public inbox for linux-kernel@vger.kernel.org
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Dmitry Vyukov <dvyukov@google.com>,
	Vegard Nossum <vegard.nossum@gmail.com>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Eric Biggers <ebiggers3@gmail.com>
Subject: [PATCH 4.4 30/33] vfs: dont do RCU lookup of empty pathnames
Date: Wed, 21 Feb 2018 13:45:13 +0100
Message-ID: <20180221124411.128121753@linuxfoundation.org>
In-Reply-To: <20180221124409.564661689@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>

commit c0eb027e5aef70b71e5a38ee3e264dc0b497f343 upstream.

Normal pathname lookup doesn't allow empty pathnames, but using
AT_EMPTY_PATH (with name_to_handle_at() or fstatat(), for example) you
can trigger an empty pathname lookup.

And not only is the RCU lookup in that case entirely unnecessary
(because we'll obviously immediately finalize the end result), it is
actively wrong.

Why? An empty path is a special case that will return the original
'dirfd' dentry - and that dentry may not actually be RCU-free'd,
resulting in a potential use-after-free if we were to initialize the
path lazily under the RCU read lock and depend on complete_walk()
finalizing the dentry.

Found by syzkaller and KASAN.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Eric Biggers <ebiggers3@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/namei.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2000,6 +2000,9 @@ static const char *path_init(struct name
 	int retval = 0;
 	const char *s = nd->name->name;
 
+	if (!*s)
+		flags &= ~LOOKUP_RCU;
+
 	nd->last_type = LAST_ROOT; /* if there are only slashes... */
 	nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT;
 	nd->depth = 0;
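Review bot: the `if (!*s)` test added at the top of path_init() carries no comment, so the reason for clearing LOOKUP_RCU (an empty pathname resolves to the caller's 'dirfd' dentry, which may not be RCU-freed) lives only in the commit message. A short comment above the test would keep a later cleanup from dropping it as redundant. The test also has to stay ahead of the `nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT;` line, since that assignment is where the masked value gets stored.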

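The AT_EMPTY_PATH semantics the commit message relies on, as an added userspace example that is not part of the patch or the kernel tree: an empty pathname is refused by a normal lookup and, with the flag, resolves to the object `dirfd` itself refers to. The function name `check_empty_path_semantics` and the fallback flag definition are assumptions of this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes AT_EMPTY_PATH in glibc headers */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000   /* Linux UAPI value, used only if libc hides it */
#endif

/*
 * Returns 0 when both expectations hold for the directory `dir`:
 *   1. fstatat(fd, "", ..., 0) fails with ENOENT (empty paths are not valid);
 *   2. fstatat(fd, "", ..., AT_EMPTY_PATH) describes the same object as
 *      fstat(fd), i.e. the lookup result is the dirfd object itself.
 * A negative return value identifies the step that failed.
 */
int check_empty_path_semantics(const char *dir)
{
	struct stat by_fd, by_empty;
	int rc = 0;
	int fd = open(dir, O_RDONLY);

	if (fd < 0)
		return -1;

	if (fstatat(fd, "", &by_empty, 0) != -1 || errno != ENOENT)
		rc = -2;	/* empty path unexpectedly accepted */
	else if (fstatat(fd, "", &by_empty, AT_EMPTY_PATH) != 0)
		rc = -3;	/* flag not honoured on this system */
	else if (fstat(fd, &by_fd) != 0)
		rc = -4;
	else if (by_fd.st_dev != by_empty.st_dev ||
		 by_fd.st_ino != by_empty.st_ino)
		rc = -5;	/* resolved to something other than dirfd */

	close(fd);
	return rc;
}

int main(void)
{
	int rc = check_empty_path_semantics("/");

	printf("empty-path semantics check: %d\n", rc);
	return rc ? 1 : 0;
}
```
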
Thread overview: 40+ messages
2018-02-21 12:44 [PATCH 4.4 00/33] 4.4.117-stable review Greg Kroah-Hartman
2018-02-21 12:44 ` [PATCH 4.4 01/33] IB/mlx4: Fix incorrectly releasing steerable UD QPs when have only ETH ports Greg Kroah-Hartman
2018-02-21 12:44 ` [PATCH 4.4 02/33] PM / devfreq: Propagate error from devfreq_add_device() Greg Kroah-Hartman
2018-02-21 12:44 ` [PATCH 4.4 03/33] s390: fix handling of -1 in set{,fs}[gu]id16 syscalls Greg Kroah-Hartman
2018-02-21 12:44 ` [PATCH 4.4 04/33] ARM: dts: STi: Add gpio polarity for "hdmi,hpd-gpio" property Greg Kroah-Hartman
2018-02-21 12:44 ` [PATCH 4.4 05/33] arm: spear600: Add missing interrupt-parent of rtc Greg Kroah-Hartman
2018-02-21 12:44 ` [PATCH 4.4 06/33] arm: spear13xx: Fix dmas cells Greg Kroah-Hartman
2018-02-21 12:44 ` [PATCH 4.4 07/33] arm: spear13xx: Fix spics gpio controllers warning Greg Kroah-Hartman
2018-02-21 12:44 ` [PATCH 4.4 08/33] ALSA: seq: Fix regression by incorrect ioctl_mutex usages Greg Kroah-Hartman
2018-02-21 12:44 ` [PATCH 4.4 09/33] KVM/x86: Reduce retpoline performance impact in slot_handle_level_range(), by always inlining iterator helper methods Greg Kroah-Hartman
2018-02-21 12:44 ` [PATCH 4.4 10/33] x86/cpu: Change type of x86_cache_size variable to unsigned int Greg Kroah-Hartman
2018-02-21 12:44 ` [PATCH 4.4 11/33] drm/radeon: adjust tested variable Greg Kroah-Hartman
2018-02-21 12:44 ` [PATCH 4.4 12/33] rtc-opal: Fix handling of firmware error codes, prevent busy loops Greg Kroah-Hartman
2018-02-21 12:44 ` [PATCH 4.4 13/33] ext4: save error to disk in __ext4_grp_locked_error() Greg Kroah-Hartman
2018-02-21 12:44 ` [PATCH 4.4 14/33] ext4: correct documentation for grpid mount option Greg Kroah-Hartman
2018-02-21 12:44 ` [PATCH 4.4 15/33] mm: hide a #warning for COMPILE_TEST Greg Kroah-Hartman
2018-02-21 12:44 ` [PATCH 4.4 16/33] video: fbdev: atmel_lcdfb: fix display-timings lookup Greg Kroah-Hartman
2018-02-21 12:45 ` [PATCH 4.4 17/33] console/dummy: leave .con_font_get set to NULL Greg Kroah-Hartman
2018-02-21 12:45 ` [PATCH 4.4 18/33] rtlwifi: rtl8821ae: Fix connection lost problem correctly Greg Kroah-Hartman
2018-02-21 12:45 ` [PATCH 4.4 19/33] Btrfs: fix deadlock in run_delalloc_nocow Greg Kroah-Hartman
2018-02-21 12:45 ` [PATCH 4.4 20/33] Btrfs: fix crash due to not cleaning up tree log blocks dirty bits Greg Kroah-Hartman
2018-02-21 12:45 ` [PATCH 4.4 21/33] Btrfs: fix unexpected -EEXIST when creating new inode Greg Kroah-Hartman
2018-02-21 12:45 ` [PATCH 4.4 22/33] ALSA: hda - Fix headset mic detection problem for two Dell machines Greg Kroah-Hartman
2018-02-21 12:45 ` [PATCH 4.4 23/33] ALSA: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute Greg Kroah-Hartman
2018-02-21 12:45 ` [PATCH 4.4 24/33] ALSA: hda/realtek: PCI quirk for Fujitsu U7x7 Greg Kroah-Hartman
2018-02-21 12:45 ` [PATCH 4.4 25/33] ALSA: usb-audio: add implicit fb quirk for Behringer UFX1204 Greg Kroah-Hartman
2018-02-21 12:45 ` [PATCH 4.4 26/33] ALSA: seq: Fix racy pool initializations Greg Kroah-Hartman
2018-02-21 12:45 ` [PATCH 4.4 27/33] mvpp2: fix multicast address filter Greg Kroah-Hartman
2018-02-21 12:45 ` [PATCH 4.4 28/33] dm: correctly handle chained bios in dec_pending() Greg Kroah-Hartman
2018-02-21 12:45 ` [PATCH 4.4 29/33] x86: fix build warnign with 32-bit PAE Greg Kroah-Hartman
2018-02-21 12:45 ` Greg Kroah-Hartman [this message]
2018-02-21 12:45 ` [PATCH 4.4 31/33] ARM: pxa/tosa-bt: add MODULE_LICENSE tag Greg Kroah-Hartman
2018-02-21 12:45 ` [PATCH 4.4 32/33] ARM: dts: s5pv210: add interrupt-parent for ohci Greg Kroah-Hartman
2018-02-21 12:45 ` [PATCH 4.4 33/33] media: r820t: fix r820t_write_reg for KASAN Greg Kroah-Hartman
2018-02-21 14:46 ` [PATCH 4.4 00/33] 4.4.117-stable review Nathan Chancellor
2018-02-21 15:30   ` Greg Kroah-Hartman
2018-02-21 17:58 ` Naresh Kamboju
2018-02-21 18:57 ` kernelci.org bot
2018-02-21 20:12 ` Shuah Khan
2018-02-22 14:11 ` Guenter Roeck
