From: Christian Brauner <brauner@xxxxxxxxxx> commit 4e32c25b58b945f976435bbe51f39b32d714052e upstream. get_stashed_dentry() tries to optimistically retrieve a stashed dentry from a provided location. It needs to ensure to hold rcu lock before it dereference the stashed location to prevent UAF issues. Use rcu_dereference() instead of READ_ONCE() it's effectively equivalent with some lockdep bells and whistles and it communicates clearly that this expects rcu protection. Link: https://lore.kernel.org/r/20240906-vfs-hotfix-5959800ffa68@brauner Fixes: 07fd7c329839 ("libfs: add path_from_stashed()") Reported-by: syzbot+f82b36bffae7ef78b6a7@xxxxxxxxxxxxxxxxxxxxxxxxx Fixes: syzbot+f82b36bffae7ef78b6a7@xxxxxxxxxxxxxxxxxxxxxxxxx Reported-by: syzbot+cbe4b96e1194b0e34db6@xxxxxxxxxxxxxxxxxxxxxxxxx Fixes: syzbot+cbe4b96e1194b0e34db6@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx> Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/libfs.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/fs/libfs.c +++ b/fs/libfs.c @@ -2043,12 +2043,12 @@ struct timespec64 simple_inode_init_ts(s } EXPORT_SYMBOL(simple_inode_init_ts); -static inline struct dentry *get_stashed_dentry(struct dentry *stashed) +static inline struct dentry *get_stashed_dentry(struct dentry **stashed) { struct dentry *dentry; guard(rcu)(); - dentry = READ_ONCE(stashed); + dentry = rcu_dereference(*stashed); if (!dentry) return NULL; if (!lockref_get_not_dead(&dentry->d_lockref)) @@ -2145,7 +2145,7 @@ int path_from_stashed(struct dentry **st const struct stashed_operations *sops = mnt->mnt_sb->s_fs_info; /* See if dentry can be reused. */ - path->dentry = get_stashed_dentry(*stashed); + path->dentry = get_stashed_dentry(stashed); if (path->dentry) { sops->put_data(data); goto out_path; Patches currently in stable-queue which might be from brauner@xxxxxxxxxx are queue-6.10/libfs-fix-get_stashed_dentry.patch
