicks <tyhicks@canonical.com>
Subject: [PATCH 3.10 43/43] ecryptfs: avoid to access NULL pointer when write metadata in xattr
Date: Tue, 28 Oct 2014 11:36:41 +0800 [thread overview]
Message-ID: <20141028033525.264238123@linuxfoundation.org> (raw)
In-Reply-To: <20141028033523.407092670@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao2.yu@samsung.com>
commit 35425ea2492175fd39f6116481fe98b2b3ddd4ca upstream.
Christopher Head 2014-06-28 05:26:20 UTC described:
"I tried to reproduce this on 3.12.21. Instead, when I do "echo hello > foo"
in an ecryptfs mount with ecryptfs_xattr specified, I get a kernel crash:
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffff8110eb39>] fsstack_copy_attr_all+0x2/0x61
PGD d7840067 PUD b2c3c067 PMD 0
Oops: 0002 [#1] SMP
Modules linked in: nvidia(PO)
CPU: 3 PID: 3566 Comm: bash Tainted: P O 3.12.21-gentoo-r1 #2
Hardware name: ASUSTek Computer Inc. G60JX/G60JX, BIOS 206 03/15/2010
task: ffff8801948944c0 ti: ffff8800bad70000 task.ti: ffff8800bad70000
RIP: 0010:[<ffffffff8110eb39>] [<ffffffff8110eb39>] fsstack_copy_attr_all+0x2/0x61
RSP: 0018:ffff8800bad71c10 EFLAGS: 00010246
RAX: 00000000000181a4 RBX: ffff880198648480 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffff880172010450 RDI: 0000000000000000
RBP: ffff880198490e40 R08: 0000000000000000 R09: 0000000000000000
R10: ffff880172010450 R11: ffffea0002c51e80 R12: 0000000000002000
R13: 000000000000001a R14: 0000000000000000 R15: ffff880198490e40
FS: 00007ff224caa700(0000) GS:ffff88019fcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000bb07f000 CR4: 00000000000007e0
Stack:
ffffffff811826e8 ffff8800a39d8000 0000000000000000 000000000000001a
ffff8800a01d0000 ffff8800a39d8000 ffffffff81185fd5 ffffffff81082c2c
00000001a39d8000 53d0abbc98490e40 0000000000000037 ffff8800a39d8220
Call Trace:
[<ffffffff811826e8>] ? ecryptfs_setxattr+0x40/0x52
[<ffffffff81185fd5>] ? ecryptfs_write_metadata+0x1b3/0x223
[<ffffffff81082c2c>] ? should_resched+0x5/0x23
[<ffffffff8118322b>] ? ecryptfs_initialize_file+0xaf/0xd4
[<ffffffff81183344>] ? ecryptfs_create+0xf4/0x142
[<ffffffff810f8c0d>] ? vfs_create+0x48/0x71
[<ffffffff810f9c86>] ? do_last.isra.68+0x559/0x952
[<ffffffff810f7ce7>] ? link_path_walk+0xbd/0x458
[<ffffffff810fa2a3>] ? path_openat+0x224/0x472
[<ffffffff810fa7bd>] ? do_filp_open+0x2b/0x6f
[<ffffffff81103606>] ? __alloc_fd+0xd6/0xe7
[<ffffffff810ee6ab>] ? do_sys_open+0x65/0xe9
[<ffffffff8157d022>] ? system_call_fastpath+0x16/0x1b
RIP [<ffffffff8110eb39>] fsstack_copy_attr_all+0x2/0x61
RSP <ffff8800bad71c10>
CR2: 0000000000000000
---[ end trace df9dba5f1ddb8565 ]---"
If we create a file when we mount with ecryptfs_xattr_metadata option, we will
encounter a crash in this path:
->ecryptfs_create
->ecryptfs_initialize_file
->ecryptfs_write_metadata
->ecryptfs_write_metadata_to_xattr
->ecryptfs_setxattr
->fsstack_copy_attr_all
It's because our dentry->d_inode used in fsstack_copy_attr_all is NULL, and it
will be initialized when ecryptfs_initialize_file finish.
So we should skip copying attr from lower inode when the value of ->d_inode is
invalid.
Signed-off-by: Chao Yu <chao2.yu@samsung.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ecryptfs/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -1051,7 +1051,7 @@ ecryptfs_setxattr(struct dentry *dentry,
}
rc = vfs_setxattr(lower_dentry, name, value, size, flags);
- if (!rc)
+ if (!rc && dentry->d_inode)
fsstack_copy_attr_all(dentry->d_inode, lower_dentry->d_inode);
out:
return rc;
next prev parent reply other threads:[~2014-10-28 3:53 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-28 3:35 [PATCH 3.10 00/43] 3.10.59-stable review Greg Kroah-Hartman
2014-10-28 3:35 ` [PATCH 3.10 01/43] Btrfs: try not to ENOSPC on log replay Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 02/43] Btrfs: fix build_backref_tree issue with multiple shared blocks Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 03/43] Btrfs: fix race in WAIT_SYNC ioctl Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 04/43] fs: Add a missing permission check to do_umount Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 05/43] kvm: x86: fix stale mmio cache bug Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 06/43] KVM: s390: unintended fallthrough for external call Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 07/43] kvm: dont take vcpu mutex for obviously invalid vcpu ioctls Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 08/43] x86/intel/quark: Switch off CR4.PGE so TLB flush uses CR3 instead Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 09/43] spi: dw-mid: respect 8 bit mode Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 10/43] spi: dw-mid: check that DMA was inited before exit Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 11/43] regmap: debugfs: fix possbile NULL pointer dereference Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 12/43] regmap: fix NULL pointer dereference in _regmap_write/read Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 13/43] be2iscsi: check ip buffer before copying Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 14/43] mptfusion: enable no_write_same for vmware scsi disks Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 15/43] qla2xxx: Use correct offset to req-q-out for reserve calculation Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 16/43] firmware_class: make sure fw requests contain a name Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 17/43] Drivers: hv: vmbus: Cleanup vmbus_post_msg() Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 18/43] Drivers: hv: vmbus: Cleanup vmbus_teardown_gpadl() Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 19/43] Drivers: hv: vmbus: Cleanup vmbus_establish_gpadl() Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 20/43] Drivers: hv: vmbus: Fix a bug in vmbus_open() Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 21/43] m68k: Disable/restore interrupts in hwreg_present()/hwreg_write() Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 22/43] Documentation: lzo: document part of the encoding Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 23/43] Revert "lzo: properly check for overruns" Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 24/43] lzo: check for length overrun in variable length encoding Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 25/43] NFSv4: Fix lock recovery when CREATE_SESSION/SETCLIENTID_CONFIRM fails Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 26/43] NFSv4: fix open/lock state recovery error handling Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 27/43] NFSv4.1: Fix an NFSv4.1 state renewal regression Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 28/43] iwlwifi: Add missing PCI IDs for the 7260 series Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 29/43] PCI: Increase IBM ipr SAS Crocodile BARs to at least system page size Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 30/43] PCI: Generate uppercase hex for modalias interface class Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 31/43] rt2800: correct BBP1_TX_POWER_CTRL mask Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 32/43] Bluetooth: Fix HCI H5 corrupted ack value Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 33/43] Bluetooth: Fix issue with USB suspend in btusb driver Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 34/43] mm: clear __GFP_FS when PF_MEMALLOC_NOIO is set Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 36/43] kernel: add support for gcc 5 Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 37/43] spi: dw-mid: terminate ongoing transfers at exit Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 38/43] arm64: compat: fix compat types affecting struct compat_elf_prpsinfo Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 39/43] ALSA: pcm: use the same dma mmap codepath both for arm and arm64 Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 40/43] ALSA: emu10k1: Fix deadlock in synth voice lookup Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 41/43] ALSA: usb-audio: Add support for Steinberg UR22 USB interface Greg Kroah-Hartman
2014-10-28 3:36 ` [PATCH 3.10 42/43] ARM: at91/PMC: dont forget to write PMC_PCDR register to disable clocks Greg Kroah-Hartman
2014-10-28 3:36 ` Greg Kroah-Hartman [this message]
2014-10-28 4:43 ` [PATCH 3.10 00/43] 3.10.59-stable review Guenter Roeck
2014-10-28 6:02 ` Greg Kroah-Hartman
2014-10-28 16:16 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141028033525.264238123@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=chao2.yu@samsung.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tyhicks@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.