stable.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev,
	syzbot+c88a7030da47945a3cc3@syzkaller.appspotmail.com,
	Christian Brauner <christian.brauner@ubuntu.com>,
	Al Viro <viro@zeniv.linux.org.uk>
Subject: [PATCH 5.10 06/63] Make sure nd->path.mnt and nd->path.dentry are always valid pointers
Date: Tue,  3 Jan 2023 09:13:36 +0100
Message-ID: <20230103081308.942805751@linuxfoundation.org>
In-Reply-To: <20230103081308.548338576@linuxfoundation.org>

From: Al Viro <viro@zeniv.linux.org.uk>

[ Upstream commit 7d01ef7585c07afaf487759a48486228cd065726 ]

Initialize them in set_nameidata() and make sure that terminate_walk() clears them
once the pointers become potentially invalid (i.e. we leave RCU mode or drop them
in non-RCU one).  Currently we have "path_init() always initializes them and nobody
accesses them outside of path_init()/terminate_walk() segments", which is asking
for trouble.

With that change we would have nd->path.{mnt,dentry}
	1) always valid - NULL or pointing to currently allocated objects.
	2) non-NULL while we are successfully walking
	3) NULL when we are not walking at all
	4) contributing to refcounts whenever non-NULL outside of RCU mode.

Fixes: 6c6ec2b0a3e0 ("fs: add support for LOOKUP_CACHED")
Reported-by: syzbot+c88a7030da47945a3cc3@syzkaller.appspotmail.com
Tested-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/namei.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/namei.c
+++ b/fs/namei.c
@@ -529,6 +529,8 @@ static void set_nameidata(struct nameida
 	p->stack = p->internal;
 	p->dfd = dfd;
 	p->name = name;
+	p->path.mnt = NULL;
+	p->path.dentry = NULL;
 	p->total_link_count = old ? old->total_link_count : 0;
 	p->saved = old;
 	current->nameidata = p;
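Review bot: the invariant this hunk establishes (nd->path.mnt and nd->path.dentry are NULL whenever no walk is in progress) is stated only in the commit message; the two assignments after `p->name = name;` deserve a short comment, or a note at the struct nameidata definition, so that anyone adding a new initialisation path for nameidata knows these fields must start out NULL rather than uninitialised stack contents. Without that, a future caller that builds a nameidata without going through set_nameidata() silently breaks the "NULL when not walking" guarantee.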
@@ -602,6 +604,8 @@ static void terminate_walk(struct nameid
 		rcu_read_unlock();
 	}
 	nd->depth = 0;
+	nd->path.mnt = NULL;
+	nd->path.dentry = NULL;
 }
 
 /* path_put is needed afterwards regardless of success or failure */
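Review bot: the clearing of nd->path.mnt and nd->path.dentry is placed after the closing brace of the if/else and after `nd->depth = 0;`, so both the RCU and the non-RCU teardown paths reach it, which is what the commit message requires. Only the RCU side (`rcu_read_unlock();`) is visible in this hunk's context; the non-RCU branch that drops the references on nd->path is above the hunk, so confirm that its put of nd->path happens before these two assignments, otherwise NULLing the pointers first would leak the mount and dentry references. A one-line comment such as "pointers may be stale from here on; clear them" would make the ordering constraint explicit.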
@@ -2243,8 +2247,6 @@ static const char *path_init(struct name
 	}
 
 	nd->root.mnt = NULL;
-	nd->path.mnt = NULL;
-	nd->path.dentry = NULL;
 
 	/* Absolute pathname -- fetch the root (LOOKUP_IN_ROOT uses nd->dfd). */
 	if (*s == '/' && !(flags & LOOKUP_IN_ROOT)) {
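Review bot: removing the two NULL assignments after `nd->root.mnt = NULL;` means path_init() now depends on set_nameidata() for the first walk and on terminate_walk() for any retry of the same nameidata, rather than resetting the fields itself; that dependency is worth recording in a comment here, since a future caller that re-enters path_init() without an intervening terminate_walk() would see stale pointers from the previous attempt. The same hunk also leaves nd->root.mnt on the old discipline (initialised in path_init() only), so nd->root and nd->path now have different lifetime rules; if nd->root is ever read outside the path_init()/terminate_walk() window it should get the same set_nameidata()/terminate_walk() treatment.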


