linux-stable/fs
Linus Torvalds 012e79b98f vfs: don't do RCU lookup of empty pathnames
commit c0eb027e5a upstream.

Normal pathname lookup doesn't allow empty pathnames, but using
AT_EMPTY_PATH (with name_to_handle_at() or fstatat(), for example) you
can trigger an empty pathname lookup.

And not only is the RCU lookup in that case entirely unnecessary
(because we'll obviously immediately finalize the end result), it is
actively wrong.

Why? An empty path is a special case that will return the original
'dirfd' dentry - and that dentry may not actually be RCU-free'd,
resulting in a potential use-after-free if we were to initialize the
path lazily under the RCU read lock and depend on complete_walk()
finalizing the dentry.

Found by syzkaller and KASAN.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Eric Biggers <ebiggers3@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-22 15:43:55 +01:00
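The commit message above refers to the AT_EMPTY_PATH special case: with that flag, an empty pathname passed to fstatat() resolves to the object the dirfd itself refers to, while a normal lookup rejects an empty name. The following user-space program is an added example that shows that behaviour from the syscall side; it is not part of the kernel tree or of the commit, it assumes a Linux system (AT_EMPTY_PATH is Linux-specific and needs _GNU_SOURCE with glibc), and it only exercises the API, it does not reproduce the use-after-free.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Returns 1 if fstatat(dirfd, "", ..., AT_EMPTY_PATH) resolves to the very
 * same inode as fstat(dirfd) (i.e. the empty path yields the dirfd's own
 * dentry), 0 if it does not, and -1 if a syscall fails.
 */
int empty_path_resolves_to_dirfd(const char *dir)
{
    struct stat via_fd, via_empty;
    int rc = -1;
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);

    if (dirfd < 0)
        return -1;

    if (fstat(dirfd, &via_fd) == 0 &&
        fstatat(dirfd, "", &via_empty, AT_EMPTY_PATH) == 0)
        rc = (via_fd.st_dev == via_empty.st_dev &&
              via_fd.st_ino == via_empty.st_ino);

    close(dirfd);
    return rc;
}

/*
 * Returns the errno produced by fstatat(dirfd, "", ..., 0): without
 * AT_EMPTY_PATH the normal pathname lookup refuses an empty name and the
 * kernel reports ENOENT. Returns 0 if the call unexpectedly succeeds and
 * -1 if the directory cannot be opened.
 */
int empty_path_without_flag_errno(const char *dir)
{
    struct stat st;
    int err = 0;
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);

    if (dirfd < 0)
        return -1;

    if (fstatat(dirfd, "", &st, 0) != 0)
        err = errno;

    close(dirfd);
    return err;
}

int main(void)
{
    /* "." is used as the dirfd target so the program runs anywhere. */
    printf("AT_EMPTY_PATH resolves to dirfd inode: %d\n",
           empty_path_resolves_to_dirfd("."));
    printf("empty path without flag -> errno %d (ENOENT is %d)\n",
           empty_path_without_flag_errno("."), ENOENT);
    return 0;
}
```

The first function is the path the commit is about: no directory walk happens, the result is simply the dentry already pinned by the open file, so an RCU-mode walk buys nothing and, as the message explains, was unsafe. The second function shows the boundary of the special case: the same empty string is an ordinary lookup error once the flag is absent.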
9p fs/9p: Compare qid.path in v9fs_test_inode 2017-11-30 08:39:05 +00:00
adfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
affs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
afs afs: Fix abort on signal while waiting for call completion 2017-12-20 10:07:25 +01:00
autofs4 autofs: fix careless error in recent commit 2017-12-20 10:07:15 +01:00
befs befs fixes for 4.9-rc1 2016-10-15 12:09:13 -07:00
bfs Merge remote-tracking branch 'ovl/rename2' into for-linus 2016-10-10 23:02:51 -04:00
btrfs Btrfs: fix unexpected -EEXIST when creating new inode 2018-02-22 15:43:50 +01:00
cachefiles Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
ceph ceph: drop negative child dentries before try pruning inode's alias 2017-12-20 10:07:16 +01:00
cifs CIFS: zero sensitive data when freeing 2018-02-17 13:21:12 +01:00
coda coda: fix 'kernel memory exposure attempt' in fsync 2017-11-24 08:33:42 +01:00
configfs configfs: Fix race between create_link and configfs_rmdir 2017-06-24 07:11:12 +02:00
cramfs
crypto fscrypt: use ENOTDIR when setting encryption policy on nondirectory 2017-11-30 08:39:11 +00:00
debugfs dentry name snapshots 2017-08-06 18:59:43 -07:00
devpts Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
dlm dlm: avoid double-free on error path in dlm_device_{register,unregister} 2017-09-09 17:39:40 +02:00
ecryptfs eCryptfs: use after free in ecryptfs_release_messaging() 2017-11-30 08:39:03 +00:00
efivarfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
efs
exofs fs: exofs: print a hex number after a 0x prefix 2016-10-27 18:43:43 -07:00
exportfs exportfs: be careful to only return expected errors. 2016-10-06 09:07:44 -04:00
ext2 ext2: Don't clear SGID when inheriting ACLs 2017-07-27 15:08:02 -07:00
ext4 ext4: save error to disk in __ext4_grp_locked_error() 2018-02-22 15:43:48 +01:00
f2fs fscrypt: use ENOKEY when file cannot be created w/o key 2017-11-30 08:39:11 +00:00
fat fat: fix using uninitialized fields of fat_inode/fsinfo_inode 2017-03-15 10:02:52 +08:00
freevxfs
fscache FS-Cache: fix dereference of NULL user_key_payload 2017-10-27 10:38:11 +02:00
fuse fuse: fix READDIRPLUS skipping an entry 2017-11-02 09:49:13 +01:00
gfs2 GFS2: Take inode off order_write list when setting jdata flag 2017-12-20 10:07:30 +01:00
hfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
hfsplus hfsplus: Don't clear SGID when inheriting ACLs 2017-07-27 15:08:07 -07:00
hostfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
hpfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
hugetlbfs hugetlbfs: initialize shared policy as part of inode allocation 2017-10-08 10:26:09 +02:00
isofs isofs: fix timestamps beyond 2027 2017-11-30 08:39:04 +00:00
jbd2 jbd2: fix sphinx kernel-doc build warnings 2018-02-22 15:43:48 +01:00
jffs2 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
jfs jfs: Don't clear SGID when inheriting ACLs 2017-08-06 18:59:39 -07:00
kernfs kernfs: fix regression in kernfs_fop_write caused by wrong type 2018-02-17 13:21:15 +01:00
lockd lockd: double unregister of inetaddr notifiers 2017-11-30 08:39:06 +00:00
logfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
minix Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
ncpfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
nfs NFS: Fix a race between mmap() and O_DIRECT 2018-02-17 13:21:14 +01:00
nfs_common lockd: fix "list_add double add" caused by legacy signal interface 2018-02-03 17:05:38 +01:00
nfsd lockd: fix "list_add double add" caused by legacy signal interface 2018-02-03 17:05:38 +01:00
nilfs2 nilfs2: fix race condition that causes file system corruption 2017-11-30 08:39:03 +00:00
nls
notify dentry name snapshots 2017-08-06 18:59:43 -07:00
ntfs fs: remove the never implemented aio_fsync file operation 2016-10-30 13:09:42 -04:00
ocfs2 ocfs2: try a blocking lock before return AOP_TRUNCATED_PAGE 2018-02-22 15:43:52 +01:00
omfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
openpromfs fs: Replace CURRENT_TIME with current_time() for inode timestamps 2016-09-27 21:06:21 -04:00
orangefs orangefs: fix deadlock; do not write i_size in read_iter 2018-01-31 12:55:53 +01:00
overlayfs ovl: fix failure to fsync lower dir 2018-02-17 13:21:20 +01:00
proc fs/proc/kcore.c: use probe_kernel_read() instead of memcpy() 2018-02-17 13:21:18 +01:00
pstore pstore: Use dynamic spinlock initializer 2017-08-06 18:59:43 -07:00
qnx4
qnx6
quota quota: Check for register_shrinker() failure. 2018-02-03 17:05:39 +01:00
ramfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
reiserfs reiserfs: remove unneeded i_version bump 2018-02-03 17:05:37 +01:00
romfs romfs: use different way to generate fsid for BLOCK or MTD 2017-06-17 06:41:56 +02:00
squashfs vfs: Remove {get,set,remove}xattr inode operations 2016-10-07 21:48:36 -04:00
sysfs sysfs: be careful of error returns from ops->show() 2017-04-12 12:41:11 +02:00
sysv Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
tracefs fs: Replace CURRENT_TIME with current_time() for inode timestamps 2016-09-27 21:06:21 -04:00
ubifs ubifs: Massage assert in ubifs_xattr_set() wrt. init_xattrs 2018-02-17 13:21:14 +01:00
udf udf: Avoid overflow when session starts at large offset 2017-12-20 10:07:33 +01:00
ufs ufs_getfrag_block(): we only grab ->truncate_mutex on block creation path 2017-06-14 15:06:01 +02:00
xfs xfs: Properly retry failed dquot items in case of error during buffer writeback 2018-02-03 17:05:40 +01:00
aio.c aio: fix lock dep warning 2017-07-05 14:40:26 +02:00
anon_inodes.c
attr.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-10-10 20:16:43 -07:00
bad_inode.c bad_inode: add missing i_op initializers 2017-01-09 08:32:24 +01:00
binfmt_aout.c
binfmt_elf.c binfmt_elf: use ELF_ET_DYN_BASE only for PIE 2017-07-21 07:42:21 +02:00
binfmt_elf_fdpic.c
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c fs: Replace current_fs_time() with current_time() 2016-09-27 21:06:22 -04:00
binfmt_script.c
block_dev.c fs/mpage.c: fix mpage_writepage() for pages with buffers 2017-10-18 09:35:39 +02:00
buffer.c fs: add i_blocksize() 2017-06-14 15:06:00 +02:00
char_dev.c
compat.c compat: remove compat_printk() 2016-09-27 21:20:53 -04:00
compat_binfmt_elf.c
compat_ioctl.c fs: compat_ioctl: add pretimeout functions for watchdogs 2016-09-24 09:27:18 +02:00
coredump.c coredump: Ensure proper size of sparse core files 2017-07-05 14:40:26 +02:00
dax.c dax: Avoid page invalidation races and unnecessary radix tree traversals 2017-12-09 22:01:49 +01:00
dcache.c dentry name snapshots 2017-08-06 18:59:43 -07:00
dcookies.c
direct-io.c direct-io: Prevent NULL pointer access in submit_page_section 2017-10-18 09:35:41 +02:00
drop_caches.c
eventfd.c
eventpoll.c epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove() 2017-09-07 08:35:41 +02:00
exec.c exec: Limit arg stack to at most 75% of _STK_LIM 2017-07-21 07:42:22 +02:00
fcntl.c fs/fcntl: f_setown, avoid undefined behaviour 2018-01-31 12:55:52 +01:00
fhandle.c
file.c fs/file: more unsigned file descriptors 2016-09-27 18:47:38 -04:00
file_table.c
filesystems.c
fs-writeback.c writeback: fix memory leak in wb_queue_work() 2017-12-20 10:07:20 +01:00
fs_pin.c
fs_struct.c
inode.c xfs: evict all inodes involved with log redo item 2017-09-20 08:20:01 +02:00
internal.h xfs: evict all inodes involved with log redo item 2017-09-20 08:20:01 +02:00
ioctl.c vfs: cap dedupe request structure size at PAGE_SIZE 2016-09-15 13:29:52 -07:00
iomap.c iomap: fix integer truncation issues in the zeroing and dirtying helpers 2017-09-20 08:19:59 +02:00
Kconfig mm/hugetlb: introduce ARCH_HAS_GIGANTIC_PAGE 2016-10-07 18:46:29 -07:00
Kconfig.binfmt
libfs.c libfs: Modify mount_pseudo_xattr to be clear it is not a userspace mount 2017-12-09 22:01:51 +01:00
locks.c locking, fs/locks: Add missing file_sem locks 2016-10-18 12:21:28 +02:00
Makefile
mbcache.c mbcache: initialize entry->e_referenced in mb_cache_entry_create() 2018-02-22 15:43:48 +01:00
mount.h mnt: In propgate_umount handle visiting mounts in any order 2017-07-21 07:42:22 +02:00
mpage.c fs/mpage.c: fix mpage_writepage() for pages with buffers 2017-10-18 09:35:39 +02:00
namei.c vfs: don't do RCU lookup of empty pathnames 2018-02-22 15:43:55 +01:00
namespace.c mnt: In propgate_umount handle visiting mounts in any order 2017-07-21 07:42:22 +02:00
no-block.c
nsfs.c nsfs: mark dentry with DCACHE_RCUACCESS 2018-02-17 13:21:15 +01:00
open.c fs: completely ignore unknown open flags 2017-07-12 15:01:02 +02:00
pipe.c pipe: fix off-by-one error when checking buffer limits 2018-02-17 13:21:18 +01:00
pnode.c mnt: Make propagate_umount less slow for overlapping mount propagation trees 2017-07-21 07:42:22 +02:00
pnode.h mnt: Tuck mounts under others instead of creating shadow/side mounts. 2017-03-15 10:02:43 +08:00
posix_acl.c tmpfs: clear S_ISGID when setting posix ACLs 2017-01-26 08:24:37 +01:00
proc_namespace.c
read_write.c vfs: deny copy_file_range() for non regular files 2017-10-12 11:51:26 +02:00
readdir.c
select.c fs/select: add vmalloc fallback for select(2) 2016-10-11 15:06:30 -07:00
seq_file.c seq/proc: modify seq_put_decimal_[u]ll to take a const char *, not char 2016-10-07 18:46:30 -07:00
signalfd.c
splice.c vfs: fix uninitialized flags in splice_to_pipe() 2017-02-23 17:44:35 +01:00
stack.c
stat.c ufs: restore maintaining ->i_blocks 2017-06-14 15:06:01 +02:00
statfs.c
super.c fs: Better permission checking for submounts 2017-03-15 10:02:44 +08:00
sync.c
timerfd.c timerfd: Protect the might cancel mechanism proper 2017-05-08 07:47:54 +02:00
userfaultfd.c userfaultfd: shmem: __do_fault requires VM_FAULT_NOPAGE 2017-12-20 10:07:18 +01:00
utimes.c Merge remote-tracking branch 'jk/vfs' into work.misc 2016-10-08 11:06:08 -04:00
xattr.c lsm: fix smack_inode_removexattr and xattr_getsecurity memleak 2017-10-12 11:51:19 +02:00