This is a note to let you know that I've just added the patch titled
Make sure nd->path.mnt and nd->path.dentry are always valid pointers
to the 5.10-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
make-sure-nd-path.mnt-and-nd-path.dentry-are-always-valid-pointers.patch
and it can be found in the queue-5.10 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 597ed7633bde8abc24c0cea5fbbfd824200d3251 Mon Sep 17 00:00:00 2001
From: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Date: Tue, 6 Apr 2021 12:33:07 -0400
Subject: Make sure nd->path.mnt and nd->path.dentry are always valid pointers
From: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
[ Upstream commit 7d01ef7585c07afaf487759a48486228cd065726 ]
Initialize them in set_nameidata() and make sure that terminate_walk() clears them
once the pointers become potentially invalid (i.e. we leave RCU mode or drop them
in non-RCU one). Currently we have "path_init() always initializes them and nobody
accesses them outside of path_init()/terminate_walk() segments", which is asking
for trouble.
With that change we would have nd->path.{mnt,dentry}
1) always valid - NULL or pointing to currently allocated objects.
2) non-NULL while we are successfully walking
3) NULL when we are not walking at all
4) contributing to refcounts whenever non-NULL outside of RCU mode.
Fixes: 6c6ec2b0a3e0 ("fs: add support for LOOKUP_CACHED")
Reported-by: syzbot+c88a7030da47945a3cc3@xxxxxxxxxxxxxxxxxxxxxxxxx
Tested-by: Christian Brauner <christian.brauner@xxxxxxxxxx>
Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/namei.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -529,6 +529,8 @@ static void set_nameidata(struct nameida
p->stack = p->internal;
p->dfd = dfd;
p->name = name;
+ p->path.mnt = NULL;
+ p->path.dentry = NULL;
p->total_link_count = old ? old->total_link_count : 0;
p->saved = old;
current->nameidata = p;
@@ -602,6 +604,8 @@ static void terminate_walk(struct nameid
rcu_read_unlock();
}
nd->depth = 0;
+ nd->path.mnt = NULL;
+ nd->path.dentry = NULL;
}
/* path_put is needed afterwards regardless of success or failure */
@@ -2243,8 +2247,6 @@ static const char *path_init(struct name
}
nd->root.mnt = NULL;
- nd->path.mnt = NULL;
- nd->path.dentry = NULL;
/* Absolute pathname -- fetch the root (LOOKUP_IN_ROOT uses nd->dfd). */
if (*s == '/' && !(flags & LOOKUP_IN_ROOT)) {
Patches currently in stable-queue which might be from viro@xxxxxxxxxxxxxxxxxx are
queue-5.10/debugfs-fix-error-when-writing-negative-value-to-ato.patch
queue-5.10/saner-calling-conventions-for-unlazy_child.patch
queue-5.10/fix-handling-of-nd-depth-on-lookup_cached-failures-in-try_to_unlazy.patch
queue-5.10/lib-notifier-error-inject-fix-error-when-writing-err.patch
queue-5.10/tools-headers-uapi-sync-openat2.h-with-the-kernel-sources.patch
queue-5.10/fs-expose-lookup_cached-through-openat2-resolve_cached.patch
queue-5.10/libfs-add-define_simple_attribute_signed-for-signed-.patch
queue-5.10/make-sure-nd-path.mnt-and-nd-path.dentry-are-always-valid-pointers.patch
queue-5.10/fs-sysv-fix-sysv_nblocks-returns-wrong-value.patch
queue-5.10/alpha-fix-syscall-entry-in-audut_syscall-case.patch
queue-5.10/alpha-fix-tif_notify_signal-handling.patch
queue-5.10/fs-add-support-for-lookup_cached.patch
