Patch "afs: Fix incorrect freeing of the ACL passed to the YFS ACL store op" has been added to the 5.9-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Tue, 10 Nov 2020 10:07:33 -0500

This is a note to let you know that I've just added the patch titled

    afs: Fix incorrect freeing of the ACL passed to the YFS ACL store op

to the 5.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     afs-fix-incorrect-freeing-of-the-acl-passed-to-the-y.patch
and it can be found in the queue-5.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit e9eb47d199f56aa893dff7ffe8194fce632b4131
Author: David Howells <dhowells@xxxxxxxxxx>
Date:   Tue Nov 3 16:33:07 2020 +0000

    afs: Fix incorrect freeing of the ACL passed to the YFS ACL store op
    
    [ Upstream commit f4c79144edd8a49ffca8fa737a31d606be742a34 ]
    
    The cleanup for the yfs_store_opaque_acl2_operation calls the wrong
    function to destroy the ACL content buffer.  It's an afs_acl struct, not
    a yfs_acl struct - and the free function for latter may pass invalid
    pointers to kfree().
    
    Fix this by using the afs_acl_put() function.  The yfs_acl_put()
    function is then no longer used and can be removed.
    
            general protection fault, probably for non-canonical address 0x7ebde00000000: 0000 [#1] SMP PTI
            ...
            RIP: 0010:compound_head+0x0/0x11
            ...
            Call Trace:
             virt_to_cache+0x8/0x51
             kfree+0x5d/0x79
             yfs_free_opaque_acl+0x16/0x29
             afs_put_operation+0x60/0x114
             __vfs_setxattr+0x67/0x72
             __vfs_setxattr_noperm+0x66/0xe9
             vfs_setxattr+0x67/0xce
             setxattr+0x14e/0x184
             __do_sys_fsetxattr+0x66/0x8f
             do_syscall_64+0x2d/0x3a
             entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Fixes: e49c7b2f6de7 ("afs: Build an abstraction around an "operation" concept")
    Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
    Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/afs/xattr.c b/fs/afs/xattr.c
index 38884d6c57cdc..95c573dcda116 100644
--- a/fs/afs/xattr.c
+++ b/fs/afs/xattr.c
@@ -148,11 +148,6 @@ static const struct xattr_handler afs_xattr_afs_acl_handler = {
 	.set    = afs_xattr_set_acl,
 };
 
-static void yfs_acl_put(struct afs_operation *op)
-{
-	yfs_free_opaque_acl(op->yacl);
-}
-
 static const struct afs_operation_ops yfs_fetch_opaque_acl_operation = {
 	.issue_yfs_rpc	= yfs_fs_fetch_opaque_acl,
 	.success	= afs_acl_success,
@@ -246,7 +241,7 @@ error:
 static const struct afs_operation_ops yfs_store_opaque_acl2_operation = {
 	.issue_yfs_rpc	= yfs_fs_store_opaque_acl2,
 	.success	= afs_acl_success,
-	.put		= yfs_acl_put,
+	.put		= afs_acl_put,
 };
 
 /*






