Matthew Wilcox (Oracle) 61cf93700f io_uring: Convert personality_idr to XArray ... You can't call idr_remove() from within a idr_for_each() callback, but you can call xa_erase() from an xa_for_each() loop, so switch the entire personality_idr from the IDR to the XArray. This manifests as a use-after-free as idr_for_each() attempts to walk the rest of the node after removing the last entry from it. Fixes: 071698e13a ("io_uring: allow registering credentials") Cc: stable@vger.kernel.org # 5.6+ Reported-by: yangerkun <yangerkun@huawei.com> Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> [Pavel: rebased (creds load was moved into io_init_req())] Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Link: https://lore.kernel.org/r/7ccff36e1375f2b0ebf73d957f037b43becc0dde.1615212806.git.asml.silence@gmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk>		2021-03-10 07:28:42 -07:00
..
9p	Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2021-02-27 08:07:12 -08:00
adfs	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
affs	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
afs	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
autofs	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
befs
bfs	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
btrfs	for-5.12-rc1-tag	2021-03-05 12:21:14 -08:00
cachefiles	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
ceph	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
cifs	cifs/smb3 fixes including improvements to mode bit conversion when using cifsacl mount option, new mount options for controlling attribute caching, improvements to crediting and reconnect, improved debugging	2021-02-26 14:09:41 -08:00
coda	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
configfs	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
cramfs	cramfs: use %pD instead of messing with file_dentry()->d_name	2021-01-05 23:02:47 -05:00
crypto	inode: make init and permission helpers idmapped mount aware	2021-01-24 14:27:16 +01:00
debugfs	Driver core / debugfs update for 5.12-rc1	2021-02-24 10:13:55 -08:00
devpts
dlm
ecryptfs	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
efivarfs	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
efs
erofs	block-5.12-2021-02-27	2021-02-28 11:23:38 -08:00
exfat	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
exportfs	exportfs: Add a function to return the raw output from fh_to_dentry()	2020-12-09 09:39:38 -05:00
ext2	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
ext4	block-5.12-2021-02-27	2021-02-28 11:23:38 -08:00
f2fs	block-5.12-2021-02-27	2021-02-28 11:23:38 -08:00
fat	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
freevxfs
fscache
fuse	mm/filemap: remove unused parameter and change to void type for replace_page_cache_page()	2021-02-24 13:38:27 -08:00
gfs2	Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2021-02-27 08:07:12 -08:00
hfs	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
hfsplus	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
hostfs	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
hpfs	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
hugetlbfs	hugetlbfs: remove unneeded return value of hugetlb_vmtruncate()	2021-02-24 13:38:35 -08:00
iomap	More new code for 5.12:	2021-02-28 11:45:25 -08:00
isofs	isofs: handle large user and group ID	2021-02-03 19:05:52 +01:00
jbd2	block: use an on-stack bio in blkdev_issue_flush	2021-01-27 09:51:48 -07:00
jffs2	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
jfs	Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2021-02-27 08:07:12 -08:00
kernfs	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
lockd	SUNRPC: Make trace_svc_process() display the RPC procedure symbolically	2021-01-25 09:36:23 -05:00
minix	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
nfs	block-5.12-2021-02-27	2021-02-28 11:23:38 -08:00
nfs_common	NFSv4_2: SSC helper should use its own config.	2021-01-28 10:55:37 -05:00
nfsd	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
nilfs2	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
nls
notify	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
ntfs	ntfs: check for valid standard information attribute	2021-02-24 13:38:26 -08:00
ocfs2	ocfs2: simplify the calculation of variables	2021-02-24 13:38:26 -08:00
omfs	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
openpromfs
orangefs	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
overlayfs	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
proc	io_uring-worker.v3-2021-02-25	2021-02-27 08:29:02 -08:00
pstore	pstore fixes for v5.12-rc2	2021-03-05 17:21:25 -08:00
qnx4
qnx6
quota	quota: Fix memory leak when handling corrupted quota file	2021-01-05 14:42:18 +01:00
ramfs	ramfs: support O_TMPFILE	2021-02-24 13:38:26 -08:00
reiserfs	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
romfs
squashfs	squashfs: add more sanity checks in xattr id lookup	2021-02-09 17:26:44 -08:00
sysfs	sysfs: Support zapping of binary attr mmaps	2021-01-12 14:26:31 +01:00
sysv	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
tracefs	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
ubifs	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
udf	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
ufs	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
unicode
vboxsf	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
verity	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
xfs	More new code for 5.12:	2021-02-28 11:45:25 -08:00
zonefs	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
aio.c	Merge branch 'akpm' (patches from Andrew)	2020-12-15 12:53:37 -08:00
anon_inodes.c	fs: anon_inodes: rephrase to appropriate kernel-doc	2021-01-15 12:17:25 -05:00
attr.c	ima: handle idmapped mounts	2021-01-24 14:27:20 +01:00
bad_inode.c	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
binfmt_aout.c
binfmt_elf.c	Merge branch 'parisc-5.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux	2021-02-21 13:20:41 -08:00
binfmt_elf_fdpic.c	Merge branch 'parisc-5.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux	2021-02-21 13:20:41 -08:00
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c	binfmt_misc: pass binfmt_misc flags to the interpreter	2021-02-15 18:28:30 +01:00
binfmt_script.c
block_dev.c	block-5.12-2021-02-27	2021-02-28 11:23:38 -08:00
buffer.c	fs: buffer: use raw page_memcg() on locked page	2021-02-24 13:38:30 -08:00
char_dev.c
compat_binfmt_elf.c	get rid of COMPAT_ELF_EXEC_PAGESIZE	2021-01-06 08:42:51 -05:00
coredump.c	fs/coredump: use kmap_local_page()	2021-02-26 09:41:05 -08:00
d_path.c
dax.c	mm: provide a saner PTE walking API for modules	2021-02-09 07:05:44 -05:00
dcache.c	fs: delete repeated words in comments	2021-02-24 13:38:26 -08:00
direct-io.c	block-5.12-2021-02-27	2021-02-28 11:23:38 -08:00
drop_caches.c
eventfd.c
eventpoll.c	kcmp: Support selection of SYS_kcmp without CHECKPOINT_RESTORE	2021-02-16 09:59:41 +01:00
exec.c	fs: delete repeated words in comments	2021-02-24 13:38:26 -08:00
fcntl.c	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
fhandle.c	fs: delete repeated words in comments	2021-02-24 13:38:26 -08:00
file.c	fs: provide locked helper variant of close_fd_get_file()	2021-02-01 10:02:42 -07:00
file_table.c
filesystems.c
fs-writeback.c	fs: improve comments for writeback_single_inode()	2021-01-13 17:26:50 +01:00
fs_context.c
fs_parser.c
fs_pin.c
fs_struct.c
fs_types.c
fsopen.c
init.c	init: handle idmapped mounts	2021-01-24 14:27:19 +01:00
inode.c	Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2021-02-27 08:07:12 -08:00
internal.h	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
io-wq.c	io-wq: warn on creating manager while exiting	2021-03-07 14:12:43 -07:00
io-wq.h	io-wq: always track creds for async issue	2021-03-06 10:57:01 -07:00
io_uring.c	io_uring: Convert personality_idr to XArray	2021-03-10 07:28:42 -07:00
ioctl.c
Kconfig	Highlights:	2021-02-21 10:22:20 -08:00
Kconfig.binfmt	Merge branch 'work.elf-compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2021-02-21 09:29:23 -08:00
kernel_read_file.c
libfs.c	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
locks.c	Merge branch 'exec-for-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace	2020-12-15 19:29:43 -08:00
Makefile	fs: Remove dcookies support	2021-01-29 10:06:46 +05:30
mbcache.c
mount.h	mount: make {lock,unlock}_mount_hash() static	2021-01-24 14:29:34 +01:00
mpage.c	block: Add bio_max_segs	2021-02-26 15:49:51 -07:00
namei.c	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
namespace.c	Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2021-02-27 08:07:12 -08:00
no-block.c
nsfs.c
open.c	idmapped-mounts-v5.12	2021-02-23 13:39:45 -08:00
pipe.c	fs: delete repeated words in comments	2021-02-24 13:38:26 -08:00
pnode.c
pnode.h	fs/namespace.c: WARN if mnt_count has become negative	2020-12-10 17:33:17 -05:00
posix_acl.c	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
proc_namespace.c	fs: introduce MOUNT_ATTR_IDMAP	2021-01-24 14:43:45 +01:00
read_write.c	teach sendfile(2) to handle send-to-pipe directly	2021-01-25 23:29:36 -05:00
readdir.c
remap_range.c	ioctl: handle idmapped mounts	2021-01-24 14:27:19 +01:00
select.c	poll: fix performance regression due to out-of-line __put_user()	2021-01-08 11:06:29 -08:00
seq_file.c	fs: fix kernel-doc markups	2021-01-21 14:06:00 -07:00
signalfd.c
splice.c	for-5.12/block-2021-02-17	2021-02-21 11:02:48 -08:00
stack.c
stat.c	fs: make helpers idmap mount aware	2021-01-24 14:27:20 +01:00
statfs.c	s390,alpha: switch to 64-bit ino_t	2021-02-13 17:17:53 +01:00
super.c	It has been a relatively quiet cycle in docsland.	2021-02-22 10:57:46 -08:00
sync.c
timerfd.c
userfaultfd.c	userfaultfd: use secure anon inodes for userfaultfd	2021-01-14 17:40:57 -05:00
utimes.c	utimes: handle idmapped mounts	2021-01-24 14:27:18 +01:00
xattr.c	namei: handle idmapped mounts in may_*() helpers	2021-01-24 14:27:17 +01:00