This is a note to let you know that I've just added the patch titled

    Make sure nd->path.mnt and nd->path.dentry are always valid pointers

to the 5.10-stable tree which can be found at:

    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     make-sure-nd-path.mnt-and-nd-path.dentry-are-always-valid-pointers.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 597ed7633bde8abc24c0cea5fbbfd824200d3251 Mon Sep 17 00:00:00 2001
From: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Date: Tue, 6 Apr 2021 12:33:07 -0400
Subject: Make sure nd->path.mnt and nd->path.dentry are always valid pointers

From: Al Viro <viro@xxxxxxxxxxxxxxxxxx>

[ Upstream commit 7d01ef7585c07afaf487759a48486228cd065726 ]

Initialize them in set_nameidata() and make sure that terminate_walk()
clears them once the pointers become potentially invalid (i.e. we leave
RCU mode or drop them in non-RCU one). Currently we have "path_init()
always initializes them and nobody accesses them outside of
path_init()/terminate_walk() segments", which is asking for trouble.

With that change we would have nd->path.{mnt,dentry}
	1) always valid - NULL or pointing to currently allocated objects.
	2) non-NULL while we are successfully walking
	3) NULL when we are not walking at all
	4) contributing to refcounts whenever non-NULL outside of RCU mode.

Fixes: 6c6ec2b0a3e0 ("fs: add support for LOOKUP_CACHED")
Reported-by: syzbot+c88a7030da47945a3cc3@xxxxxxxxxxxxxxxxxxxxxxxxx
Tested-by: Christian Brauner <christian.brauner@xxxxxxxxxx>
Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/namei.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/namei.c
+++ b/fs/namei.c
@@ -529,6 +529,8 @@ static void set_nameidata(struct nameida p->stack = p->internal; p->dfd = dfd; p->name = name; + p->path.mnt = NULL; + p->path.dentry = NULL; p->total_link_count = old ? old->total_link_count : 0; p->saved = old; current->nameidata = p; @@ -602,6 +604,8 @@ static void terminate_walk(struct nameid rcu_read_unlock(); } nd->depth = 0; + nd->path.mnt = NULL; + nd->path.dentry = NULL; } /* path_put is needed afterwards regardless of success or failure */ @@ -2243,8 +2247,6 @@ static const char *path_init(struct name } nd->root.mnt = NULL; - nd->path.mnt = NULL; - nd->path.dentry = NULL; /* Absolute pathname -- fetch the root (LOOKUP_IN_ROOT uses nd->dfd). */ if (*s == '/' && !(flags & LOOKUP_IN_ROOT)) { Patches currently in stable-queue which might be from viro@xxxxxxxxxxxxxxxxxx are queue-5.10/debugfs-fix-error-when-writing-negative-value-to-ato.patch queue-5.10/saner-calling-conventions-for-unlazy_child.patch queue-5.10/fix-handling-of-nd-depth-on-lookup_cached-failures-in-try_to_unlazy.patch queue-5.10/lib-notifier-error-inject-fix-error-when-writing-err.patch queue-5.10/tools-headers-uapi-sync-openat2.h-with-the-kernel-sources.patch queue-5.10/fs-expose-lookup_cached-through-openat2-resolve_cached.patch queue-5.10/libfs-add-define_simple_attribute_signed-for-signed-.patch queue-5.10/make-sure-nd-path.mnt-and-nd-path.dentry-are-always-valid-pointers.patch queue-5.10/fs-sysv-fix-sysv_nblocks-returns-wrong-value.patch queue-5.10/alpha-fix-syscall-entry-in-audut_syscall-case.patch queue-5.10/alpha-fix-tif_notify_signal-handling.patch queue-5.10/fs-add-support-for-lookup_cached.patch
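Review bot: the invariant established by the first hunk (set_nameidata(), the two `p->path.mnt = NULL; p->path.dentry = NULL;` lines) is stated only in the commit message, not in the code; consider a short comment at these assignments, or above the nameidata definition, recording that nd->path.{mnt,dentry} are NULL whenever no walk is in progress and refcounted whenever non-NULL outside RCU mode, so that anyone later adding a read of nd->path between set_nameidata() and path_init() knows NULL is the expected state rather than a bug.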
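Review bot: in the second hunk (terminate_walk()) the placement of `nd->path.mnt = NULL; nd->path.dentry = NULL;` is the important detail: it sits after the `}` that closes the RCU branch containing `rcu_read_unlock();` and after `nd->depth = 0;`, so the clear runs on both the RCU and the non-RCU exit and only once the pointers have already been released or stopped being protected. The effect is that any code that still touches nd->path after terminate_walk() now dereferences NULL instead of a stale dentry or vfsmount, which turns a silent use-after-free into an immediately visible fault; worth double-checking that no caller copies nd->path out only after calling terminate_walk(), since such a site would now receive NULLs.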
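Review bot: the third hunk (path_init(), the removed `- nd->path.mnt = NULL; - nd->path.dentry = NULL;` lines) is only safe together with the other two: with path_init() no longer resetting the pair, a nameidata that is reused for another attempt depends on terminate_walk() having cleared them at the end of the previous walk and on set_nameidata() having initialised them before the first one. A backport that took this hunk without the terminate_walk() hunk would reintroduce stale pointers from an earlier walk, so the three hunks should stay in one commit, as they are here.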