Patch "cgroup1: don't allow '\n' in renaming" has been added to the 5.10-stable tree

[<gregkh@xxxxxxxxxxxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    cgroup1: don't allow '\n' in renaming

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     cgroup1-don-t-allow-n-in-renaming.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From b7e24eb1caa5f8da20d405d262dba67943aedc42 Mon Sep 17 00:00:00 2001
From: Alexander Kuznetsov <wwfq@xxxxxxxxxxxxxx>
Date: Wed, 9 Jun 2021 10:17:19 +0300
Subject: cgroup1: don't allow '\n' in renaming

From: Alexander Kuznetsov <wwfq@xxxxxxxxxxxxxx>

commit b7e24eb1caa5f8da20d405d262dba67943aedc42 upstream.

cgroup_mkdir() have restriction on newline usage in names:
$ mkdir $'/sys/fs/cgroup/cpu/test\ntest2'
mkdir: cannot create directory
'/sys/fs/cgroup/cpu/test\ntest2': Invalid argument

But in cgroup1_rename() such check is missed.
This allows us to make /proc/<pid>/cgroup unparsable:
$ mkdir /sys/fs/cgroup/cpu/test
$ mv /sys/fs/cgroup/cpu/test $'/sys/fs/cgroup/cpu/test\ntest2'
$ echo $$ > $'/sys/fs/cgroup/cpu/test\ntest2'
$ cat /proc/self/cgroup
11:pids:/
10:freezer:/
9:hugetlb:/
8:cpuset:/
7:blkio:/user.slice
6:memory:/user.slice
5:net_cls,net_prio:/
4:perf_event:/
3:devices:/user.slice
2:cpu,cpuacct:/test
test2
1:name=systemd:/
0::/

Signed-off-by: Alexander Kuznetsov <wwfq@xxxxxxxxxxxxxx>
Reported-by: Andrey Krasichkov <buglloc@xxxxxxxxxxxxxx>
Acked-by: Dmitry Yakunin <zeil@xxxxxxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Tejun Heo <tj@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 kernel/cgroup/cgroup-v1.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -820,6 +820,10 @@ static int cgroup1_rename(struct kernfs_
 	struct cgroup *cgrp = kn->priv;
 	int ret;
 
+	/* do not accept '\n' to prevent making /proc/<pid>/cgroup unparsable */
+	if (strchr(new_name_str, '\n'))
+		return -EINVAL;
+
 	if (kernfs_type(kn) != KERNFS_DIR)
 		return -ENOTDIR;
 	if (kn->parent != new_parent)


Patches currently in stable-queue which might be from wwfq@xxxxxxxxxxxxxx are

queue-5.10/cgroup1-don-t-allow-n-in-renaming.patch